6f28d4ff665d3fdc8cc7f94f9ddb4043000fb64b0840b1fe55c5801f955830f1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_e78b242572e44fa3a78241de4bcf4637_goldeneye.exe
Size

180KB
MD5

e78b242572e44fa3a78241de4bcf4637
SHA1

d3fb2372d3178262b38a7a84194b6414db8c931d
SHA256

6f28d4ff665d3fdc8cc7f94f9ddb4043000fb64b0840b1fe55c5801f955830f1
SHA512

6154f2fb9ad617c2fe3aac92de257d82e4a69e149f62e590a5b55ec2dd711ad0dbdb2e05cabcbb65b20d52d90bf4ad892f64fad34867118fbdc572120db254a4
SSDEEP

3072:jEGh0oJlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGjl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023220-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023227-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023227-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa3-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021fa2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000703-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000703-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BEA0E91-87BC-4198-BA6A-88169D202F23}\stubpath = "C:\\Windows\\{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe"	{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}	{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}\stubpath = "C:\\Windows\\{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe"	{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}	{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}	{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0DC699A-A178-49e7-872A-648C7FFCD6DB}\stubpath = "C:\\Windows\\{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe"	{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0DC699A-A178-49e7-872A-648C7FFCD6DB}	{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BEA0E91-87BC-4198-BA6A-88169D202F23}	{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02F3969E-CD33-4a0e-852B-7CECB6AF336D}	{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}	{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01854799-F1D4-4759-A525-6A2947E64DD2}	{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}	{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08317291-39DC-40c7-BF2A-8C9A1B23D92B}	{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}\stubpath = "C:\\Windows\\{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe"	{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}\stubpath = "C:\\Windows\\{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe"	{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}\stubpath = "C:\\Windows\\{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe"	{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}\stubpath = "C:\\Windows\\{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}.exe"	{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A794BE91-5FC6-4a48-9A14-211D6E74DF1E}\stubpath = "C:\\Windows\\{A794BE91-5FC6-4a48-9A14-211D6E74DF1E}.exe"	{01854799-F1D4-4759-A525-6A2947E64DD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{039347BF-C37B-4940-AFC9-03D3DC09310A}\stubpath = "C:\\Windows\\{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe"	2024-04-05_e78b242572e44fa3a78241de4bcf4637_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08317291-39DC-40c7-BF2A-8C9A1B23D92B}\stubpath = "C:\\Windows\\{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe"	{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02F3969E-CD33-4a0e-852B-7CECB6AF336D}\stubpath = "C:\\Windows\\{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe"	{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01854799-F1D4-4759-A525-6A2947E64DD2}\stubpath = "C:\\Windows\\{01854799-F1D4-4759-A525-6A2947E64DD2}.exe"	{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A794BE91-5FC6-4a48-9A14-211D6E74DF1E}	{01854799-F1D4-4759-A525-6A2947E64DD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{039347BF-C37B-4940-AFC9-03D3DC09310A}	2024-04-05_e78b242572e44fa3a78241de4bcf4637_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
1904	{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe
3676	{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe
2732	{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe
1144	{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe
3416	{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe
4336	{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe
1868	{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe
4272	{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe
1876	{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe
1628	{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}.exe
2316	{01854799-F1D4-4759-A525-6A2947E64DD2}.exe
4252	{A794BE91-5FC6-4a48-9A14-211D6E74DF1E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe	{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe
File created	C:\Windows\{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe	{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe
File created	C:\Windows\{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}.exe	{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe
File created	C:\Windows\{01854799-F1D4-4759-A525-6A2947E64DD2}.exe	{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}.exe
File created	C:\Windows\{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe	2024-04-05_e78b242572e44fa3a78241de4bcf4637_goldeneye.exe
File created	C:\Windows\{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe	{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe
File created	C:\Windows\{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe	{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe
File created	C:\Windows\{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe	{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe
File created	C:\Windows\{A794BE91-5FC6-4a48-9A14-211D6E74DF1E}.exe	{01854799-F1D4-4759-A525-6A2947E64DD2}.exe
File created	C:\Windows\{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe	{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe
File created	C:\Windows\{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe	{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe
File created	C:\Windows\{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe	{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	880	2024-04-05_e78b242572e44fa3a78241de4bcf4637_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1904	{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe
Token: SeIncBasePriorityPrivilege	3676	{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe
Token: SeIncBasePriorityPrivilege	2732	{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe
Token: SeIncBasePriorityPrivilege	1144	{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe
Token: SeIncBasePriorityPrivilege	3416	{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe
Token: SeIncBasePriorityPrivilege	4336	{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe
Token: SeIncBasePriorityPrivilege	1868	{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe
Token: SeIncBasePriorityPrivilege	4272	{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe
Token: SeIncBasePriorityPrivilege	1876	{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe
Token: SeIncBasePriorityPrivilege	1628	{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}.exe
Token: SeIncBasePriorityPrivilege	2316	{01854799-F1D4-4759-A525-6A2947E64DD2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1904	880	2024-04-05_e78b242572e44fa3a78241de4bcf4637_goldeneye.exe	96
PID 880 wrote to memory of 1904	880	2024-04-05_e78b242572e44fa3a78241de4bcf4637_goldeneye.exe	96
PID 880 wrote to memory of 1904	880	2024-04-05_e78b242572e44fa3a78241de4bcf4637_goldeneye.exe	96
PID 880 wrote to memory of 3672	880	2024-04-05_e78b242572e44fa3a78241de4bcf4637_goldeneye.exe	97
PID 880 wrote to memory of 3672	880	2024-04-05_e78b242572e44fa3a78241de4bcf4637_goldeneye.exe	97
PID 880 wrote to memory of 3672	880	2024-04-05_e78b242572e44fa3a78241de4bcf4637_goldeneye.exe	97
PID 1904 wrote to memory of 3676	1904	{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe	98
PID 1904 wrote to memory of 3676	1904	{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe	98
PID 1904 wrote to memory of 3676	1904	{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe	98
PID 1904 wrote to memory of 1164	1904	{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe	99
PID 1904 wrote to memory of 1164	1904	{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe	99
PID 1904 wrote to memory of 1164	1904	{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe	99
PID 3676 wrote to memory of 2732	3676	{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe	101
PID 3676 wrote to memory of 2732	3676	{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe	101
PID 3676 wrote to memory of 2732	3676	{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe	101
PID 3676 wrote to memory of 992	3676	{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe	102
PID 3676 wrote to memory of 992	3676	{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe	102
PID 3676 wrote to memory of 992	3676	{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe	102
PID 2732 wrote to memory of 1144	2732	{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe	103
PID 2732 wrote to memory of 1144	2732	{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe	103
PID 2732 wrote to memory of 1144	2732	{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe	103
PID 2732 wrote to memory of 1988	2732	{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe	104
PID 2732 wrote to memory of 1988	2732	{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe	104
PID 2732 wrote to memory of 1988	2732	{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe	104
PID 1144 wrote to memory of 3416	1144	{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe	105
PID 1144 wrote to memory of 3416	1144	{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe	105
PID 1144 wrote to memory of 3416	1144	{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe	105
PID 1144 wrote to memory of 4580	1144	{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe	106
PID 1144 wrote to memory of 4580	1144	{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe	106
PID 1144 wrote to memory of 4580	1144	{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe	106
PID 3416 wrote to memory of 4336	3416	{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe	107
PID 3416 wrote to memory of 4336	3416	{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe	107
PID 3416 wrote to memory of 4336	3416	{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe	107
PID 3416 wrote to memory of 3220	3416	{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe	108
PID 3416 wrote to memory of 3220	3416	{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe	108
PID 3416 wrote to memory of 3220	3416	{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe	108
PID 4336 wrote to memory of 1868	4336	{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe	109
PID 4336 wrote to memory of 1868	4336	{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe	109
PID 4336 wrote to memory of 1868	4336	{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe	109
PID 4336 wrote to memory of 2544	4336	{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe	110
PID 4336 wrote to memory of 2544	4336	{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe	110
PID 4336 wrote to memory of 2544	4336	{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe	110
PID 1868 wrote to memory of 4272	1868	{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe	111
PID 1868 wrote to memory of 4272	1868	{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe	111
PID 1868 wrote to memory of 4272	1868	{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe	111
PID 1868 wrote to memory of 4268	1868	{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe	112
PID 1868 wrote to memory of 4268	1868	{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe	112
PID 1868 wrote to memory of 4268	1868	{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe	112
PID 4272 wrote to memory of 1876	4272	{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe	113
PID 4272 wrote to memory of 1876	4272	{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe	113
PID 4272 wrote to memory of 1876	4272	{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe	113
PID 4272 wrote to memory of 2628	4272	{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe	114
PID 4272 wrote to memory of 2628	4272	{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe	114
PID 4272 wrote to memory of 2628	4272	{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe	114
PID 1876 wrote to memory of 1628	1876	{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe	115
PID 1876 wrote to memory of 1628	1876	{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe	115
PID 1876 wrote to memory of 1628	1876	{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe	115
PID 1876 wrote to memory of 1620	1876	{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe	116
PID 1876 wrote to memory of 1620	1876	{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe	116
PID 1876 wrote to memory of 1620	1876	{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe	116
PID 1628 wrote to memory of 2316	1628	{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}.exe	117
PID 1628 wrote to memory of 2316	1628	{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}.exe	117
PID 1628 wrote to memory of 2316	1628	{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}.exe	117
PID 1628 wrote to memory of 4744	1628	{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-05_e78b242572e44fa3a78241de4bcf4637_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_e78b242572e44fa3a78241de4bcf4637_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe
  C:\Windows\{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe
    C:\Windows\{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Windows\{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe
      C:\Windows\{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe
        
        C:\Windows\{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
      - C:\Windows\{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe
        
        C:\Windows\{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe
        
        C:\Windows\{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe
        
        C:\Windows\{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe
        
        C:\Windows\{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe
        
        C:\Windows\{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}.exe
        
        C:\Windows\{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{01854799-F1D4-4759-A525-6A2947E64DD2}.exe
        
        C:\Windows\{01854799-F1D4-4759-A525-6A2947E64DD2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\{A794BE91-5FC6-4a48-9A14-211D6E74DF1E}.exe
        
        C:\Windows\{A794BE91-5FC6-4a48-9A14-211D6E74DF1E}.exe
        13⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01854~1.EXE > nul
        13⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F1AB~1.EXE > nul
        12⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E073E~1.EXE > nul
        11⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CFF5~1.EXE > nul
        10⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02F39~1.EXE > nul
        9⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7C7A~1.EXE > nul
        8⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BEA0~1.EXE > nul
        7⤵
        
        PID:3220
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0DC6~1.EXE > nul
        6⤵
        
        PID:4580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8D72~1.EXE > nul
        5⤵
        
        PID:1988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{08317~1.EXE > nul
      4⤵
      PID:992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{03934~1.EXE > nul
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01854799-F1D4-4759-A525-6A2947E64DD2}.exe

Filesize
180KB

MD5
5bcb038e8b0916dfcc77eb269990a1ad

SHA1
14bc983ff6516e7fccfca8d9565f15606aa91e99

SHA256
6fa9ff6efde2136d1e7daa2688dbd270efa811d94e13791b3900c76bd31aa715

SHA512
4132018df3e21d0055247814f3542b1243d57c414b605efd9b32810e2931372818a9f92d6253e8577ec96276d7740a64cfc4024b79e81af057498c2b598c5e11

Download Submit
C:\Windows\{02F3969E-CD33-4a0e-852B-7CECB6AF336D}.exe

Filesize
180KB

MD5
1bcd4edbb0ddb6ccd664026ac3fc6ea4

SHA1
f55ec280c24ea4be30c1bba79a8cb7eae367c70a

SHA256
55f1934a19d4c4ac5ae11325ad0cf535aab25519c7964d1cac0e4ca2730ad589

SHA512
d149e3f4f2b78324f0b648e691b68a12cabd32bc95ad57c94cb74a6ac23e5cfea25fa7728b4d4058ac4b8ba451a8e4180b5805095a39b8c54e4a5d9034cf6c84

Download Submit
C:\Windows\{039347BF-C37B-4940-AFC9-03D3DC09310A}.exe

Filesize
180KB

MD5
d69e212d2dad267a9b6f7b09634e57d4

SHA1
4eefafb0a6952b110588f28137a674766f3e7be4

SHA256
8b198967987e990da0f5017de62dc07dde983d5b7309607641ce374fb02d7baa

SHA512
9378da452c5e5f09d89c7b4b14cc128ec40bdcfad9c1d50c1365b8020cb683d3f245ef61a78968b65dcc8cb14e68f33f2661755ac7be702c794462b336bb2caa

Download Submit
C:\Windows\{08317291-39DC-40c7-BF2A-8C9A1B23D92B}.exe

Filesize
180KB

MD5
324c8c6589c0a2465ba1ea6d31126a1e

SHA1
de479a30e8bf6d9ddcd2881ea900cf4e8adc9b07

SHA256
c0bf95c227bfb0fe4e60ca7d1f132b08e0a4a04ca610ba09966925a01ee6edf9

SHA512
e56821e0deb8e786fa8a050e5540c48d2b2a8e1ea6a2c1056852655c0562132bdecc9461ec79a0e9571963c5cd1d279f17ca552f1616621bc07ce0f7c216f9d1

Download Submit
C:\Windows\{0CFF51A2-3876-4628-A6D8-1C8311EBB6FD}.exe

Filesize
180KB

MD5
e42de85ffcbaf189b66411113cba2bc0

SHA1
2c9bcf467dd93adad6553514b0a67931ba74d70d

SHA256
cc54fb69d32a179cf1dd62f0c7690f9fd149183d33cd527c9df2e6f6cfe2d906

SHA512
8334bbca4185682c19555b38a526701744ca7904a1b6f09c1c71631bfffc5ee67aeaaec0286119aa65996a5a9886800c5d60a784984670ff57729e743b323b33

Download Submit
C:\Windows\{5BEA0E91-87BC-4198-BA6A-88169D202F23}.exe

Filesize
180KB

MD5
89243f68d305616cf3e057a538e44a50

SHA1
87371c343c1505129f3fc5b5037c5b2340bf1739

SHA256
cff4a329a0c26443509664d84b56a897d7785e8e987078f7bfe6fad08bbcbb2e

SHA512
6f9487f3145ae4538214b4e889b70d8b32c865c709397c7fdeab4f29e5a9e5a7c3915e41055333bc8f1f0d056edda6fe996b93775b321f7992d03894672bc0d7

Download Submit
C:\Windows\{6F1AB90A-7DA2-4a45-A9D0-CD89F725B33C}.exe

Filesize
180KB

MD5
da78dce333e3e033b163ab2c39f7178f

SHA1
4727f3784a1fa4ac4064dee8967ccdb93821f873

SHA256
6f321727a4edf2fac2e40c572a5b5a5459105fa12179e051c4fd7d59c3229175

SHA512
4e5ae1ff6ce4092174fe652ab868f6aed287a9e24311da8f44561e2ed7ef24c57022808a042ce01f19c9698b6c5cdd9b13951a56d0cbd0a964fad89fcc7b8b5e

Download Submit
C:\Windows\{A794BE91-5FC6-4a48-9A14-211D6E74DF1E}.exe

Filesize
180KB

MD5
d990925e91bd00ca83a12d751aa0ca1a

SHA1
0902b8a7644e1ae94bf562febec92daf34994c7d

SHA256
e4f06b3ff128ce74090480718ec7673700f44468c62ed6352b3b61aa9f919c60

SHA512
8310e85cb45e2f8e017359c87521bb535023b40f87f9091f2f163dd897f8d1ae7b247dbf6f67b07d1640a66452663d75a70c2a5089dae6e004724c1b24057837

Download Submit
C:\Windows\{B0DC699A-A178-49e7-872A-648C7FFCD6DB}.exe

Filesize
180KB

MD5
43d6e706cc10d26be53197ab1cd01bc4

SHA1
84af666681ac11fe3878162ec0759347437d885e

SHA256
037d34eaf14fa7e79e0c70e11971d4c37abe0cefd51e8a6551ac10d7f155aa66

SHA512
4a3521ffe7652e8ee94bf4a5e17a6410c79725d2ccf2f85a2d4cea1af738decf72f2c581892162d9ac43f99ccf760483b02a8e2788882af1268fe0a3ce6af4db

Download Submit
C:\Windows\{B8D7285A-5D64-4460-8EF6-8E2CB8A56634}.exe

Filesize
180KB

MD5
b84818eaa98d2d3595c4366e4a529a0e

SHA1
f3199745cb3b2e16c5a708cda0c8764d86f540f5

SHA256
1570811ed346289df43905dd20bd79c66bc71d30181cf972ea32e3ace7a36209

SHA512
106ee1e54f969b90a9297366f54a2693f3d3f8c909acd81a9d021e3661493612f46c1d953f01adc9f72c330b2ba91c9814e402558ccd19356e6739b7855c2d12

Download Submit
C:\Windows\{E073E2ED-270D-4c23-A4B0-E19D7CCCDD43}.exe

Filesize
180KB

MD5
79bdfa61363b21501f2f71591cd75b54

SHA1
e4888aa0a2d7f449f017d51a2e4ba7592c0459b2

SHA256
bc26eb8b25a73d340b979f326dea7c946052cacfbe014b56e918ca23be36d59e

SHA512
a01c4856a1d8e77e210ff5e1b426743f2850b20e12b46a6e62019e47744e82547857810e071330fcd06bd5bf662e528e4b899fb0ee1646811bc74e6b945d7405

Download Submit
C:\Windows\{E7C7A0CB-67D9-4c04-BCF1-B7554331C2F5}.exe

Filesize
180KB

MD5
8ef8354dd9f25b04503f5be68f1d63ea

SHA1
162aa7dfd2e30d590c43a73470f2ef4d57822e28

SHA256
4c3246b8bd9e7002e9c8c0d3b0df68f114c66b91d6e2c7f1fe99bd6a456e18fe

SHA512
99664017eea86aff3c9cdffdb9fbfbf99529ee19218f56dd3ae172ee8dec30bb0ba249455cf005439799132037f140de033978e03a10088592a49b90bbd4ee93

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads