e51d9134dbb065e51d79681002ceafd714ceef57c29925012598ac56fa7a3694

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe
Size

168KB
MD5

bfcaa345f789f4dfc76ccccd1022676c
SHA1

c6e146bdf22a1e17401064658883b6246b3c4030
SHA256

e51d9134dbb065e51d79681002ceafd714ceef57c29925012598ac56fa7a3694
SHA512

041e33bc14aa9fcec3e50c4bb882fe288c55c0b5b4e3516dd0098d636a4a05ba63f16e6a8ba806f6c4e977ea24f3e05299e70a3c44dda0fe53df8898847a92a7
SSDEEP

1536:1EGh0oxlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oxlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023238-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023239-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023240-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023239-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfa-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfb-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021cfa-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58584D48-D405-45a9-8127-6E3CC078ACCF}	2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}	{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}	{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}\stubpath = "C:\\Windows\\{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe"	{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}\stubpath = "C:\\Windows\\{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}.exe"	{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}	{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}\stubpath = "C:\\Windows\\{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe"	{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}	{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58584D48-D405-45a9-8127-6E3CC078ACCF}\stubpath = "C:\\Windows\\{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe"	2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}	{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}\stubpath = "C:\\Windows\\{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe"	{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21A103FD-57F4-4b77-96C8-8579C93742BF}	{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5F746F2-44B5-4ef6-AB60-EA512F383B47}\stubpath = "C:\\Windows\\{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe"	{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A636A70-8AF5-4305-96C3-62DB91C47102}	{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15420C16-077E-4ee8-A2B9-AF478399E7D5}	{9A636A70-8AF5-4305-96C3-62DB91C47102}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}\stubpath = "C:\\Windows\\{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe"	{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5F746F2-44B5-4ef6-AB60-EA512F383B47}	{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15420C16-077E-4ee8-A2B9-AF478399E7D5}\stubpath = "C:\\Windows\\{15420C16-077E-4ee8-A2B9-AF478399E7D5}.exe"	{9A636A70-8AF5-4305-96C3-62DB91C47102}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A636A70-8AF5-4305-96C3-62DB91C47102}\stubpath = "C:\\Windows\\{9A636A70-8AF5-4305-96C3-62DB91C47102}.exe"	{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21A103FD-57F4-4b77-96C8-8579C93742BF}\stubpath = "C:\\Windows\\{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe"	{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}	{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}\stubpath = "C:\\Windows\\{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe"	{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BE8E291-AB70-4b23-82C9-D49363717FFD}	{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BE8E291-AB70-4b23-82C9-D49363717FFD}\stubpath = "C:\\Windows\\{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe"	{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe

Executes dropped EXE 12 IoCs

pid	Process
3308	{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe
4892	{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe
2960	{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe
4672	{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe
3016	{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe
4440	{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe
3304	{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe
4296	{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe
3276	{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe
3944	{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}.exe
4392	{9A636A70-8AF5-4305-96C3-62DB91C47102}.exe
3308	{15420C16-077E-4ee8-A2B9-AF478399E7D5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}.exe	{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe
File created	C:\Windows\{9A636A70-8AF5-4305-96C3-62DB91C47102}.exe	{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}.exe
File created	C:\Windows\{15420C16-077E-4ee8-A2B9-AF478399E7D5}.exe	{9A636A70-8AF5-4305-96C3-62DB91C47102}.exe
File created	C:\Windows\{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe	{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe
File created	C:\Windows\{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe	{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe
File created	C:\Windows\{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe	{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe
File created	C:\Windows\{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe	{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe
File created	C:\Windows\{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe	{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe
File created	C:\Windows\{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe	2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe
File created	C:\Windows\{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe	{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe
File created	C:\Windows\{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe	{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe
File created	C:\Windows\{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe	{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4220	2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3308	{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe
Token: SeIncBasePriorityPrivilege	4892	{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe
Token: SeIncBasePriorityPrivilege	2960	{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe
Token: SeIncBasePriorityPrivilege	4672	{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe
Token: SeIncBasePriorityPrivilege	3016	{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe
Token: SeIncBasePriorityPrivilege	4440	{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe
Token: SeIncBasePriorityPrivilege	3304	{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe
Token: SeIncBasePriorityPrivilege	4296	{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe
Token: SeIncBasePriorityPrivilege	3276	{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe
Token: SeIncBasePriorityPrivilege	3944	{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}.exe
Token: SeIncBasePriorityPrivilege	4392	{9A636A70-8AF5-4305-96C3-62DB91C47102}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 3308	4220	2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe	95
PID 4220 wrote to memory of 3308	4220	2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe	95
PID 4220 wrote to memory of 3308	4220	2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe	95
PID 4220 wrote to memory of 404	4220	2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe	96
PID 4220 wrote to memory of 404	4220	2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe	96
PID 4220 wrote to memory of 404	4220	2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe	96
PID 3308 wrote to memory of 4892	3308	{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe	97
PID 3308 wrote to memory of 4892	3308	{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe	97
PID 3308 wrote to memory of 4892	3308	{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe	97
PID 3308 wrote to memory of 2184	3308	{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe	98
PID 3308 wrote to memory of 2184	3308	{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe	98
PID 3308 wrote to memory of 2184	3308	{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe	98
PID 4892 wrote to memory of 2960	4892	{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe	100
PID 4892 wrote to memory of 2960	4892	{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe	100
PID 4892 wrote to memory of 2960	4892	{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe	100
PID 4892 wrote to memory of 1840	4892	{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe	101
PID 4892 wrote to memory of 1840	4892	{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe	101
PID 4892 wrote to memory of 1840	4892	{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe	101
PID 2960 wrote to memory of 4672	2960	{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe	102
PID 2960 wrote to memory of 4672	2960	{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe	102
PID 2960 wrote to memory of 4672	2960	{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe	102
PID 2960 wrote to memory of 4828	2960	{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe	103
PID 2960 wrote to memory of 4828	2960	{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe	103
PID 2960 wrote to memory of 4828	2960	{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe	103
PID 4672 wrote to memory of 3016	4672	{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe	104
PID 4672 wrote to memory of 3016	4672	{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe	104
PID 4672 wrote to memory of 3016	4672	{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe	104
PID 4672 wrote to memory of 3152	4672	{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe	105
PID 4672 wrote to memory of 3152	4672	{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe	105
PID 4672 wrote to memory of 3152	4672	{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe	105
PID 3016 wrote to memory of 4440	3016	{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe	106
PID 3016 wrote to memory of 4440	3016	{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe	106
PID 3016 wrote to memory of 4440	3016	{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe	106
PID 3016 wrote to memory of 3844	3016	{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe	107
PID 3016 wrote to memory of 3844	3016	{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe	107
PID 3016 wrote to memory of 3844	3016	{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe	107
PID 4440 wrote to memory of 3304	4440	{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe	108
PID 4440 wrote to memory of 3304	4440	{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe	108
PID 4440 wrote to memory of 3304	4440	{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe	108
PID 4440 wrote to memory of 1600	4440	{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe	109
PID 4440 wrote to memory of 1600	4440	{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe	109
PID 4440 wrote to memory of 1600	4440	{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe	109
PID 3304 wrote to memory of 4296	3304	{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe	110
PID 3304 wrote to memory of 4296	3304	{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe	110
PID 3304 wrote to memory of 4296	3304	{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe	110
PID 3304 wrote to memory of 5020	3304	{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe	111
PID 3304 wrote to memory of 5020	3304	{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe	111
PID 3304 wrote to memory of 5020	3304	{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe	111
PID 4296 wrote to memory of 3276	4296	{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe	112
PID 4296 wrote to memory of 3276	4296	{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe	112
PID 4296 wrote to memory of 3276	4296	{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe	112
PID 4296 wrote to memory of 3684	4296	{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe	113
PID 4296 wrote to memory of 3684	4296	{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe	113
PID 4296 wrote to memory of 3684	4296	{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe	113
PID 3276 wrote to memory of 3944	3276	{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe	114
PID 3276 wrote to memory of 3944	3276	{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe	114
PID 3276 wrote to memory of 3944	3276	{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe	114
PID 3276 wrote to memory of 3232	3276	{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe	115
PID 3276 wrote to memory of 3232	3276	{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe	115
PID 3276 wrote to memory of 3232	3276	{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe	115
PID 3944 wrote to memory of 4392	3944	{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}.exe	116
PID 3944 wrote to memory of 4392	3944	{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}.exe	116
PID 3944 wrote to memory of 4392	3944	{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}.exe	116
PID 3944 wrote to memory of 4496	3944	{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe
  C:\Windows\{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe
    C:\Windows\{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe
      C:\Windows\{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe
        
        C:\Windows\{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
      - C:\Windows\{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe
        
        C:\Windows\{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe
        
        C:\Windows\{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe
        
        C:\Windows\{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe
        
        C:\Windows\{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe
        
        C:\Windows\{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}.exe
        
        C:\Windows\{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\{9A636A70-8AF5-4305-96C3-62DB91C47102}.exe
        
        C:\Windows\{9A636A70-8AF5-4305-96C3-62DB91C47102}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Windows\{15420C16-077E-4ee8-A2B9-AF478399E7D5}.exe
        
        C:\Windows\{15420C16-077E-4ee8-A2B9-AF478399E7D5}.exe
        13⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A636~1.EXE > nul
        13⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3F8F~1.EXE > nul
        12⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5DA1~1.EXE > nul
        11⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5F74~1.EXE > nul
        10⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F00FD~1.EXE > nul
        9⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BE8E~1.EXE > nul
        8⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9062E~1.EXE > nul
        7⤵
        
        PID:3844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80D5B~1.EXE > nul
        6⤵
        
        PID:3152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21A10~1.EXE > nul
        5⤵
        
        PID:4828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EEE80~1.EXE > nul
      4⤵
      PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{58584~1.EXE > nul
    3⤵
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15420C16-077E-4ee8-A2B9-AF478399E7D5}.exe

Filesize
168KB

MD5
b59f1b137ed1c0545f301492c0159e38

SHA1
5365ba1dc1464638e85087047531b3cb835c79ee

SHA256
3b823fcb94edf61dcd7f8b22638bf90c85175af7eb9a0ea6094513fbd5c5fd23

SHA512
97d5525d0ab2af0034b36b95942bc349d65870581ce199cb10cf23a648c090851d16567a6e0585e3127f38ff05dd76f6c603195e33b8fd65ed7067626a4a1db1

Download Submit
C:\Windows\{21A103FD-57F4-4b77-96C8-8579C93742BF}.exe

Filesize
168KB

MD5
3119a0a0e2dc70fdb45b5e3dbb428084

SHA1
67ef6071ada6d4715bb00fff1f3bc6a09f13997c

SHA256
de842fe023f92718451b9f7f826ab877e3b7af9d1fa088b04046ca9e74e757a0

SHA512
8a0ad839a62f178d7cf9fa13f66b8737d9f5f2bc93a8dc6033ca239bbb1e71341f42a00230d3ffb06a5010089472729a05b78420f4f960c763d6643a2aa8e969

Download Submit
C:\Windows\{58584D48-D405-45a9-8127-6E3CC078ACCF}.exe

Filesize
168KB

MD5
9c962e4214a8f862eecdfc4155fe71a9

SHA1
eec9b4c44cb9c5403ffeff996f0860c29ad36a05

SHA256
58aa0356c04d1c946dfb6691ddfdb6f0eb55a1d44b12d282fe9c71a07d3fc2ea

SHA512
0642d382f4015472aa58eac660508d41dae5c315e6cfec7470d1ba4ee35e50fdc8d5fc576e265b0ad0d991f726285b0d3ac5b3725b6a68e5595d3853867431e1

Download Submit
C:\Windows\{80D5B50F-A2D8-4ea5-9CC2-A52655B49401}.exe

Filesize
168KB

MD5
dfc94028572b9674e9792efb7b1e0f7f

SHA1
e29f1c1d8f079fb7a936b116766cf391d8d2b14f

SHA256
41a9fa189675bb6b297577c75a68302a193608d000579d3d19bd8122f510b438

SHA512
ff40f632a13e95b3fde1e56a1af76b514d39001fd0b4808178c8dac2c267e9fb416a4e4d496d43c3611fcf8222dea3d8acd2232d4fdeb6d1992ec921859a87a4

Download Submit
C:\Windows\{9062E84C-4AEB-43bd-85E2-CEC7A9AA2078}.exe

Filesize
168KB

MD5
5aef8d1987a1c8566114ff19a0406394

SHA1
35dcc8270a791f303fc20a1a497a558fdfaa8d88

SHA256
78f77eff34bd95d6cdae3914c36f4b7728399a048faa82084c12a5a192baf6eb

SHA512
056fa0b5a941f9d834eb2ffa63cb6df8c671bffd8c229cfa2d94600f1ecc0f489f69dae0965cdddf595d3cc7cd425061e5befe31e964b396c214b48e7bcbfd36

Download Submit
C:\Windows\{9A636A70-8AF5-4305-96C3-62DB91C47102}.exe

Filesize
168KB

MD5
2747fce78eea230ab9684e04002f68e2

SHA1
e75069eb4886df8598a835e5c7026ca9233ad51b

SHA256
56d83268609406511afcf87ac3cfdd4b6c623fe2cc8fdbafca1d5f772ffe6554

SHA512
490916394de77e523840e12bcfc9da3506dc6ef2bd98e3ff5b0f05ff4cd8a21417b33dcb5a41b30daf07a544f9649835122013771ddb2925adf07822c2c709bb

Download Submit
C:\Windows\{9BE8E291-AB70-4b23-82C9-D49363717FFD}.exe

Filesize
168KB

MD5
398b41f534de2016fd81f809c23f37b6

SHA1
601076ffe2ea255b30001b5fbb71e2468e6df3e2

SHA256
161f937d614d54a6dc811010d800e050491c8e901435e74060facc8c474dbead

SHA512
246f9348c68c4640a74f46fa94a4d55ff3939171a000d6e724c32b5a7c4303bcaf3813d702e49763ff87fa887300c308bad9a3c49fde0f6c94f1f738e2315206

Download Submit
C:\Windows\{C5DA17AC-D7BB-4fd5-A106-1D000F66F53A}.exe

Filesize
168KB

MD5
8c558c9b104cdb613fa2e4d09270b884

SHA1
93761595060796aacb91f3afc14850978cd9312c

SHA256
1de31a7f9c98e07fda1b87a06c483032dd71314432994820b8e79e4a7c1c430d

SHA512
8c64287a40fbdd07e89a02d958ba3e05fa9c8c70d6f1cfea2b8391ce3978c3029c689aa8f0c9296c1be10c4bfbc540fc4fcdeba48155c4963342f46b341d0a97

Download Submit
C:\Windows\{D3F8FAD2-5D05-4864-8DE2-CCA95E530993}.exe

Filesize
168KB

MD5
c1e2d0ba15fef1b77d098dfad60df2e8

SHA1
9174920d4599a92fbd61ae80021a0a8c25c809b3

SHA256
024b2312eeb116825a1e4accd4d1d61f4d32aae5a4dba20dfd74360405923c72

SHA512
2f7411451b739dd3b803b7583b1aacfcff299f0f756b8c36b7d650f2c7904c80c65ccbcbb8d064108eb4bd8929f5f1af099ede2076926cb9ec0f1dc4cd4a88aa

Download Submit
C:\Windows\{D5F746F2-44B5-4ef6-AB60-EA512F383B47}.exe

Filesize
168KB

MD5
14c911b92e8b3c4edec59cc3f44c6903

SHA1
cb30b8dc135ed0339e4a7bed353be26486174335

SHA256
cd1a48e4ad6883ea32fca5732d66fedc27bff0120b69d54baaaa917f4b095be6

SHA512
e6c5cea23fc8ecb6e39b181a39ba8e4483d0eb995c66dcdb321bac3542e78ceaf93e6fa1e2ac2ed6cb3ecce7f204c4c6ca114ea902c13f5f573857013f1da99f

Download Submit
C:\Windows\{EEE801EE-59BF-4d5f-B1AE-B10422C18F69}.exe

Filesize
168KB

MD5
f0f9b781b436b70cf30f0d8414e27153

SHA1
cb01f4bf8b80a7d366c71ca96fad6f86b6d8aff6

SHA256
a08c63c8d4d024cc72321469e16d91dc8a4f059ee09761ff00d606ec621c7c82

SHA512
ea52754045d39e0f956b64dd3e551f196d595aae90a43bc2b4e08b7c81a2a70da7d0e616fa878cf2f4d38a13225df11c8d30b20f75ae4e9a9edb2ded07c51fc7

Download Submit
C:\Windows\{F00FD49F-B5A7-4f9f-90F6-B0C0290F8C8B}.exe

Filesize
168KB

MD5
3a7d2f14a5c59b28fbfb388bdc411822

SHA1
e332dfb04e78c22a360f772cfd4cad1c8806fdc3

SHA256
b3e395c4fc25fb73583a80d5807623c9aa11453e02f6905bb18dbc1c154921a1

SHA512
0d7e4236e5cf25a7919313bcefd7429666e6b868075d5cea5caaeb93d0e0447ec125efdfb22b74306397f6c45768f4f55170a4a1f0d59087494353cfbe809359

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads