804d7ac5bceccc1f1103cededcea7059706859dac83508a824c2c8f2f61ba22b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_79ab9aa6f6b8fcfa2b43713f4baf4b0a_goldeneye.exe
Size

168KB
MD5

79ab9aa6f6b8fcfa2b43713f4baf4b0a
SHA1

d8b5a4a2920c021149343b30b7a079cd820ea594
SHA256

804d7ac5bceccc1f1103cededcea7059706859dac83508a824c2c8f2f61ba22b
SHA512

2b5ee2bfb24ecb1464d37499cad2d6aec04609c081c436ea62db99b6c316fb0112f59a8ac03da88b3c8552c949d7a90d45adaa24644c73a4a2cc9a66c85483c0
SSDEEP

1536:1EGh0oJlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oJlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023214-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023218-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321f-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023218-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021b3f-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021b40-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021b3f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000731-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}\stubpath = "C:\\Windows\\{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe"	{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{640DC520-35E4-4d1d-A537-7DECAA0E0C76}	{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87E30023-E11E-4b58-99C9-F4D7CDEBA001}	{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D504A07C-586D-4084-8EE3-6D598ADCAA58}\stubpath = "C:\\Windows\\{D504A07C-586D-4084-8EE3-6D598ADCAA58}.exe"	{87E30023-E11E-4b58-99C9-F4D7CDEBA001}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}	{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}\stubpath = "C:\\Windows\\{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe"	{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}\stubpath = "C:\\Windows\\{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe"	{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0E87AB8-6543-437a-82C7-05AC6074F97C}	{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88C36125-9EEA-4318-8ED2-ADC828CEA9BD}	{D504A07C-586D-4084-8EE3-6D598ADCAA58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{640DC520-35E4-4d1d-A537-7DECAA0E0C76}\stubpath = "C:\\Windows\\{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe"	{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88C36125-9EEA-4318-8ED2-ADC828CEA9BD}\stubpath = "C:\\Windows\\{88C36125-9EEA-4318-8ED2-ADC828CEA9BD}.exe"	{D504A07C-586D-4084-8EE3-6D598ADCAA58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}	2024-04-06_79ab9aa6f6b8fcfa2b43713f4baf4b0a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}	{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF54FB02-BB07-4bfe-A705-0A0531934ED8}\stubpath = "C:\\Windows\\{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe"	{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}\stubpath = "C:\\Windows\\{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe"	{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87E30023-E11E-4b58-99C9-F4D7CDEBA001}\stubpath = "C:\\Windows\\{87E30023-E11E-4b58-99C9-F4D7CDEBA001}.exe"	{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}	{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF54FB02-BB07-4bfe-A705-0A0531934ED8}	{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}	{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}\stubpath = "C:\\Windows\\{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe"	{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}\stubpath = "C:\\Windows\\{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe"	2024-04-06_79ab9aa6f6b8fcfa2b43713f4baf4b0a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0E87AB8-6543-437a-82C7-05AC6074F97C}\stubpath = "C:\\Windows\\{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe"	{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}	{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D504A07C-586D-4084-8EE3-6D598ADCAA58}	{87E30023-E11E-4b58-99C9-F4D7CDEBA001}.exe

Executes dropped EXE 12 IoCs

pid	Process
1116	{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe
2856	{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe
2396	{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe
3492	{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe
1944	{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe
1016	{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe
4500	{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe
2032	{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe
4448	{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe
3424	{87E30023-E11E-4b58-99C9-F4D7CDEBA001}.exe
2240	{D504A07C-586D-4084-8EE3-6D598ADCAA58}.exe
2112	{88C36125-9EEA-4318-8ED2-ADC828CEA9BD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe	{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe
File created	C:\Windows\{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe	{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe
File created	C:\Windows\{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe	{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe
File created	C:\Windows\{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe	{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe
File created	C:\Windows\{87E30023-E11E-4b58-99C9-F4D7CDEBA001}.exe	{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe
File created	C:\Windows\{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe	2024-04-06_79ab9aa6f6b8fcfa2b43713f4baf4b0a_goldeneye.exe
File created	C:\Windows\{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe	{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe
File created	C:\Windows\{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe	{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe
File created	C:\Windows\{88C36125-9EEA-4318-8ED2-ADC828CEA9BD}.exe	{D504A07C-586D-4084-8EE3-6D598ADCAA58}.exe
File created	C:\Windows\{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe	{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe
File created	C:\Windows\{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe	{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe
File created	C:\Windows\{D504A07C-586D-4084-8EE3-6D598ADCAA58}.exe	{87E30023-E11E-4b58-99C9-F4D7CDEBA001}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2108	2024-04-06_79ab9aa6f6b8fcfa2b43713f4baf4b0a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1116	{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe
Token: SeIncBasePriorityPrivilege	2856	{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe
Token: SeIncBasePriorityPrivilege	2396	{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe
Token: SeIncBasePriorityPrivilege	3492	{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe
Token: SeIncBasePriorityPrivilege	1944	{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe
Token: SeIncBasePriorityPrivilege	1016	{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe
Token: SeIncBasePriorityPrivilege	4500	{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe
Token: SeIncBasePriorityPrivilege	2032	{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe
Token: SeIncBasePriorityPrivilege	4448	{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe
Token: SeIncBasePriorityPrivilege	3424	{87E30023-E11E-4b58-99C9-F4D7CDEBA001}.exe
Token: SeIncBasePriorityPrivilege	2240	{D504A07C-586D-4084-8EE3-6D598ADCAA58}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1116	2108	2024-04-06_79ab9aa6f6b8fcfa2b43713f4baf4b0a_goldeneye.exe	94
PID 2108 wrote to memory of 1116	2108	2024-04-06_79ab9aa6f6b8fcfa2b43713f4baf4b0a_goldeneye.exe	94
PID 2108 wrote to memory of 1116	2108	2024-04-06_79ab9aa6f6b8fcfa2b43713f4baf4b0a_goldeneye.exe	94
PID 2108 wrote to memory of 4292	2108	2024-04-06_79ab9aa6f6b8fcfa2b43713f4baf4b0a_goldeneye.exe	95
PID 2108 wrote to memory of 4292	2108	2024-04-06_79ab9aa6f6b8fcfa2b43713f4baf4b0a_goldeneye.exe	95
PID 2108 wrote to memory of 4292	2108	2024-04-06_79ab9aa6f6b8fcfa2b43713f4baf4b0a_goldeneye.exe	95
PID 1116 wrote to memory of 2856	1116	{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe	96
PID 1116 wrote to memory of 2856	1116	{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe	96
PID 1116 wrote to memory of 2856	1116	{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe	96
PID 1116 wrote to memory of 4348	1116	{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe	97
PID 1116 wrote to memory of 4348	1116	{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe	97
PID 1116 wrote to memory of 4348	1116	{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe	97
PID 2856 wrote to memory of 2396	2856	{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe	99
PID 2856 wrote to memory of 2396	2856	{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe	99
PID 2856 wrote to memory of 2396	2856	{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe	99
PID 2856 wrote to memory of 3208	2856	{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe	100
PID 2856 wrote to memory of 3208	2856	{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe	100
PID 2856 wrote to memory of 3208	2856	{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe	100
PID 2396 wrote to memory of 3492	2396	{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe	101
PID 2396 wrote to memory of 3492	2396	{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe	101
PID 2396 wrote to memory of 3492	2396	{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe	101
PID 2396 wrote to memory of 3116	2396	{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe	102
PID 2396 wrote to memory of 3116	2396	{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe	102
PID 2396 wrote to memory of 3116	2396	{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe	102
PID 3492 wrote to memory of 1944	3492	{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe	103
PID 3492 wrote to memory of 1944	3492	{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe	103
PID 3492 wrote to memory of 1944	3492	{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe	103
PID 3492 wrote to memory of 3168	3492	{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe	104
PID 3492 wrote to memory of 3168	3492	{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe	104
PID 3492 wrote to memory of 3168	3492	{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe	104
PID 1944 wrote to memory of 1016	1944	{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe	105
PID 1944 wrote to memory of 1016	1944	{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe	105
PID 1944 wrote to memory of 1016	1944	{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe	105
PID 1944 wrote to memory of 1604	1944	{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe	106
PID 1944 wrote to memory of 1604	1944	{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe	106
PID 1944 wrote to memory of 1604	1944	{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe	106
PID 1016 wrote to memory of 4500	1016	{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe	107
PID 1016 wrote to memory of 4500	1016	{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe	107
PID 1016 wrote to memory of 4500	1016	{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe	107
PID 1016 wrote to memory of 2644	1016	{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe	108
PID 1016 wrote to memory of 2644	1016	{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe	108
PID 1016 wrote to memory of 2644	1016	{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe	108
PID 4500 wrote to memory of 2032	4500	{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe	109
PID 4500 wrote to memory of 2032	4500	{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe	109
PID 4500 wrote to memory of 2032	4500	{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe	109
PID 4500 wrote to memory of 4092	4500	{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe	110
PID 4500 wrote to memory of 4092	4500	{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe	110
PID 4500 wrote to memory of 4092	4500	{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe	110
PID 2032 wrote to memory of 4448	2032	{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe	111
PID 2032 wrote to memory of 4448	2032	{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe	111
PID 2032 wrote to memory of 4448	2032	{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe	111
PID 2032 wrote to memory of 3324	2032	{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe	112
PID 2032 wrote to memory of 3324	2032	{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe	112
PID 2032 wrote to memory of 3324	2032	{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe	112
PID 4448 wrote to memory of 3424	4448	{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe	113
PID 4448 wrote to memory of 3424	4448	{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe	113
PID 4448 wrote to memory of 3424	4448	{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe	113
PID 4448 wrote to memory of 2580	4448	{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe	114
PID 4448 wrote to memory of 2580	4448	{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe	114
PID 4448 wrote to memory of 2580	4448	{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe	114
PID 3424 wrote to memory of 2240	3424	{87E30023-E11E-4b58-99C9-F4D7CDEBA001}.exe	115
PID 3424 wrote to memory of 2240	3424	{87E30023-E11E-4b58-99C9-F4D7CDEBA001}.exe	115
PID 3424 wrote to memory of 2240	3424	{87E30023-E11E-4b58-99C9-F4D7CDEBA001}.exe	115
PID 3424 wrote to memory of 4576	3424	{87E30023-E11E-4b58-99C9-F4D7CDEBA001}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-04-06_79ab9aa6f6b8fcfa2b43713f4baf4b0a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_79ab9aa6f6b8fcfa2b43713f4baf4b0a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe
  C:\Windows\{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe
    C:\Windows\{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe
      C:\Windows\{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe
        
        C:\Windows\{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3492
      - C:\Windows\{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe
        
        C:\Windows\{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe
        
        C:\Windows\{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe
        
        C:\Windows\{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe
        
        C:\Windows\{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe
        
        C:\Windows\{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\{87E30023-E11E-4b58-99C9-F4D7CDEBA001}.exe
        
        C:\Windows\{87E30023-E11E-4b58-99C9-F4D7CDEBA001}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\{D504A07C-586D-4084-8EE3-6D598ADCAA58}.exe
        
        C:\Windows\{D504A07C-586D-4084-8EE3-6D598ADCAA58}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\{88C36125-9EEA-4318-8ED2-ADC828CEA9BD}.exe
        
        C:\Windows\{88C36125-9EEA-4318-8ED2-ADC828CEA9BD}.exe
        13⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D504A~1.EXE > nul
        13⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87E30~1.EXE > nul
        12⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{640DC~1.EXE > nul
        11⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88091~1.EXE > nul
        10⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3F3D~1.EXE > nul
        9⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF54F~1.EXE > nul
        8⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18520~1.EXE > nul
        7⤵
        
        PID:1604
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0E87~1.EXE > nul
        6⤵
        
        PID:3168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19D83~1.EXE > nul
        5⤵
        
        PID:3116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F4AEF~1.EXE > nul
      4⤵
      PID:3208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BA96C~1.EXE > nul
    3⤵
    PID:4348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18520EB5-3A3B-41e4-809A-08EC21AD6B3D}.exe

Filesize
168KB

MD5
8037b4414a387472b87199bd65d447c2

SHA1
05c86a93d409a94791e35394b8d7504123f381aa

SHA256
259227a74bdd5a69c98e0d2879619d5f422335f9b864faf8a4766054913aba9c

SHA512
ed6a49298972a1b9762ff93550464487f16358ed5bf6fdeca9d4598ff0c555e19592db915d539517ea8510121651d2287b5ddff80dc6048779d97cb8a0a45e52

Download Submit
C:\Windows\{19D8365C-4572-489d-B73D-C5F6FE4D1CDC}.exe

Filesize
168KB

MD5
a4a51b5e88536cc2b30842c74ad613c0

SHA1
f3a7479429ca54df22acb07860d54c821e0ffd88

SHA256
47d99060f38274dddf99821cb7ab0a5b6c54c11cb113b9d6e19970e987d0379b

SHA512
3290716d46d02eec7630c961e97714e00374b922ceaa9373c0af53e25e607c022cc7b62fa9e5f1af5c3b5bf4afd20af14c609ccce665205989d265941643487f

Download Submit
C:\Windows\{640DC520-35E4-4d1d-A537-7DECAA0E0C76}.exe

Filesize
168KB

MD5
38422ed6d8491198c9eecb68bb4779ee

SHA1
3a854daac0660fa1fef9242a17be2fdc90af1838

SHA256
c4cf7b89355e1617e5cc987eb698aad10fba7ccc1112264d7fab3f07b859ed30

SHA512
10d228a358ea8e9a981c80f099850256f686bb85e288353b2a9ed251ddc077dc6ce9a0636504cf3514eca03d5eba18071be5bad347db386a9ffee2d072b6d44a

Download Submit
C:\Windows\{87E30023-E11E-4b58-99C9-F4D7CDEBA001}.exe

Filesize
168KB

MD5
a3c406f47c2a49eb01d569bc46c8733a

SHA1
72af8727be11eed609f03b1ef837de95b966fd59

SHA256
443235be8a2224ddb017e42aa6ac5bbec5f0b4f9a721b48bd60a15f6279a63b3

SHA512
3b9aacf183e6990e9275c75eac408756280cca14ba72920e0b192ef34667eca4aa3ad3180749514fcb407bfed558538645e0224d809bed91437056f538a304f9

Download Submit
C:\Windows\{8809179B-64A6-4cfb-91AE-B9FDB6367A3A}.exe

Filesize
168KB

MD5
61beec8f1b1de2e9c82e42a0b64d287d

SHA1
1022679d52accdd24b864472f378867e5dc47532

SHA256
2c96eb70eccf9de0c503c1dd9081359ab5dea6e4f293988d84f55486d2ea668c

SHA512
4132fba55ad586ed83ae82c6f572eaf23b7acaefc0a5093ddd939ec57feddafe67888ba9a34d8c08accb1de6edc3b37eccc5190172908aa3fd833c87ef810a0a

Download Submit
C:\Windows\{88C36125-9EEA-4318-8ED2-ADC828CEA9BD}.exe

Filesize
168KB

MD5
be8f3c43556bd2c31da1a66b62f582b3

SHA1
5af02a2d88965cb9fca64e0e4764311a94bfdfba

SHA256
b5d75060555b1fd62cac90070330137edfd8176770ffa7b3cbdaee7768b0a35a

SHA512
94fcc413387a78c3fae1f05933941d616736b01ef9e05546d3fe8db8f510054d9ef9335380568efd466a416ee99f996409dff05754d005c9c38cd631627257f3

Download Submit
C:\Windows\{AF54FB02-BB07-4bfe-A705-0A0531934ED8}.exe

Filesize
168KB

MD5
8250133792dca224139a6332ff2fabf8

SHA1
bb4972e9cf50960fa2a5ab483569fa8fb751f37a

SHA256
2c930e4f5e592a8e87b31c61985dfe15a042492b9c43cca8d71b5e79ed9101ab

SHA512
288d54f95e173e8380757e69b2730ff76cdb1ed48be8ced1b36b337c95d17e2296bf4db7930c9e0c31c255e0eb6c757c3365e1448aed1762edf682d6c23c4e03

Download Submit
C:\Windows\{B0E87AB8-6543-437a-82C7-05AC6074F97C}.exe

Filesize
168KB

MD5
923cf2cf493b2b5fc7ad4bb517e5d036

SHA1
920153261628c59cedcc12a75efbd0bea287e08d

SHA256
01bf732e73d70c699cc2371103afe50e7b4b7fe4e16c8a2ca4176ffba8038248

SHA512
b07f22445b813bd394269c5a4a55e5925894282808509b09217cd21d8fecb908cd216459c40aaeb4970bc38d626cb9178a49a85643008aaceeffd5a7e6576d76

Download Submit
C:\Windows\{B3F3D6FD-C4F9-49c6-8839-FB3B1DE0E492}.exe

Filesize
168KB

MD5
cac732480866e49ffa37b2bd282ca267

SHA1
dbc4ab0ce7781325174443faaa6758999112905e

SHA256
c0dc8a392504b43b5d5dd7e703b327a95535d5f6e9b3da65d09a0e1706c7c82d

SHA512
abeb07e842b2245e2997e01937c28b3a83ad417d8e8a081b6d0e775d6ee79569d1eab358cebaaab96bc2d52ddd26d6817405e0649ec059474b84b7565c4f89ca

Download Submit
C:\Windows\{BA96C7D8-EE00-41c3-8A5F-0C18E7C73A53}.exe

Filesize
168KB

MD5
2ad239777db624faf2ba2746e8719b92

SHA1
ae5cd7d86a255a19d71615ef4577b5b5327c997f

SHA256
2ef12567ce94c6d266516933bdfa0c74efe9a6f34eefa86d8d8d72b6b963d416

SHA512
ebcf490c8a510112dba690c365bcb7f760865aa969a4f6af0ebdde592a4009d35a7b21cf1aae73591100e2879e94422a352aeb8cf255b3bef7d8e7775777829b

Download Submit
C:\Windows\{D504A07C-586D-4084-8EE3-6D598ADCAA58}.exe

Filesize
168KB

MD5
28182535878d07987aae323797937399

SHA1
fdc256ee362d96c4b1a2a7e96f788ce76fc9a1bd

SHA256
91b0c4c596ca706e7cde5deb677e9679442fa39a14708fb0f2924641f4853f45

SHA512
3afdcb85954c3569c263e14ac8c8a7084e8c1da7ab5b058710e4d1ab0c59ded552a280d293774f58f141fd25981ee97cd416afba2beb708241096a59a5b043b9

Download Submit
C:\Windows\{F4AEF0A3-BF14-4f5d-987A-23F44C774FF6}.exe

Filesize
168KB

MD5
fcc7a2a76c33ce3433657acde3540eb1

SHA1
d0ed861e7ae68e0aafb64263fa2d270e34edac4c

SHA256
17ef28e2861675f2a18eb3ad289ab6c77dc5ea3287f3bcb6bda12e4aa025ec56

SHA512
2f1a45837b1165154d7c9a1bcf74e672e685b7b62cc666b6983335c27393d767cfb26a48289b833ea5bd8a6e2a8b8a0092303f5bcda35f87bc36ba15a21a1891

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads