caabda906a296de02d091f7f502ae71c295cec4aa7ac441cf76eaa6d0c3c001c

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_fcb356162c2f792b64350ebd4479dcee_goldeneye.exe
Size

408KB
MD5

fcb356162c2f792b64350ebd4479dcee
SHA1

104b65c4894b7e86b3e54b9ad0e221dc9312d4cf
SHA256

caabda906a296de02d091f7f502ae71c295cec4aa7ac441cf76eaa6d0c3c001c
SHA512

617d2d87d647e50e0700a6439c9bb473171e230f0a31bd644600cc49c0018b8eeefd2143306705f8f5f21592cf06696021241d7dd8c821c4f57a2b0480c96802
SSDEEP

3072:CEGh0oQl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGmldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231d1-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e804-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231df-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e804-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e804-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}\stubpath = "C:\\Windows\\{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe"	{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{907B945D-4D0E-4663-B443-FC17AA6CFC40}\stubpath = "C:\\Windows\\{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe"	{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8951E4B2-7477-4e91-9052-CB43E11728DF}\stubpath = "C:\\Windows\\{8951E4B2-7477-4e91-9052-CB43E11728DF}.exe"	{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BABCE17-112B-4ad0-8BB5-2379FC2881E3}	{3D2D5CBD-B0EF-49b8-A424-585DC93FFCB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}	{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD0C446-0271-4978-8642-C65D1E3C3C5A}	{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E849AB43-49E1-44d5-A486-61894AFE05B1}	{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E849AB43-49E1-44d5-A486-61894AFE05B1}\stubpath = "C:\\Windows\\{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe"	{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BABCE17-112B-4ad0-8BB5-2379FC2881E3}\stubpath = "C:\\Windows\\{4BABCE17-112B-4ad0-8BB5-2379FC2881E3}.exe"	{3D2D5CBD-B0EF-49b8-A424-585DC93FFCB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF66B6EC-E457-455b-9435-236A6BDB986E}\stubpath = "C:\\Windows\\{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe"	{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}	{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8951E4B2-7477-4e91-9052-CB43E11728DF}	{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F90A779D-1FC9-4c73-B48B-33D13503952D}\stubpath = "C:\\Windows\\{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe"	2024-04-08_fcb356162c2f792b64350ebd4479dcee_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}\stubpath = "C:\\Windows\\{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe"	{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}\stubpath = "C:\\Windows\\{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe"	{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD0C446-0271-4978-8642-C65D1E3C3C5A}\stubpath = "C:\\Windows\\{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe"	{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D2D5CBD-B0EF-49b8-A424-585DC93FFCB7}	{8951E4B2-7477-4e91-9052-CB43E11728DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F90A779D-1FC9-4c73-B48B-33D13503952D}	2024-04-08_fcb356162c2f792b64350ebd4479dcee_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}	{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF66B6EC-E457-455b-9435-236A6BDB986E}	{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}\stubpath = "C:\\Windows\\{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe"	{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}	{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{907B945D-4D0E-4663-B443-FC17AA6CFC40}	{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D2D5CBD-B0EF-49b8-A424-585DC93FFCB7}\stubpath = "C:\\Windows\\{3D2D5CBD-B0EF-49b8-A424-585DC93FFCB7}.exe"	{8951E4B2-7477-4e91-9052-CB43E11728DF}.exe

Executes dropped EXE 12 IoCs

pid	Process
2892	{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe
4396	{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe
4312	{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe
1576	{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe
4320	{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe
3980	{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe
4968	{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe
4052	{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe
4808	{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe
2252	{8951E4B2-7477-4e91-9052-CB43E11728DF}.exe
1236	{3D2D5CBD-B0EF-49b8-A424-585DC93FFCB7}.exe
4856	{4BABCE17-112B-4ad0-8BB5-2379FC2881E3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe	2024-04-08_fcb356162c2f792b64350ebd4479dcee_goldeneye.exe
File created	C:\Windows\{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe	{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe
File created	C:\Windows\{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe	{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe
File created	C:\Windows\{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe	{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe
File created	C:\Windows\{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe	{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe
File created	C:\Windows\{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe	{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe
File created	C:\Windows\{8951E4B2-7477-4e91-9052-CB43E11728DF}.exe	{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe
File created	C:\Windows\{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe	{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe
File created	C:\Windows\{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe	{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe
File created	C:\Windows\{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe	{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe
File created	C:\Windows\{3D2D5CBD-B0EF-49b8-A424-585DC93FFCB7}.exe	{8951E4B2-7477-4e91-9052-CB43E11728DF}.exe
File created	C:\Windows\{4BABCE17-112B-4ad0-8BB5-2379FC2881E3}.exe	{3D2D5CBD-B0EF-49b8-A424-585DC93FFCB7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2284	2024-04-08_fcb356162c2f792b64350ebd4479dcee_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2892	{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe
Token: SeIncBasePriorityPrivilege	4396	{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe
Token: SeIncBasePriorityPrivilege	4312	{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe
Token: SeIncBasePriorityPrivilege	1576	{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe
Token: SeIncBasePriorityPrivilege	4320	{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe
Token: SeIncBasePriorityPrivilege	3980	{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe
Token: SeIncBasePriorityPrivilege	4968	{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe
Token: SeIncBasePriorityPrivilege	4052	{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe
Token: SeIncBasePriorityPrivilege	4808	{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe
Token: SeIncBasePriorityPrivilege	2252	{8951E4B2-7477-4e91-9052-CB43E11728DF}.exe
Token: SeIncBasePriorityPrivilege	1236	{3D2D5CBD-B0EF-49b8-A424-585DC93FFCB7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2892	2284	2024-04-08_fcb356162c2f792b64350ebd4479dcee_goldeneye.exe	90
PID 2284 wrote to memory of 2892	2284	2024-04-08_fcb356162c2f792b64350ebd4479dcee_goldeneye.exe	90
PID 2284 wrote to memory of 2892	2284	2024-04-08_fcb356162c2f792b64350ebd4479dcee_goldeneye.exe	90
PID 2284 wrote to memory of 404	2284	2024-04-08_fcb356162c2f792b64350ebd4479dcee_goldeneye.exe	91
PID 2284 wrote to memory of 404	2284	2024-04-08_fcb356162c2f792b64350ebd4479dcee_goldeneye.exe	91
PID 2284 wrote to memory of 404	2284	2024-04-08_fcb356162c2f792b64350ebd4479dcee_goldeneye.exe	91
PID 2892 wrote to memory of 4396	2892	{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe	94
PID 2892 wrote to memory of 4396	2892	{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe	94
PID 2892 wrote to memory of 4396	2892	{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe	94
PID 2892 wrote to memory of 4496	2892	{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe	95
PID 2892 wrote to memory of 4496	2892	{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe	95
PID 2892 wrote to memory of 4496	2892	{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe	95
PID 4396 wrote to memory of 4312	4396	{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe	97
PID 4396 wrote to memory of 4312	4396	{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe	97
PID 4396 wrote to memory of 4312	4396	{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe	97
PID 4396 wrote to memory of 2480	4396	{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe	98
PID 4396 wrote to memory of 2480	4396	{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe	98
PID 4396 wrote to memory of 2480	4396	{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe	98
PID 4312 wrote to memory of 1576	4312	{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe	99
PID 4312 wrote to memory of 1576	4312	{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe	99
PID 4312 wrote to memory of 1576	4312	{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe	99
PID 4312 wrote to memory of 3440	4312	{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe	100
PID 4312 wrote to memory of 3440	4312	{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe	100
PID 4312 wrote to memory of 3440	4312	{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe	100
PID 1576 wrote to memory of 4320	1576	{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe	101
PID 1576 wrote to memory of 4320	1576	{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe	101
PID 1576 wrote to memory of 4320	1576	{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe	101
PID 1576 wrote to memory of 2060	1576	{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe	102
PID 1576 wrote to memory of 2060	1576	{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe	102
PID 1576 wrote to memory of 2060	1576	{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe	102
PID 4320 wrote to memory of 3980	4320	{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe	103
PID 4320 wrote to memory of 3980	4320	{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe	103
PID 4320 wrote to memory of 3980	4320	{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe	103
PID 4320 wrote to memory of 116	4320	{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe	104
PID 4320 wrote to memory of 116	4320	{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe	104
PID 4320 wrote to memory of 116	4320	{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe	104
PID 3980 wrote to memory of 4968	3980	{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe	105
PID 3980 wrote to memory of 4968	3980	{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe	105
PID 3980 wrote to memory of 4968	3980	{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe	105
PID 3980 wrote to memory of 1328	3980	{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe	106
PID 3980 wrote to memory of 1328	3980	{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe	106
PID 3980 wrote to memory of 1328	3980	{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe	106
PID 4968 wrote to memory of 4052	4968	{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe	107
PID 4968 wrote to memory of 4052	4968	{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe	107
PID 4968 wrote to memory of 4052	4968	{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe	107
PID 4968 wrote to memory of 3656	4968	{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe	108
PID 4968 wrote to memory of 3656	4968	{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe	108
PID 4968 wrote to memory of 3656	4968	{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe	108
PID 4052 wrote to memory of 4808	4052	{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe	109
PID 4052 wrote to memory of 4808	4052	{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe	109
PID 4052 wrote to memory of 4808	4052	{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe	109
PID 4052 wrote to memory of 2940	4052	{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe	110
PID 4052 wrote to memory of 2940	4052	{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe	110
PID 4052 wrote to memory of 2940	4052	{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe	110
PID 4808 wrote to memory of 2252	4808	{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe	111
PID 4808 wrote to memory of 2252	4808	{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe	111
PID 4808 wrote to memory of 2252	4808	{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe	111
PID 4808 wrote to memory of 5088	4808	{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe	112
PID 4808 wrote to memory of 5088	4808	{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe	112
PID 4808 wrote to memory of 5088	4808	{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe	112
PID 2252 wrote to memory of 1236	2252	{8951E4B2-7477-4e91-9052-CB43E11728DF}.exe	113
PID 2252 wrote to memory of 1236	2252	{8951E4B2-7477-4e91-9052-CB43E11728DF}.exe	113
PID 2252 wrote to memory of 1236	2252	{8951E4B2-7477-4e91-9052-CB43E11728DF}.exe	113
PID 2252 wrote to memory of 2588	2252	{8951E4B2-7477-4e91-9052-CB43E11728DF}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-04-08_fcb356162c2f792b64350ebd4479dcee_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_fcb356162c2f792b64350ebd4479dcee_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe
  C:\Windows\{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe
    C:\Windows\{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe
      C:\Windows\{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4312
    - - C:\Windows\{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe
        
        C:\Windows\{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe
        
        C:\Windows\{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe
        
        C:\Windows\{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe
        
        C:\Windows\{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe
        
        C:\Windows\{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe
        
        C:\Windows\{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\{8951E4B2-7477-4e91-9052-CB43E11728DF}.exe
        
        C:\Windows\{8951E4B2-7477-4e91-9052-CB43E11728DF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\{3D2D5CBD-B0EF-49b8-A424-585DC93FFCB7}.exe
        
        C:\Windows\{3D2D5CBD-B0EF-49b8-A424-585DC93FFCB7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\{4BABCE17-112B-4ad0-8BB5-2379FC2881E3}.exe
        
        C:\Windows\{4BABCE17-112B-4ad0-8BB5-2379FC2881E3}.exe
        13⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D2D5~1.EXE > nul
        13⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8951E~1.EXE > nul
        12⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{907B9~1.EXE > nul
        11⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E408~1.EXE > nul
        10⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A41A7~1.EXE > nul
        9⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF66B~1.EXE > nul
        8⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E849A~1.EXE > nul
        7⤵
        
        PID:116
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AD0C~1.EXE > nul
        6⤵
        
        PID:2060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46B95~1.EXE > nul
        5⤵
        
        PID:3440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{36CCA~1.EXE > nul
      4⤵
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F90A7~1.EXE > nul
    3⤵
    PID:4496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{36CCA2F9-85F9-49bc-9B4F-72B2E6AC8A2C}.exe

Filesize
408KB

MD5
889b2d21f9d93bb1a443c99ddf9ffaf5

SHA1
2df5d4f68c1acefd74872e20c8945f4ac3980b45

SHA256
1f802fc76afbb0ffce3cc812abc9565ab2e5ae2f233d78b07019faefc524c715

SHA512
8290818df0058682004de7e1723e2b474a7839043f95bb342546bf4734c6b42d5e2ac4a121203f113bb05fd749c06bbd97e58cd9a42dc40e6ab2159abaeae675

Download Submit
C:\Windows\{3D2D5CBD-B0EF-49b8-A424-585DC93FFCB7}.exe

Filesize
408KB

MD5
2268dffd722f9820a7b0be3c87d3979d

SHA1
9665d83669bad5885c9da77b80d966f1391d2d2e

SHA256
824c86f5ab5c85f8feb40744d7d3ef6c9de273714af04889c4ec24880e753780

SHA512
ee3f69b6a03c6246a0f978318079cf8fb6383c1e97252766296e4ed742c080cdd35a0a7d9cc6c3147679383d38568412c44636aee2e594b88459c4e27477c319

Download Submit
C:\Windows\{46B9569E-2799-47e6-B2B7-C7C4EA17ABB1}.exe

Filesize
408KB

MD5
836d2e093475e4bb17a258fe305543dc

SHA1
d7592b6027a975ea437c9702a4fab26049c18d7b

SHA256
17208ce2843240ca12c3887b3ca3fe09eaa7e7930e9bf82926f890385296691a

SHA512
ca55c95b8b9754d6e7281ec6d68014350f8b158232e28e2488c2282f1c0bcf6f1ed7ffd275e4c694fd2169fe61dc6a4abaa26d129923e1b7c851614e932187a2

Download Submit
C:\Windows\{4BABCE17-112B-4ad0-8BB5-2379FC2881E3}.exe

Filesize
408KB

MD5
ba809aaa10b83638328a4c4e984292ca

SHA1
e6123197e5ccec3cfcd065783aa313c3b73bbaaf

SHA256
d497322b687761e4f35a1ba260c3d100c920183b630b8a59b6e3902dd83dd590

SHA512
428742a9d90c60ecb698cfc0dd507a5a99b56cee0eb0d871f0af8e878eb663ba747fa37f0234acd7dcc1cfd826ff03d923fa7299d413ce98dc013762008ff2f4

Download Submit
C:\Windows\{4E4085B4-0E4F-4975-A8F6-6353DA03AC8E}.exe

Filesize
408KB

MD5
3771a7ba163baa2ea27562b74318b800

SHA1
88d055a9612685e0cf5deee847810a6bb6e1f1ae

SHA256
998b50296fe373b4776a9dc4e8d25afb8ce7c8eb2922240e9482312aa04ce7fb

SHA512
fa38def5b2bcb4e019c0c32dee0850c4a12ea873945c30bedd2f6e445bfad913bf19c79b513122f15314b421a16bfd26283a7c2db49ba799fe3fa1c46f161941

Download Submit
C:\Windows\{8951E4B2-7477-4e91-9052-CB43E11728DF}.exe

Filesize
408KB

MD5
173c6de460cd9a32c9360bdc22f36155

SHA1
7f3d704ed6f3fb547098a71111fadb32480b59c1

SHA256
8e24808e6b4a8152b81178ab08951a734980d1b3243f054c469585d81703e606

SHA512
f199096b4b9cc428723f1f2a04fc1b4ad451e394269f07f0c5748a15a761cc354a1ad99f95cb8204cf832a76834c2012d026ee1cacf81fcaf0bdc508c489138c

Download Submit
C:\Windows\{907B945D-4D0E-4663-B443-FC17AA6CFC40}.exe

Filesize
408KB

MD5
5c0594f0e611ee87d5cd8bd30fda225e

SHA1
0d3f472bee87bae3434f378ae6ab51f8a32293f5

SHA256
3607f38ab69c562f32ad0b4f85f838870df8d55b8e41d756aefae3f597a89570

SHA512
6b31ce0261e95c268038baaedef629fdf75257b4d4c85714e4a4a19f173b3cd02e1a59424ad91459e142f0b741988c8f31b49e12ea81f7a3cce7b28714a93728

Download Submit
C:\Windows\{9AD0C446-0271-4978-8642-C65D1E3C3C5A}.exe

Filesize
408KB

MD5
dedaca50dabf55b6def879bc4b1dbf09

SHA1
9cbbe712106ca6a5caf3356c8d05b9af4f6c36a7

SHA256
51ccdea939b54ad7506b1f50eb81d08114f2d770ea5e24d66393e18a7622a671

SHA512
7f1d67d0a40f1639c3f5920fe2e9caeaa8dd9fd9db9ad1e43cacb8b2e889eed7340538b44eb7e41a11a4f2308ddbdefe39f8dc02c83c89e43d50d58f851fc3d8

Download Submit
C:\Windows\{A41A7C79-16A3-4d44-85C9-6F3AD8BC3556}.exe

Filesize
408KB

MD5
06933d49def6f9b5105b1868b03dc86c

SHA1
4d4e70370972a7556efe50b064d138254d6ac421

SHA256
328fae4b02dcefda9c9961c98d612345efb6745532e07730eccb62555a72fe6d

SHA512
f4fd5d182706209cc1d7abf584ee328e4ca48ad7f61b258614efd7cc696e0f46a2f0cb1268b55d0be773ea10fbcef1e8469f8e3fb079f7da94a24873d6f29f7d

Download Submit
C:\Windows\{BF66B6EC-E457-455b-9435-236A6BDB986E}.exe

Filesize
408KB

MD5
808854273f7788e25c43a32ca1a76de1

SHA1
db2cacdef0c95840ce188bc88c77efe11cac88d2

SHA256
0f1eea0d8841de3c73b1b106f65e8b52a43b95cce36a1e30fe945aace4641350

SHA512
b869a6d516ddc977e6f5d149b3c4ce8528147fbd9afb1c6bcc2927b0666b4ee6e4519a8bac64519337a8ab121fac35b44ce1fd5b1ce3022f8da204de4e81261e

Download Submit
C:\Windows\{E849AB43-49E1-44d5-A486-61894AFE05B1}.exe

Filesize
408KB

MD5
e2cc72bee62091b6a79838874c878704

SHA1
266723714c9a5ec372434707b74aae43c782daea

SHA256
172abf16a2045ff0f7b9e7c59ae00565c3f396b0302e3e3d67d22ca49c516aac

SHA512
d2b3b26a2efbce888b0cb29569908bc1a82b75fb2083432f7aafcd840ae8ea31add7999ba6f13c734852575eda52e0ac060d1431ec27ff6d86230cce0045a662

Download Submit
C:\Windows\{F90A779D-1FC9-4c73-B48B-33D13503952D}.exe

Filesize
408KB

MD5
25a1d3ef5a759fb8fb00ea96d41e17b5

SHA1
bf7d67ffd92673aaa649cd6fd9b1acb542910b4f

SHA256
f8ba521a6866b93fbe5fedc2d35c1717189d1ea50eedeb77c7035eacb970a917

SHA512
d5a62eec60677a335e3721dc0a1ff57f2020e0aca27566a04b68b242c2647f263c3541f779d6085af328d6215b3058091647b93ecaae3c2825df4791a5bfaa71

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads