6d28141831802d9645e0f3b9f5cc7e2b00faef5f6e395de28572498488cfb274

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_d39922fed686c9ab0336e4289e8261ac_goldeneye.exe
Size

344KB
MD5

d39922fed686c9ab0336e4289e8261ac
SHA1

9bfbf99ebdaebc180ddeb777a3b01769e458650c
SHA256

6d28141831802d9645e0f3b9f5cc7e2b00faef5f6e395de28572498488cfb274
SHA512

b17b749b69ada3990c4cca5651f75312a94a96cd38d0f05ca83acb4e351a0fd41b4c163fbb7e370c90fa53c0978b6c8986de0d28920a6dbe0f5ed61345a7ebb1
SSDEEP

3072:mEGh0oKlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG8lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023224-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002321d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322b-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002321d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d05-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d06-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d05-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BFD5286-FA26-43e7-852B-5BF2E295CAA6}	{A8443858-0BE3-4739-8D08-709F2DA51855}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6903E033-F844-4b75-B2F2-459306616DB4}	{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}	{6903E033-F844-4b75-B2F2-459306616DB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}	{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BFD5286-FA26-43e7-852B-5BF2E295CAA6}\stubpath = "C:\\Windows\\{2BFD5286-FA26-43e7-852B-5BF2E295CAA6}.exe"	{A8443858-0BE3-4739-8D08-709F2DA51855}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1E28AAC-D6A9-41c8-A744-22F2904DDCBC}\stubpath = "C:\\Windows\\{A1E28AAC-D6A9-41c8-A744-22F2904DDCBC}.exe"	{2BFD5286-FA26-43e7-852B-5BF2E295CAA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}	2024-04-08_d39922fed686c9ab0336e4289e8261ac_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C38FC93-D5CA-4530-85A0-39E288609E08}	{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6002661B-DDEB-4a58-93E1-74BCB5D099EB}\stubpath = "C:\\Windows\\{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe"	{2B92DE67-800C-487e-A098-97F41E71CA99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}\stubpath = "C:\\Windows\\{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe"	{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6002661B-DDEB-4a58-93E1-74BCB5D099EB}	{2B92DE67-800C-487e-A098-97F41E71CA99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8443858-0BE3-4739-8D08-709F2DA51855}	{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8443858-0BE3-4739-8D08-709F2DA51855}\stubpath = "C:\\Windows\\{A8443858-0BE3-4739-8D08-709F2DA51855}.exe"	{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}\stubpath = "C:\\Windows\\{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe"	2024-04-08_d39922fed686c9ab0336e4289e8261ac_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}\stubpath = "C:\\Windows\\{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe"	{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C38FC93-D5CA-4530-85A0-39E288609E08}\stubpath = "C:\\Windows\\{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe"	{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}	{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}\stubpath = "C:\\Windows\\{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe"	{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B92DE67-800C-487e-A098-97F41E71CA99}	{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B92DE67-800C-487e-A098-97F41E71CA99}\stubpath = "C:\\Windows\\{2B92DE67-800C-487e-A098-97F41E71CA99}.exe"	{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1E28AAC-D6A9-41c8-A744-22F2904DDCBC}	{2BFD5286-FA26-43e7-852B-5BF2E295CAA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}	{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6903E033-F844-4b75-B2F2-459306616DB4}\stubpath = "C:\\Windows\\{6903E033-F844-4b75-B2F2-459306616DB4}.exe"	{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}\stubpath = "C:\\Windows\\{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe"	{6903E033-F844-4b75-B2F2-459306616DB4}.exe

Executes dropped EXE 12 IoCs

pid	Process
4896	{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe
3776	{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe
4464	{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe
3108	{6903E033-F844-4b75-B2F2-459306616DB4}.exe
1380	{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe
1524	{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe
4308	{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe
2792	{2B92DE67-800C-487e-A098-97F41E71CA99}.exe
4576	{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe
2248	{A8443858-0BE3-4739-8D08-709F2DA51855}.exe
2500	{2BFD5286-FA26-43e7-852B-5BF2E295CAA6}.exe
1504	{A1E28AAC-D6A9-41c8-A744-22F2904DDCBC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe	{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe
File created	C:\Windows\{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe	{6903E033-F844-4b75-B2F2-459306616DB4}.exe
File created	C:\Windows\{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe	{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe
File created	C:\Windows\{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe	{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe
File created	C:\Windows\{2B92DE67-800C-487e-A098-97F41E71CA99}.exe	{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe
File created	C:\Windows\{2BFD5286-FA26-43e7-852B-5BF2E295CAA6}.exe	{A8443858-0BE3-4739-8D08-709F2DA51855}.exe
File created	C:\Windows\{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe	2024-04-08_d39922fed686c9ab0336e4289e8261ac_goldeneye.exe
File created	C:\Windows\{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe	{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe
File created	C:\Windows\{6903E033-F844-4b75-B2F2-459306616DB4}.exe	{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe
File created	C:\Windows\{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe	{2B92DE67-800C-487e-A098-97F41E71CA99}.exe
File created	C:\Windows\{A8443858-0BE3-4739-8D08-709F2DA51855}.exe	{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe
File created	C:\Windows\{A1E28AAC-D6A9-41c8-A744-22F2904DDCBC}.exe	{2BFD5286-FA26-43e7-852B-5BF2E295CAA6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2436	2024-04-08_d39922fed686c9ab0336e4289e8261ac_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4896	{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe
Token: SeIncBasePriorityPrivilege	3776	{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe
Token: SeIncBasePriorityPrivilege	4464	{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe
Token: SeIncBasePriorityPrivilege	3108	{6903E033-F844-4b75-B2F2-459306616DB4}.exe
Token: SeIncBasePriorityPrivilege	1380	{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe
Token: SeIncBasePriorityPrivilege	1524	{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe
Token: SeIncBasePriorityPrivilege	4308	{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe
Token: SeIncBasePriorityPrivilege	2792	{2B92DE67-800C-487e-A098-97F41E71CA99}.exe
Token: SeIncBasePriorityPrivilege	4576	{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe
Token: SeIncBasePriorityPrivilege	2248	{A8443858-0BE3-4739-8D08-709F2DA51855}.exe
Token: SeIncBasePriorityPrivilege	2500	{2BFD5286-FA26-43e7-852B-5BF2E295CAA6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 4896	2436	2024-04-08_d39922fed686c9ab0336e4289e8261ac_goldeneye.exe	97
PID 2436 wrote to memory of 4896	2436	2024-04-08_d39922fed686c9ab0336e4289e8261ac_goldeneye.exe	97
PID 2436 wrote to memory of 4896	2436	2024-04-08_d39922fed686c9ab0336e4289e8261ac_goldeneye.exe	97
PID 2436 wrote to memory of 1016	2436	2024-04-08_d39922fed686c9ab0336e4289e8261ac_goldeneye.exe	98
PID 2436 wrote to memory of 1016	2436	2024-04-08_d39922fed686c9ab0336e4289e8261ac_goldeneye.exe	98
PID 2436 wrote to memory of 1016	2436	2024-04-08_d39922fed686c9ab0336e4289e8261ac_goldeneye.exe	98
PID 4896 wrote to memory of 3776	4896	{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe	99
PID 4896 wrote to memory of 3776	4896	{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe	99
PID 4896 wrote to memory of 3776	4896	{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe	99
PID 4896 wrote to memory of 3760	4896	{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe	100
PID 4896 wrote to memory of 3760	4896	{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe	100
PID 4896 wrote to memory of 3760	4896	{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe	100
PID 3776 wrote to memory of 4464	3776	{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe	102
PID 3776 wrote to memory of 4464	3776	{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe	102
PID 3776 wrote to memory of 4464	3776	{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe	102
PID 3776 wrote to memory of 3368	3776	{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe	103
PID 3776 wrote to memory of 3368	3776	{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe	103
PID 3776 wrote to memory of 3368	3776	{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe	103
PID 4464 wrote to memory of 3108	4464	{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe	104
PID 4464 wrote to memory of 3108	4464	{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe	104
PID 4464 wrote to memory of 3108	4464	{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe	104
PID 4464 wrote to memory of 4148	4464	{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe	105
PID 4464 wrote to memory of 4148	4464	{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe	105
PID 4464 wrote to memory of 4148	4464	{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe	105
PID 3108 wrote to memory of 1380	3108	{6903E033-F844-4b75-B2F2-459306616DB4}.exe	106
PID 3108 wrote to memory of 1380	3108	{6903E033-F844-4b75-B2F2-459306616DB4}.exe	106
PID 3108 wrote to memory of 1380	3108	{6903E033-F844-4b75-B2F2-459306616DB4}.exe	106
PID 3108 wrote to memory of 4612	3108	{6903E033-F844-4b75-B2F2-459306616DB4}.exe	107
PID 3108 wrote to memory of 4612	3108	{6903E033-F844-4b75-B2F2-459306616DB4}.exe	107
PID 3108 wrote to memory of 4612	3108	{6903E033-F844-4b75-B2F2-459306616DB4}.exe	107
PID 1380 wrote to memory of 1524	1380	{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe	108
PID 1380 wrote to memory of 1524	1380	{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe	108
PID 1380 wrote to memory of 1524	1380	{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe	108
PID 1380 wrote to memory of 3592	1380	{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe	109
PID 1380 wrote to memory of 3592	1380	{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe	109
PID 1380 wrote to memory of 3592	1380	{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe	109
PID 1524 wrote to memory of 4308	1524	{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe	110
PID 1524 wrote to memory of 4308	1524	{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe	110
PID 1524 wrote to memory of 4308	1524	{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe	110
PID 1524 wrote to memory of 2552	1524	{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe	111
PID 1524 wrote to memory of 2552	1524	{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe	111
PID 1524 wrote to memory of 2552	1524	{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe	111
PID 4308 wrote to memory of 2792	4308	{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe	112
PID 4308 wrote to memory of 2792	4308	{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe	112
PID 4308 wrote to memory of 2792	4308	{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe	112
PID 4308 wrote to memory of 516	4308	{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe	113
PID 4308 wrote to memory of 516	4308	{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe	113
PID 4308 wrote to memory of 516	4308	{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe	113
PID 2792 wrote to memory of 4576	2792	{2B92DE67-800C-487e-A098-97F41E71CA99}.exe	114
PID 2792 wrote to memory of 4576	2792	{2B92DE67-800C-487e-A098-97F41E71CA99}.exe	114
PID 2792 wrote to memory of 4576	2792	{2B92DE67-800C-487e-A098-97F41E71CA99}.exe	114
PID 2792 wrote to memory of 1456	2792	{2B92DE67-800C-487e-A098-97F41E71CA99}.exe	115
PID 2792 wrote to memory of 1456	2792	{2B92DE67-800C-487e-A098-97F41E71CA99}.exe	115
PID 2792 wrote to memory of 1456	2792	{2B92DE67-800C-487e-A098-97F41E71CA99}.exe	115
PID 4576 wrote to memory of 2248	4576	{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe	116
PID 4576 wrote to memory of 2248	4576	{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe	116
PID 4576 wrote to memory of 2248	4576	{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe	116
PID 4576 wrote to memory of 752	4576	{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe	117
PID 4576 wrote to memory of 752	4576	{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe	117
PID 4576 wrote to memory of 752	4576	{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe	117
PID 2248 wrote to memory of 2500	2248	{A8443858-0BE3-4739-8D08-709F2DA51855}.exe	118
PID 2248 wrote to memory of 2500	2248	{A8443858-0BE3-4739-8D08-709F2DA51855}.exe	118
PID 2248 wrote to memory of 2500	2248	{A8443858-0BE3-4739-8D08-709F2DA51855}.exe	118
PID 2248 wrote to memory of 4564	2248	{A8443858-0BE3-4739-8D08-709F2DA51855}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-08_d39922fed686c9ab0336e4289e8261ac_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_d39922fed686c9ab0336e4289e8261ac_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe
  C:\Windows\{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe
    C:\Windows\{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe
      C:\Windows\{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4464
    - - C:\Windows\{6903E033-F844-4b75-B2F2-459306616DB4}.exe
        
        C:\Windows\{6903E033-F844-4b75-B2F2-459306616DB4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3108
      - C:\Windows\{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe
        
        C:\Windows\{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe
        
        C:\Windows\{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe
        
        C:\Windows\{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\{2B92DE67-800C-487e-A098-97F41E71CA99}.exe
        
        C:\Windows\{2B92DE67-800C-487e-A098-97F41E71CA99}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe
        
        C:\Windows\{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\{A8443858-0BE3-4739-8D08-709F2DA51855}.exe
        
        C:\Windows\{A8443858-0BE3-4739-8D08-709F2DA51855}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{2BFD5286-FA26-43e7-852B-5BF2E295CAA6}.exe
        
        C:\Windows\{2BFD5286-FA26-43e7-852B-5BF2E295CAA6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\{A1E28AAC-D6A9-41c8-A744-22F2904DDCBC}.exe
        
        C:\Windows\{A1E28AAC-D6A9-41c8-A744-22F2904DDCBC}.exe
        13⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BFD5~1.EXE > nul
        13⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8443~1.EXE > nul
        12⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60026~1.EXE > nul
        11⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B92D~1.EXE > nul
        10⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05CA6~1.EXE > nul
        9⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61D38~1.EXE > nul
        8⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E010~1.EXE > nul
        7⤵
        
        PID:3592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6903E~1.EXE > nul
        6⤵
        
        PID:4612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C38F~1.EXE > nul
        5⤵
        
        PID:4148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DCEB3~1.EXE > nul
      4⤵
      PID:3368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{41EE5~1.EXE > nul
    3⤵
    PID:3760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05CA62A4-C977-4efe-BFD5-E95BB419F6DA}.exe

Filesize
344KB

MD5
761db32df42b8aa707ed9e67b289d2f9

SHA1
4862cafacd2a8fdb9091407cff41c7411accbd0b

SHA256
33443556891bbb90e89777fb135a0bbd1acb98c477584501a4136b2c215375b9

SHA512
c8d333edcc0bb899db12e0c275dd244f27d03790c4141bbafcb3e5dd793d2db3bbb547938923110d2e7db61324c4e8bc5fcf32afd739fe8efb2a0adaa5d73968

Download Submit
C:\Windows\{2B92DE67-800C-487e-A098-97F41E71CA99}.exe

Filesize
344KB

MD5
75f1a7ac5f5067ee6da4955e21be9671

SHA1
36df95abf6fc86b8eb99f4f1006de5f2c239c24f

SHA256
dada96da534f141fcf3e99cab87b81af75827c92045244fe84e0b4a9615e0837

SHA512
bd3eb217cc3fd04dbd5e4c30c8bd57185b299d06f79706f9518e49462f08fa67473512ec8e5e212c1037917d0318fb1d2c54e81dde06139fc476803134f1aeb6

Download Submit
C:\Windows\{2BFD5286-FA26-43e7-852B-5BF2E295CAA6}.exe

Filesize
344KB

MD5
a662595ba7b87bf47e3e7cc2ce31051c

SHA1
3bfb10c0e88e62d738052f11b7ff9569d49e7043

SHA256
1cd6fdf698fd213662a02f535e0b480674263be348a4ecd4de5d70dad08fa515

SHA512
5782cc9f7fc67eba8afccd9437f4be7e6eecba182f8688bfa7b80e90c4a0d7f2422bd11292570cc64d7ecf0e7bf2ea60a60e20eaa09a08b37d02ac53a246ea8a

Download Submit
C:\Windows\{41EE56D4-C8D7-4eac-8CDD-1232C49B25F0}.exe

Filesize
344KB

MD5
2e8befce2303cdb5008b34a451b0a03b

SHA1
f8874942ea0cbf945192e171ccdc96bac4f16f07

SHA256
775d5c1d7efd8cdd57af57f8d2dd6733e3566f6692744f4dc46dee71307dc3be

SHA512
962342085d2bbcf65b777cc75d9ef7facbc720872c6da42b643f44479b0c776b661511af7df886123b51dbeed20dfc9dcfff54f1d0ff0ce1ad6cc724ca71447f

Download Submit
C:\Windows\{6002661B-DDEB-4a58-93E1-74BCB5D099EB}.exe

Filesize
344KB

MD5
4862eded199790550a4d465d303b76d6

SHA1
fdf164af3c8144b9e5266f9196a8e3a9e2a9cee1

SHA256
5cc36941648f9ff6a8e4fc4135ffdc61a849e93ead4ef011def63b3cb1f84855

SHA512
f5091b3270b450d97b47b3f52d831479f4f97c4ee4060be268b2d71195c30806856bc663127156b750e636365631ace67d344790bdc3cfec472a9a430bb08da9

Download Submit
C:\Windows\{61D38874-3589-4bb2-9E5C-7E7708A2A0D9}.exe

Filesize
344KB

MD5
5baea8c4423fb6dba72de608bc8fa28e

SHA1
27973376921379e7f2fec62edf47bdf5dc93dc1a

SHA256
0fe30baf25008af68c5c507e2f56bc15cf62baac8f8866cfc4c50cdd58acd3ce

SHA512
8a454d09c48448cf3fbe53a6cfb2ca0d423817e70f808f8363cc9f8121715998b73241cf5dfdae0a41300e50898db6890aeca785812907f0b615d44e02d82115

Download Submit
C:\Windows\{6903E033-F844-4b75-B2F2-459306616DB4}.exe

Filesize
344KB

MD5
fc1c142b3d3bc8c4bf0deced292ef4e8

SHA1
a11fef5036fe537ef6d2ca7e3fcaf481f5137c15

SHA256
007cd55763f12df927f15f46d8ed52958341b859d7b95544bed0c4836295f2f7

SHA512
10529f12e1139983afc14e252599f3df56759cbca086867f4f0a6df8550e3a442606d4e9ac0bd6a3635ff1cd5645d71c07bb1867518373899a98d44cb32d1438

Download Submit
C:\Windows\{6C38FC93-D5CA-4530-85A0-39E288609E08}.exe

Filesize
344KB

MD5
c972609502082f65df11c4e2d61906a8

SHA1
2b3fbaa841685909bf3975574bd669c2a2bea781

SHA256
fd3dac4ed83ac9272fd8751f514a5d57d4b86225938eaab902de6dbbde818963

SHA512
1e69e4ced1c2d7d1f1f1b5113747d20694ca2f654ae049c561ec4edc9adbed16f0f1898065d72389f134bebdc5b775eca201655913669fee7d9ec0b6bdbf75e5

Download Submit
C:\Windows\{8E0105A1-CFF4-4ba1-AEA4-DFA8ADE00CC2}.exe

Filesize
344KB

MD5
23b57cce02934fe2d235ce104a9e95b7

SHA1
5dc60d6b8ffba1f6cac4b689dff4c08fec38b16b

SHA256
410ba34548c8c7c30270f0161a2dd3a11f825e7d4766388b78f71dd94d09b89d

SHA512
0f2f82be53af32648fb6fb54bfd392015fa7c65648098ca7b52d233c538f219bf2dc40a5b5aa4b990470f05a102516cf0ef3d4e1aa566165cd556466929ef481

Download Submit
C:\Windows\{A1E28AAC-D6A9-41c8-A744-22F2904DDCBC}.exe

Filesize
344KB

MD5
0509428931c24433c3dbf6b340153d61

SHA1
12fc018e207cf4227945ca687eeffb604c743948

SHA256
1b65a9b4b807b8b44a646cb9d6bc0d97e2ddb6788110db74448219b8c9c38d0f

SHA512
7f9b2f119ecbc6c7633a62e31f027239f3363a09b9e1c0b855dd059633df4093f4d52c9eb48f559da943558bf31d8f3320042b77ab5337253e3000df06eebb3d

Download Submit
C:\Windows\{A8443858-0BE3-4739-8D08-709F2DA51855}.exe

Filesize
344KB

MD5
a944b5256808f84d5be90046fde4004f

SHA1
c2d8ef53c179318d782b13ae6ee5c9bc7d1bf268

SHA256
b727cf7ea7fac149cf66696408c29bffd037c34f3df077c76bd19e55b4304e3e

SHA512
ccb481da78c03571c8c3dd80fba4a630e360d2e0460f5d03937e4f5346679e154a7098cfe22bfc4b61a55a449f7846e0f53d364a9e78d938b645a10db48132f1

Download Submit
C:\Windows\{DCEB3CEE-0052-4282-BD6E-8AF81C0E6090}.exe

Filesize
344KB

MD5
418b8ebba6fca69617e2717a37cd7304

SHA1
a24e9dd57e0ecfec1f43cfd51a0c973054f03e52

SHA256
fa3c7f302c5b00d93e61947c921d014098c49120dbe3220cc1e8b6d7bec73104

SHA512
28f124bb0f17750890bd2748af44c0463dd827b8a35fc846d28237918e830cd048b6a915d840f64c068d632b5af881b0b851f3eeae21e08fd29d95f7f52e6469

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads