2b70a642935dd9406b98eed88e2c6980c77f04f1b3970720063a2c9a0cf79eb1

Analysis

max time kernel
149s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_c5cee786190774f65ee888df377a9315_goldeneye.exe
Size

380KB
MD5

c5cee786190774f65ee888df377a9315
SHA1

a064003948c357d8013131f422203e99c58d956d
SHA256

2b70a642935dd9406b98eed88e2c6980c77f04f1b3970720063a2c9a0cf79eb1
SHA512

22d5af3d468adffe89216d00111622ec226dbcdf720905fda88dae2985f10b1249c5cfdcb014d2a47f4b950204452ce3fe72e65934b2f388b96772218fac33ac
SSDEEP

3072:mEGh0oKlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG8l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0011000000023227-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023219-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023219-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df7-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df8-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021df7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0223AF68-0D26-4dbb-B445-45F9C9A85449}\stubpath = "C:\\Windows\\{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe"	{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}\stubpath = "C:\\Windows\\{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe"	{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F693F87-FA62-4601-95A8-03BF2D08A5D8}\stubpath = "C:\\Windows\\{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe"	{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5032CB21-A02A-4c56-9EFF-628CF044B7C0}	{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53DDDF3E-47CC-448e-9194-30EB9149823D}\stubpath = "C:\\Windows\\{53DDDF3E-47CC-448e-9194-30EB9149823D}.exe"	{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D26827AB-E3EF-4b7e-B38A-583C399DC231}\stubpath = "C:\\Windows\\{D26827AB-E3EF-4b7e-B38A-583C399DC231}.exe"	{8D870799-7385-4bef-942C-A0FC5B4B3BD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D26827AB-E3EF-4b7e-B38A-583C399DC231}	{8D870799-7385-4bef-942C-A0FC5B4B3BD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}	{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}\stubpath = "C:\\Windows\\{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe"	{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}	{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}\stubpath = "C:\\Windows\\{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe"	{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BFCAC8B-1AE8-4202-9913-95C202FE6708}	{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53DDDF3E-47CC-448e-9194-30EB9149823D}	{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D870799-7385-4bef-942C-A0FC5B4B3BD7}\stubpath = "C:\\Windows\\{8D870799-7385-4bef-942C-A0FC5B4B3BD7}.exe"	{53DDDF3E-47CC-448e-9194-30EB9149823D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{855F0062-5D7B-4c6b-AE0A-102B8660A434}	2024-04-08_c5cee786190774f65ee888df377a9315_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{855F0062-5D7B-4c6b-AE0A-102B8660A434}\stubpath = "C:\\Windows\\{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe"	2024-04-08_c5cee786190774f65ee888df377a9315_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}	{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}\stubpath = "C:\\Windows\\{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe"	{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BFCAC8B-1AE8-4202-9913-95C202FE6708}\stubpath = "C:\\Windows\\{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe"	{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0223AF68-0D26-4dbb-B445-45F9C9A85449}	{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}	{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F693F87-FA62-4601-95A8-03BF2D08A5D8}	{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5032CB21-A02A-4c56-9EFF-628CF044B7C0}\stubpath = "C:\\Windows\\{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe"	{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D870799-7385-4bef-942C-A0FC5B4B3BD7}	{53DDDF3E-47CC-448e-9194-30EB9149823D}.exe

Executes dropped EXE 12 IoCs

pid	Process
4780	{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe
4688	{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe
3468	{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe
4964	{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe
2916	{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe
2516	{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe
3080	{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe
2660	{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe
3236	{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe
4884	{53DDDF3E-47CC-448e-9194-30EB9149823D}.exe
968	{8D870799-7385-4bef-942C-A0FC5B4B3BD7}.exe
3784	{D26827AB-E3EF-4b7e-B38A-583C399DC231}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe	{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe
File created	C:\Windows\{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe	{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe
File created	C:\Windows\{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe	{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe
File created	C:\Windows\{8D870799-7385-4bef-942C-A0FC5B4B3BD7}.exe	{53DDDF3E-47CC-448e-9194-30EB9149823D}.exe
File created	C:\Windows\{D26827AB-E3EF-4b7e-B38A-583C399DC231}.exe	{8D870799-7385-4bef-942C-A0FC5B4B3BD7}.exe
File created	C:\Windows\{53DDDF3E-47CC-448e-9194-30EB9149823D}.exe	{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe
File created	C:\Windows\{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe	2024-04-08_c5cee786190774f65ee888df377a9315_goldeneye.exe
File created	C:\Windows\{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe	{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe
File created	C:\Windows\{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe	{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe
File created	C:\Windows\{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe	{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe
File created	C:\Windows\{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe	{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe
File created	C:\Windows\{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe	{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4836	2024-04-08_c5cee786190774f65ee888df377a9315_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4780	{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe
Token: SeIncBasePriorityPrivilege	4688	{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe
Token: SeIncBasePriorityPrivilege	3468	{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe
Token: SeIncBasePriorityPrivilege	4964	{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe
Token: SeIncBasePriorityPrivilege	2916	{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe
Token: SeIncBasePriorityPrivilege	2516	{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe
Token: SeIncBasePriorityPrivilege	3080	{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe
Token: SeIncBasePriorityPrivilege	2660	{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe
Token: SeIncBasePriorityPrivilege	3236	{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe
Token: SeIncBasePriorityPrivilege	4884	{53DDDF3E-47CC-448e-9194-30EB9149823D}.exe
Token: SeIncBasePriorityPrivilege	968	{8D870799-7385-4bef-942C-A0FC5B4B3BD7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4780	4836	2024-04-08_c5cee786190774f65ee888df377a9315_goldeneye.exe	95
PID 4836 wrote to memory of 4780	4836	2024-04-08_c5cee786190774f65ee888df377a9315_goldeneye.exe	95
PID 4836 wrote to memory of 4780	4836	2024-04-08_c5cee786190774f65ee888df377a9315_goldeneye.exe	95
PID 4836 wrote to memory of 1168	4836	2024-04-08_c5cee786190774f65ee888df377a9315_goldeneye.exe	96
PID 4836 wrote to memory of 1168	4836	2024-04-08_c5cee786190774f65ee888df377a9315_goldeneye.exe	96
PID 4836 wrote to memory of 1168	4836	2024-04-08_c5cee786190774f65ee888df377a9315_goldeneye.exe	96
PID 4780 wrote to memory of 4688	4780	{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe	97
PID 4780 wrote to memory of 4688	4780	{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe	97
PID 4780 wrote to memory of 4688	4780	{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe	97
PID 4780 wrote to memory of 2980	4780	{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe	98
PID 4780 wrote to memory of 2980	4780	{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe	98
PID 4780 wrote to memory of 2980	4780	{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe	98
PID 4688 wrote to memory of 3468	4688	{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe	100
PID 4688 wrote to memory of 3468	4688	{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe	100
PID 4688 wrote to memory of 3468	4688	{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe	100
PID 4688 wrote to memory of 2480	4688	{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe	101
PID 4688 wrote to memory of 2480	4688	{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe	101
PID 4688 wrote to memory of 2480	4688	{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe	101
PID 3468 wrote to memory of 4964	3468	{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe	102
PID 3468 wrote to memory of 4964	3468	{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe	102
PID 3468 wrote to memory of 4964	3468	{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe	102
PID 3468 wrote to memory of 2384	3468	{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe	103
PID 3468 wrote to memory of 2384	3468	{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe	103
PID 3468 wrote to memory of 2384	3468	{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe	103
PID 4964 wrote to memory of 2916	4964	{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe	104
PID 4964 wrote to memory of 2916	4964	{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe	104
PID 4964 wrote to memory of 2916	4964	{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe	104
PID 4964 wrote to memory of 456	4964	{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe	105
PID 4964 wrote to memory of 456	4964	{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe	105
PID 4964 wrote to memory of 456	4964	{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe	105
PID 2916 wrote to memory of 2516	2916	{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe	106
PID 2916 wrote to memory of 2516	2916	{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe	106
PID 2916 wrote to memory of 2516	2916	{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe	106
PID 2916 wrote to memory of 4284	2916	{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe	107
PID 2916 wrote to memory of 4284	2916	{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe	107
PID 2916 wrote to memory of 4284	2916	{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe	107
PID 2516 wrote to memory of 3080	2516	{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe	108
PID 2516 wrote to memory of 3080	2516	{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe	108
PID 2516 wrote to memory of 3080	2516	{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe	108
PID 2516 wrote to memory of 2744	2516	{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe	109
PID 2516 wrote to memory of 2744	2516	{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe	109
PID 2516 wrote to memory of 2744	2516	{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe	109
PID 3080 wrote to memory of 2660	3080	{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe	110
PID 3080 wrote to memory of 2660	3080	{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe	110
PID 3080 wrote to memory of 2660	3080	{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe	110
PID 3080 wrote to memory of 1496	3080	{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe	111
PID 3080 wrote to memory of 1496	3080	{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe	111
PID 3080 wrote to memory of 1496	3080	{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe	111
PID 2660 wrote to memory of 3236	2660	{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe	112
PID 2660 wrote to memory of 3236	2660	{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe	112
PID 2660 wrote to memory of 3236	2660	{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe	112
PID 2660 wrote to memory of 1652	2660	{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe	113
PID 2660 wrote to memory of 1652	2660	{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe	113
PID 2660 wrote to memory of 1652	2660	{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe	113
PID 3236 wrote to memory of 4884	3236	{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe	114
PID 3236 wrote to memory of 4884	3236	{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe	114
PID 3236 wrote to memory of 4884	3236	{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe	114
PID 3236 wrote to memory of 4616	3236	{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe	115
PID 3236 wrote to memory of 4616	3236	{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe	115
PID 3236 wrote to memory of 4616	3236	{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe	115
PID 4884 wrote to memory of 968	4884	{53DDDF3E-47CC-448e-9194-30EB9149823D}.exe	116
PID 4884 wrote to memory of 968	4884	{53DDDF3E-47CC-448e-9194-30EB9149823D}.exe	116
PID 4884 wrote to memory of 968	4884	{53DDDF3E-47CC-448e-9194-30EB9149823D}.exe	116
PID 4884 wrote to memory of 4324	4884	{53DDDF3E-47CC-448e-9194-30EB9149823D}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-08_c5cee786190774f65ee888df377a9315_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_c5cee786190774f65ee888df377a9315_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe
  C:\Windows\{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe
    C:\Windows\{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe
      C:\Windows\{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe
        
        C:\Windows\{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
      - C:\Windows\{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe
        
        C:\Windows\{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe
        
        C:\Windows\{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe
        
        C:\Windows\{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe
        
        C:\Windows\{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe
        
        C:\Windows\{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\{53DDDF3E-47CC-448e-9194-30EB9149823D}.exe
        
        C:\Windows\{53DDDF3E-47CC-448e-9194-30EB9149823D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\{8D870799-7385-4bef-942C-A0FC5B4B3BD7}.exe
        
        C:\Windows\{8D870799-7385-4bef-942C-A0FC5B4B3BD7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
        
        C:\Windows\{D26827AB-E3EF-4b7e-B38A-583C399DC231}.exe
        
        C:\Windows\{D26827AB-E3EF-4b7e-B38A-583C399DC231}.exe
        13⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D870~1.EXE > nul
        13⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53DDD~1.EXE > nul
        12⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BFCA~1.EXE > nul
        11⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24130~1.EXE > nul
        10⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C12C~1.EXE > nul
        9⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5032C~1.EXE > nul
        8⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2EF8~1.EXE > nul
        7⤵
        
        PID:4284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F693~1.EXE > nul
        6⤵
        
        PID:456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDE5F~1.EXE > nul
        5⤵
        
        PID:2384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0223A~1.EXE > nul
      4⤵
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{855F0~1.EXE > nul
    3⤵
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0223AF68-0D26-4dbb-B445-45F9C9A85449}.exe

Filesize
380KB

MD5
2b67c7c3c71b9bc93b6794a980d5e8e4

SHA1
593a6b084e8d26cc99a8dc676eb11eebb46325d0

SHA256
ac7ba73efbcf49e6621cccc9157b5bb29b5d313c89b4eb9941f8170484b31efa

SHA512
39953595b941a580134e015c49aa86ead34be65deb97cfdbe4c15742cd3a5c39945fe7daf69cc8e0223d610ec4ba0f8860f989058c466c41b816478b417b6d73

Download Submit
C:\Windows\{1BFCAC8B-1AE8-4202-9913-95C202FE6708}.exe

Filesize
380KB

MD5
7ef0f99d1d5488fab6caace0c57b8e61

SHA1
44d5cb128ff5e353050bc858548db0202d27b30c

SHA256
2f1d4edf26a80ea2b02ae4486291f93657922331d8b70899a48e8abdf3727f97

SHA512
1458d6f4bd88ec30aca7e342467dbc34b5d5de9de96cbf8bc4bdb45c649114e870856668602f098c3b03d4dc5fb6ee9781f221867b229a6ea8e202683a86eba5

Download Submit
C:\Windows\{24130BBE-4BC2-4e10-92D5-2CE61B0A8E4F}.exe

Filesize
380KB

MD5
e638cbf2ed9c86d4e674f6d5c1524dee

SHA1
2c5036c10c346aa5d91e3debf53202ef7958f506

SHA256
72ae1c077f7e490b0d66dad80f6422afed6a3b896fa2e78d6f921f342532300a

SHA512
da0d96a4d87c1ebb0ecbf2d447386c0dcfdcb02067bb94b18680a9fcfaa129b873602befa34a5499891f17ca5c584019310c5b0570c4789fc8961a1578bcae25

Download Submit
C:\Windows\{5032CB21-A02A-4c56-9EFF-628CF044B7C0}.exe

Filesize
380KB

MD5
e4d65c58436e2c8a7a1b23c380bb6a59

SHA1
3570a95b32d1ae0af4601ce86645c53b2ff03085

SHA256
7c2610923ac20cf65692c8bcca296ec0906e1da81d13520202dc434c871141f8

SHA512
5a1ce3aa10f3dba0f2a5a72c3b0753088a915ae537c4b8c490f6b7b9b1422965557ea3900df3eb9412386a01382a93f31a129534797d93a8d034eb9fe5087924

Download Submit
C:\Windows\{53DDDF3E-47CC-448e-9194-30EB9149823D}.exe

Filesize
380KB

MD5
be176d65efb1027cdbe14fec780567e2

SHA1
9fce19eb0414cc36b8ecbfda99132e001417d895

SHA256
0f99b93a23f9cd0d4a1aef1a4e86f54f50634a4863b74704863c8f721b4bcc56

SHA512
412523f3e9b881094794d4a4a3dca4db3646b92b71d6c53ff3dc2b161d3006a24d974716abea71e71f3f5a18cdac933e9aec7b542d7537839f7270772b7e1c14

Download Submit
C:\Windows\{7C12C89E-CB73-4f8e-9A91-ABC0AD9B9675}.exe

Filesize
380KB

MD5
b39474769d859d4a149bc3cb8b855be8

SHA1
c85ed37ee09783597993b973c0934cba1318106a

SHA256
31cb214c8d8a5d5375cc067137a4cecb3e5d8bbe6c058b17730bc7a069c3823d

SHA512
159c596fe2e63fb48ebf4e0d7aefba705a708c83d1dff61c50e999614610c23d177771a61c5106b4c98cdbedf65fb94124bd2ea360b0fcc07a66bfffe7eafca6

Download Submit
C:\Windows\{7F693F87-FA62-4601-95A8-03BF2D08A5D8}.exe

Filesize
380KB

MD5
d4f9d2a4923c5e8ca002618ea73bff21

SHA1
37ebd61ba12ae067b67b0b4bbb50c1590bf2ad34

SHA256
ba150ff3b23ccea20a7dcadf143504941d695251f962b480f6b49588386a9520

SHA512
8f3c223f4776efb49f0d600341a28dd49444c6a5fad1f9b9db9ca37cd0e1436c4fb28403e2066f81b77f370e17417f47869443935dd3991ab28919bb1cdbd713

Download Submit
C:\Windows\{855F0062-5D7B-4c6b-AE0A-102B8660A434}.exe

Filesize
380KB

MD5
5a603fe0abb193d5f8dbfae4dac635bd

SHA1
bb70f47b2ac4562034a1048a74d3ab34dffecd63

SHA256
bce3dc72b3d558a7ab93138e457794e9c47c4c8d087c7469a87904a5e0f27d7b

SHA512
ccc646fbc48c845048bca2ffb88de6978f0b2ed69f15857ef2bde5b271405c29caab83c4a57fc25061b6993835f76ecd935aeba9f80ad0d5ba1e70dca5f059c9

Download Submit
C:\Windows\{8D870799-7385-4bef-942C-A0FC5B4B3BD7}.exe

Filesize
380KB

MD5
7f8e0d3eccef12425defeb4005eb8ed8

SHA1
4adc5c05b2b5b4a3f837276337c3a046b7d13d87

SHA256
453796cc1438e607b06d609ddc1ca83337091fdcb60fe0578e24637bef81d4d5

SHA512
9e7a141913f9cf6b19dccdd64cd3e7ff7175037c5d06d34467ef771fa2f814a1848014a49a0958b867608f610be7121702829b39c57b341c2e531a08a943aaeb

Download Submit
C:\Windows\{A2EF8CCB-6CC2-4f4b-B73E-F33369C8D2E7}.exe

Filesize
380KB

MD5
ea943c906581cafd849f7a7bf3da2a07

SHA1
1846f36c673106286cb7f2178b0f75f64040efe9

SHA256
894dbdc84aedbc9055b2026522d32c0a0d1c5e76e789852e488173e56072a797

SHA512
22b87edaed0d484674bc0c494d2dca85a4a39a488004602d78eb0c7eb4a716b76eb6336740aed1e5b59f0334c6b74607b3c16d3368a432d4c9bfc7c27908544a

Download Submit
C:\Windows\{BDE5F9AF-C66A-4eff-8374-85B6C4EAB68D}.exe

Filesize
380KB

MD5
957d3f92d79b42071c503ec4525967e9

SHA1
d648e8a981590dc4d11428c2af7c56bae36d50f0

SHA256
b7a69a4ddfcea75d8a410e84badc89457736f9bea5736e3590b0d59a494510b6

SHA512
f42c7866714f3b3fcb8f96203ebf7adc9789be518d56b5594f2705f2b81421a84c94d0a049f580b8b501abbf084e7879191bad8b03b44a97e3d4574d53394528

Download Submit
C:\Windows\{D26827AB-E3EF-4b7e-B38A-583C399DC231}.exe

Filesize
380KB

MD5
22d4f1f0365b93e173c3b7fc9298e7ca

SHA1
5eb0ec9e76ca0687169484e42f0bb53503cd8b1a

SHA256
9eb1bbba9850609ef3219a963032c0b7c63526971db6d1bd90646a603d5d84c6

SHA512
37dd37140aeb428fe4a005740e6e1e70471ba7e2d68c76b1633a93988e35f70950874ead5e945bb73227fd9805f6b41dbc7abbb71d394bf4830ee8e59f3356c2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads