2be2af95d009ff1a3f02f970b0a61f4d366fcfc7d16e294461b5308b406874e3

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe
Size

216KB
MD5

330dd73facdc2b18c38725b1ae19561c
SHA1

b877298cf2d39e029a05723b512373e0d44b2c8d
SHA256

2be2af95d009ff1a3f02f970b0a61f4d366fcfc7d16e294461b5308b406874e3
SHA512

3e6cfca8f064c41612be91045a53ddd542103fe5087aa9e396996fbbdc95df754cbcca6df4cf07d6760acaea8a37d528697a40225804eabf4b3d97657083cf53
SSDEEP

3072:jEGh0oCl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGQlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0011000000023231-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023223-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023238-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023223-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d05-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d06-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d05-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072d-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}\stubpath = "C:\\Windows\\{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe"	{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}	{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDFDA58C-A7A6-4e47-B2A7-61F60412EAE1}\stubpath = "C:\\Windows\\{EDFDA58C-A7A6-4e47-B2A7-61F60412EAE1}.exe"	{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD5E63D4-8458-4671-A408-6CC5346AB348}	{EDFDA58C-A7A6-4e47-B2A7-61F60412EAE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}	{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78C08F6B-58EA-45c7-AAA9-0646EA04B427}\stubpath = "C:\\Windows\\{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe"	{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}\stubpath = "C:\\Windows\\{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe"	{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78C08F6B-58EA-45c7-AAA9-0646EA04B427}	{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD5E63D4-8458-4671-A408-6CC5346AB348}\stubpath = "C:\\Windows\\{AD5E63D4-8458-4671-A408-6CC5346AB348}.exe"	{EDFDA58C-A7A6-4e47-B2A7-61F60412EAE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CB95849-901B-4105-A6F0-CE1030D33F43}	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CB95849-901B-4105-A6F0-CE1030D33F43}\stubpath = "C:\\Windows\\{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe"	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76758718-B2F9-428d-AECA-36C8F7F0CD13}\stubpath = "C:\\Windows\\{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe"	{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}\stubpath = "C:\\Windows\\{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}.exe"	{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99826A89-A9B7-47c1-B962-33029E98CE38}	{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}	{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62DFC3F-2383-433e-971D-60EE7D5B89EE}	{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62DFC3F-2383-433e-971D-60EE7D5B89EE}\stubpath = "C:\\Windows\\{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe"	{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99826A89-A9B7-47c1-B962-33029E98CE38}\stubpath = "C:\\Windows\\{99826A89-A9B7-47c1-B962-33029E98CE38}.exe"	{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}	{99826A89-A9B7-47c1-B962-33029E98CE38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}\stubpath = "C:\\Windows\\{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe"	{99826A89-A9B7-47c1-B962-33029E98CE38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76758718-B2F9-428d-AECA-36C8F7F0CD13}	{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}	{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}\stubpath = "C:\\Windows\\{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe"	{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDFDA58C-A7A6-4e47-B2A7-61F60412EAE1}	{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}.exe

Executes dropped EXE 12 IoCs

pid	Process
3520	{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe
4472	{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe
4496	{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe
1824	{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe
4604	{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe
2024	{99826A89-A9B7-47c1-B962-33029E98CE38}.exe
368	{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe
4664	{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe
2160	{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe
1276	{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}.exe
5052	{EDFDA58C-A7A6-4e47-B2A7-61F60412EAE1}.exe
2292	{AD5E63D4-8458-4671-A408-6CC5346AB348}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe	{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe
File created	C:\Windows\{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe	{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe
File created	C:\Windows\{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe	{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe
File created	C:\Windows\{99826A89-A9B7-47c1-B962-33029E98CE38}.exe	{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe
File created	C:\Windows\{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe	{99826A89-A9B7-47c1-B962-33029E98CE38}.exe
File created	C:\Windows\{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}.exe	{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe
File created	C:\Windows\{EDFDA58C-A7A6-4e47-B2A7-61F60412EAE1}.exe	{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}.exe
File created	C:\Windows\{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe
File created	C:\Windows\{AD5E63D4-8458-4671-A408-6CC5346AB348}.exe	{EDFDA58C-A7A6-4e47-B2A7-61F60412EAE1}.exe
File created	C:\Windows\{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe	{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe
File created	C:\Windows\{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe	{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe
File created	C:\Windows\{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe	{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1800	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3520	{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe
Token: SeIncBasePriorityPrivilege	4472	{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe
Token: SeIncBasePriorityPrivilege	4496	{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe
Token: SeIncBasePriorityPrivilege	1824	{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe
Token: SeIncBasePriorityPrivilege	4604	{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe
Token: SeIncBasePriorityPrivilege	2024	{99826A89-A9B7-47c1-B962-33029E98CE38}.exe
Token: SeIncBasePriorityPrivilege	368	{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe
Token: SeIncBasePriorityPrivilege	4664	{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe
Token: SeIncBasePriorityPrivilege	2160	{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe
Token: SeIncBasePriorityPrivilege	1276	{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}.exe
Token: SeIncBasePriorityPrivilege	5052	{EDFDA58C-A7A6-4e47-B2A7-61F60412EAE1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 3520	1800	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe	96
PID 1800 wrote to memory of 3520	1800	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe	96
PID 1800 wrote to memory of 3520	1800	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe	96
PID 1800 wrote to memory of 2936	1800	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe	97
PID 1800 wrote to memory of 2936	1800	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe	97
PID 1800 wrote to memory of 2936	1800	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe	97
PID 3520 wrote to memory of 4472	3520	{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe	98
PID 3520 wrote to memory of 4472	3520	{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe	98
PID 3520 wrote to memory of 4472	3520	{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe	98
PID 3520 wrote to memory of 2292	3520	{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe	99
PID 3520 wrote to memory of 2292	3520	{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe	99
PID 3520 wrote to memory of 2292	3520	{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe	99
PID 4472 wrote to memory of 4496	4472	{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe	101
PID 4472 wrote to memory of 4496	4472	{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe	101
PID 4472 wrote to memory of 4496	4472	{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe	101
PID 4472 wrote to memory of 3528	4472	{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe	102
PID 4472 wrote to memory of 3528	4472	{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe	102
PID 4472 wrote to memory of 3528	4472	{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe	102
PID 4496 wrote to memory of 1824	4496	{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe	103
PID 4496 wrote to memory of 1824	4496	{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe	103
PID 4496 wrote to memory of 1824	4496	{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe	103
PID 4496 wrote to memory of 432	4496	{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe	104
PID 4496 wrote to memory of 432	4496	{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe	104
PID 4496 wrote to memory of 432	4496	{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe	104
PID 1824 wrote to memory of 4604	1824	{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe	105
PID 1824 wrote to memory of 4604	1824	{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe	105
PID 1824 wrote to memory of 4604	1824	{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe	105
PID 1824 wrote to memory of 2408	1824	{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe	106
PID 1824 wrote to memory of 2408	1824	{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe	106
PID 1824 wrote to memory of 2408	1824	{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe	106
PID 4604 wrote to memory of 2024	4604	{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe	107
PID 4604 wrote to memory of 2024	4604	{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe	107
PID 4604 wrote to memory of 2024	4604	{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe	107
PID 4604 wrote to memory of 3252	4604	{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe	108
PID 4604 wrote to memory of 3252	4604	{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe	108
PID 4604 wrote to memory of 3252	4604	{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe	108
PID 2024 wrote to memory of 368	2024	{99826A89-A9B7-47c1-B962-33029E98CE38}.exe	109
PID 2024 wrote to memory of 368	2024	{99826A89-A9B7-47c1-B962-33029E98CE38}.exe	109
PID 2024 wrote to memory of 368	2024	{99826A89-A9B7-47c1-B962-33029E98CE38}.exe	109
PID 2024 wrote to memory of 2432	2024	{99826A89-A9B7-47c1-B962-33029E98CE38}.exe	110
PID 2024 wrote to memory of 2432	2024	{99826A89-A9B7-47c1-B962-33029E98CE38}.exe	110
PID 2024 wrote to memory of 2432	2024	{99826A89-A9B7-47c1-B962-33029E98CE38}.exe	110
PID 368 wrote to memory of 4664	368	{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe	111
PID 368 wrote to memory of 4664	368	{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe	111
PID 368 wrote to memory of 4664	368	{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe	111
PID 368 wrote to memory of 4440	368	{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe	112
PID 368 wrote to memory of 4440	368	{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe	112
PID 368 wrote to memory of 4440	368	{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe	112
PID 4664 wrote to memory of 2160	4664	{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe	113
PID 4664 wrote to memory of 2160	4664	{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe	113
PID 4664 wrote to memory of 2160	4664	{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe	113
PID 4664 wrote to memory of 4044	4664	{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe	114
PID 4664 wrote to memory of 4044	4664	{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe	114
PID 4664 wrote to memory of 4044	4664	{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe	114
PID 2160 wrote to memory of 1276	2160	{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe	115
PID 2160 wrote to memory of 1276	2160	{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe	115
PID 2160 wrote to memory of 1276	2160	{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe	115
PID 2160 wrote to memory of 3000	2160	{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe	116
PID 2160 wrote to memory of 3000	2160	{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe	116
PID 2160 wrote to memory of 3000	2160	{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe	116
PID 1276 wrote to memory of 5052	1276	{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}.exe	117
PID 1276 wrote to memory of 5052	1276	{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}.exe	117
PID 1276 wrote to memory of 5052	1276	{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}.exe	117
PID 1276 wrote to memory of 996	1276	{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe
  C:\Windows\{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe
    C:\Windows\{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe
      C:\Windows\{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Windows\{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe
        
        C:\Windows\{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe
        
        C:\Windows\{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\{99826A89-A9B7-47c1-B962-33029E98CE38}.exe
        
        C:\Windows\{99826A89-A9B7-47c1-B962-33029E98CE38}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe
        
        C:\Windows\{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe
        
        C:\Windows\{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe
        
        C:\Windows\{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}.exe
        
        C:\Windows\{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\{EDFDA58C-A7A6-4e47-B2A7-61F60412EAE1}.exe
        
        C:\Windows\{EDFDA58C-A7A6-4e47-B2A7-61F60412EAE1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Windows\{AD5E63D4-8458-4671-A408-6CC5346AB348}.exe
        
        C:\Windows\{AD5E63D4-8458-4671-A408-6CC5346AB348}.exe
        13⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDFDA~1.EXE > nul
        13⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97A3B~1.EXE > nul
        12⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76758~1.EXE > nul
        11⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64AD9~1.EXE > nul
        10⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14C16~1.EXE > nul
        9⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99826~1.EXE > nul
        8⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78C08~1.EXE > nul
        7⤵
        
        PID:3252
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DEF8~1.EXE > nul
        6⤵
        
        PID:2408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B62DF~1.EXE > nul
        5⤵
        
        PID:432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CD10C~1.EXE > nul
      4⤵
      PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0CB95~1.EXE > nul
    3⤵
    PID:2292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CB95849-901B-4105-A6F0-CE1030D33F43}.exe

Filesize
216KB

MD5
672e35bcd9ad12c94d317b1a0f314bfe

SHA1
87bd4ec8c81142a07bb89929cde40fb984e9a363

SHA256
3c01c79cee20afdfa6566b295ce9f4c48e21fbbd62f69fec668c903af0e74b67

SHA512
ba8c49071a2642a5a1f7841f59c93d21d02a3cda81897c59a95212dc0473e1db5becedd8b1905475f8694aafd541a964bd934c1106028279c70471752beb58a6

Download Submit
C:\Windows\{14C16C5B-A014-4ed9-A32D-F7CA51F22F7D}.exe

Filesize
216KB

MD5
6b35d6a210809aed29aea71dcaa337cc

SHA1
e1d8ad07d576a348687bde62c1ca606f4e545476

SHA256
f4f2a46985455c6da2023b21a67787c1a58da5c05f2ee40bfacfd25cbff4d7cb

SHA512
b58ac5dcbda807de88a36bd2025fe554d228d72783d1f5b28391e2654e67f2ead572e4306fc96790f5ddf9f0987de4880c9abbbdc294e548a4b8aa87efafcafb

Download Submit
C:\Windows\{64AD94E9-BFA7-4107-B8C4-EE46F61A0A04}.exe

Filesize
216KB

MD5
23ebe613e93d0690708926ddae5bc7da

SHA1
936ba03e28b631fef811b4f6b775bd0ce65914d2

SHA256
7b4a242ca2b0a745c9e5ff55fbf514cab21f451f8e4e125bcd9f98ff2c74b8a2

SHA512
0f263529e08f4004f95d9b345660063fcd06fcd2f331316b3171b8c77c644ea88161bbcdade504bdf245d4f1f7b620ff46e3d5759c1df58afc9c80901dbb7730

Download Submit
C:\Windows\{76758718-B2F9-428d-AECA-36C8F7F0CD13}.exe

Filesize
216KB

MD5
aa79394a2a32ad09a557b674f7f27ed0

SHA1
8d1f075923464e63134cce8bf151a3b99f13fe4c

SHA256
bd2aab2792c82bb0bf36605c040698cadc8bf15bcf4f63e2b9e1d636dfbd4fd5

SHA512
4e5185853fc78f3149870e110132c363a1fdcd17c4ccb2221eeb730bc40d6ef23850aabfeeca1ba74809bee4ec0aff96321c7a0fe78f7debea111a087b9bff0a

Download Submit
C:\Windows\{78C08F6B-58EA-45c7-AAA9-0646EA04B427}.exe

Filesize
216KB

MD5
3659540d45e8a2792e3d77f5bbbf4088

SHA1
646bb11496679f65c994ae226c70fbdffbdf9bad

SHA256
07cb0f7ab6a84dc28e212cdb0db5d3cb72c5d013f8910d936b0a60442a53c127

SHA512
e9a992d9445bc785fd221039e8f3cb3208c3682474ba051ca1c96dc1158471868d878cdee2484060c65469feef9047d79a0de20fbf8deb53f98f0fbd461efd86

Download Submit
C:\Windows\{7DEF891E-C36F-4dcd-895A-1CBA0DA36B5F}.exe

Filesize
216KB

MD5
d14d1a8544962d5d326e511d23d4ce27

SHA1
d55a12c407f00c51d33db3ae31bb7235214785db

SHA256
2ea28b4826f61d5ceca0db494c4bcfc1a4bdaa24ebbac20e622785769e380a64

SHA512
4e9c724c2be53b43db78bcb725dbc1dc441c931a638888614980ea7ea68718037ebeb00015ad4d63f6d65b7e502b5c1632c4fcc7a3001e20b5c533d4173cebac

Download Submit
C:\Windows\{97A3BF95-8C63-44e5-BF43-6A96EA7206AC}.exe

Filesize
216KB

MD5
9299c15ba0fbf3ddde897c4249f4ba61

SHA1
e097baa98eec40395d8adf93b6f9223e002197bb

SHA256
77e6839ddd03873ec168f2b1c48e60cbb791f11ac794ff037bebe9a2cbf85c22

SHA512
9ed1de2057e9f7655815b7f51dc3db892a61bfe4c0f1df4577ca41b5388c473188f90cf12126dec48e57411024b934b465836189517b2589d0ebb67a10bd2adc

Download Submit
C:\Windows\{99826A89-A9B7-47c1-B962-33029E98CE38}.exe

Filesize
216KB

MD5
0b8136041b91a0fa43fc52dc8bcd0348

SHA1
a389e96e5eeaacc83b36233bb00877ff36c00a13

SHA256
b56be9448b491b3e0d37702721fcc04b353f392baddf4cd4f2f39c18235b523c

SHA512
9af9eb5d27ec8bf25dd9a7c993243182f658da7d97972a73bd96e90cc41220442a9f593ae43d9b8ff7202ebb6bf052b79ade94664f78062e86a70e2545f0dd0f

Download Submit
C:\Windows\{AD5E63D4-8458-4671-A408-6CC5346AB348}.exe

Filesize
216KB

MD5
addf35a604e93398482183f76cef7fdc

SHA1
b5ba32529633b290a3c846c78e20a4147c30085a

SHA256
c6256a38a34b60fd9f05aee4bc9f9622208c48690c0a5176831a83c97a3a8f16

SHA512
05f6b98aa42f6b97a261f835c3b1e069ee6b5c57f6a3d1d0bd68678da43fc6afc4e22cee7d9603c4174103e81624931599084da965421f408287bc5a2503ed53

Download Submit
C:\Windows\{B62DFC3F-2383-433e-971D-60EE7D5B89EE}.exe

Filesize
216KB

MD5
909abddc169cdc233f07cc18b22bc764

SHA1
2bc17ea6d8781d32cd3b2ee8b2a7c8a61efe976b

SHA256
b68b4e5c773e3431f56266be0b058848d0c7ac6ff8b1965ff7cade42ae5a5df1

SHA512
7a17a07bf1f5c6237d4aa9198ff6f3c8cf40bcbeb3bdfcecf7b33079e51c9cb56427d9ad2dc143d971a2cebde6bb0f2b537807d2be1f0c219ee4561315379b6d

Download Submit
C:\Windows\{CD10CCCF-DB6D-4baa-95A7-1C86A7F0D72A}.exe

Filesize
216KB

MD5
f86cdb1c7160228dd27c5fb32c70d4c9

SHA1
9bbe565c9df7140fce1c4f5c4f475e655595067e

SHA256
4944b5ec31ed5362c54072004fd76e195908101b22d7b5b8849fc78a7e47525b

SHA512
aaf5d1bb5ce3eab3241fe500ad1974a52310274e46d65bcf03ec84fc7b9dd994fb61a460138636c5557d597bf00bbc4e74ec326d9b0dffaf9a2e09f5dd16e334

Download Submit
C:\Windows\{EDFDA58C-A7A6-4e47-B2A7-61F60412EAE1}.exe

Filesize
216KB

MD5
b497e4b188bbb27b92c159360b612045

SHA1
ec687abbf51ecfa2881b567d81c991d55a232dd4

SHA256
21247b03d0c47bbbc2e35ef24abce7b4c9f25b390e600d75027ab650ecd9c083

SHA512
33915b981eacf6c96d94b25274ec4abb41297cd86fef62952e928a74cc2b11e169e4fa43c9b9a28b5d064ee5028479486a2fc564c26a3d2a306347570f43e2e7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads