32929b60e13a23f86b88b99c636d46be9104fc21becfddd5e990bfaa2f22e4f6

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe
Size

344KB
MD5

87aca315993ef818fd1113e829cbffc2
SHA1

5ba0239362967c16fdc9ae8d94e9a5b72950cad0
SHA256

32929b60e13a23f86b88b99c636d46be9104fc21becfddd5e990bfaa2f22e4f6
SHA512

cb6c9a5ea0cb0a086f26057645498eb7c37b94109bb15878bc483a68e55ee561c7064946b51e8e55f2b6bd261b2709e5aa64f94a47be27678aebe02ae124414f
SSDEEP

3072:mEGh0oklEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGelqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00090000000231fb-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023219-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000018062-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023219-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000018062-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000018062-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}	{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EC47462-3932-4183-B34A-208FB2C48925}	2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EC47462-3932-4183-B34A-208FB2C48925}\stubpath = "C:\\Windows\\{7EC47462-3932-4183-B34A-208FB2C48925}.exe"	2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}\stubpath = "C:\\Windows\\{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe"	{391011E8-96EE-454c-9A31-ED7726000DB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0F6E8B8-3B31-4349-BA04-8F2387725468}	{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}	{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2B2C3FF-969A-4762-81D9-537A88D9FAB8}\stubpath = "C:\\Windows\\{C2B2C3FF-969A-4762-81D9-537A88D9FAB8}.exe"	{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25BB5472-8678-4812-A6BD-61A59BFC73E6}	{C2B2C3FF-969A-4762-81D9-537A88D9FAB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{391011E8-96EE-454c-9A31-ED7726000DB9}\stubpath = "C:\\Windows\\{391011E8-96EE-454c-9A31-ED7726000DB9}.exe"	{7EC47462-3932-4183-B34A-208FB2C48925}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E16CE019-CF55-47cc-8E0B-A0E2614366FE}	{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E16CE019-CF55-47cc-8E0B-A0E2614366FE}\stubpath = "C:\\Windows\\{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe"	{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}\stubpath = "C:\\Windows\\{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe"	{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0F6E8B8-3B31-4349-BA04-8F2387725468}\stubpath = "C:\\Windows\\{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe"	{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}	{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25BB5472-8678-4812-A6BD-61A59BFC73E6}\stubpath = "C:\\Windows\\{25BB5472-8678-4812-A6BD-61A59BFC73E6}.exe"	{C2B2C3FF-969A-4762-81D9-537A88D9FAB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}	{391011E8-96EE-454c-9A31-ED7726000DB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2161470-26C9-40c7-836D-6DFDF01972B3}\stubpath = "C:\\Windows\\{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe"	{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}	{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}\stubpath = "C:\\Windows\\{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe"	{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2B2C3FF-969A-4762-81D9-537A88D9FAB8}	{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{391011E8-96EE-454c-9A31-ED7726000DB9}	{7EC47462-3932-4183-B34A-208FB2C48925}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2161470-26C9-40c7-836D-6DFDF01972B3}	{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}\stubpath = "C:\\Windows\\{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe"	{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}\stubpath = "C:\\Windows\\{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}.exe"	{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe

Executes dropped EXE 12 IoCs

pid	Process
5084	{7EC47462-3932-4183-B34A-208FB2C48925}.exe
4260	{391011E8-96EE-454c-9A31-ED7726000DB9}.exe
3960	{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe
4796	{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe
3684	{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe
5104	{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe
4540	{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe
224	{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe
4988	{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe
4324	{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}.exe
3216	{C2B2C3FF-969A-4762-81D9-537A88D9FAB8}.exe
1452	{25BB5472-8678-4812-A6BD-61A59BFC73E6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe	{391011E8-96EE-454c-9A31-ED7726000DB9}.exe
File created	C:\Windows\{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe	{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe
File created	C:\Windows\{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe	{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe
File created	C:\Windows\{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe	{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe
File created	C:\Windows\{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe	{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe
File created	C:\Windows\{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}.exe	{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe
File created	C:\Windows\{7EC47462-3932-4183-B34A-208FB2C48925}.exe	2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe
File created	C:\Windows\{391011E8-96EE-454c-9A31-ED7726000DB9}.exe	{7EC47462-3932-4183-B34A-208FB2C48925}.exe
File created	C:\Windows\{C2B2C3FF-969A-4762-81D9-537A88D9FAB8}.exe	{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}.exe
File created	C:\Windows\{25BB5472-8678-4812-A6BD-61A59BFC73E6}.exe	{C2B2C3FF-969A-4762-81D9-537A88D9FAB8}.exe
File created	C:\Windows\{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe	{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe
File created	C:\Windows\{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe	{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2196	2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5084	{7EC47462-3932-4183-B34A-208FB2C48925}.exe
Token: SeIncBasePriorityPrivilege	4260	{391011E8-96EE-454c-9A31-ED7726000DB9}.exe
Token: SeIncBasePriorityPrivilege	3960	{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe
Token: SeIncBasePriorityPrivilege	4796	{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe
Token: SeIncBasePriorityPrivilege	3684	{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe
Token: SeIncBasePriorityPrivilege	5104	{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe
Token: SeIncBasePriorityPrivilege	4540	{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe
Token: SeIncBasePriorityPrivilege	224	{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe
Token: SeIncBasePriorityPrivilege	4988	{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe
Token: SeIncBasePriorityPrivilege	4324	{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}.exe
Token: SeIncBasePriorityPrivilege	3216	{C2B2C3FF-969A-4762-81D9-537A88D9FAB8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 5084	2196	2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe	94
PID 2196 wrote to memory of 5084	2196	2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe	94
PID 2196 wrote to memory of 5084	2196	2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe	94
PID 2196 wrote to memory of 3220	2196	2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe	95
PID 2196 wrote to memory of 3220	2196	2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe	95
PID 2196 wrote to memory of 3220	2196	2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe	95
PID 5084 wrote to memory of 4260	5084	{7EC47462-3932-4183-B34A-208FB2C48925}.exe	96
PID 5084 wrote to memory of 4260	5084	{7EC47462-3932-4183-B34A-208FB2C48925}.exe	96
PID 5084 wrote to memory of 4260	5084	{7EC47462-3932-4183-B34A-208FB2C48925}.exe	96
PID 5084 wrote to memory of 2072	5084	{7EC47462-3932-4183-B34A-208FB2C48925}.exe	97
PID 5084 wrote to memory of 2072	5084	{7EC47462-3932-4183-B34A-208FB2C48925}.exe	97
PID 5084 wrote to memory of 2072	5084	{7EC47462-3932-4183-B34A-208FB2C48925}.exe	97
PID 4260 wrote to memory of 3960	4260	{391011E8-96EE-454c-9A31-ED7726000DB9}.exe	99
PID 4260 wrote to memory of 3960	4260	{391011E8-96EE-454c-9A31-ED7726000DB9}.exe	99
PID 4260 wrote to memory of 3960	4260	{391011E8-96EE-454c-9A31-ED7726000DB9}.exe	99
PID 4260 wrote to memory of 3772	4260	{391011E8-96EE-454c-9A31-ED7726000DB9}.exe	100
PID 4260 wrote to memory of 3772	4260	{391011E8-96EE-454c-9A31-ED7726000DB9}.exe	100
PID 4260 wrote to memory of 3772	4260	{391011E8-96EE-454c-9A31-ED7726000DB9}.exe	100
PID 3960 wrote to memory of 4796	3960	{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe	101
PID 3960 wrote to memory of 4796	3960	{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe	101
PID 3960 wrote to memory of 4796	3960	{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe	101
PID 3960 wrote to memory of 3044	3960	{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe	102
PID 3960 wrote to memory of 3044	3960	{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe	102
PID 3960 wrote to memory of 3044	3960	{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe	102
PID 4796 wrote to memory of 3684	4796	{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe	103
PID 4796 wrote to memory of 3684	4796	{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe	103
PID 4796 wrote to memory of 3684	4796	{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe	103
PID 4796 wrote to memory of 4532	4796	{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe	104
PID 4796 wrote to memory of 4532	4796	{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe	104
PID 4796 wrote to memory of 4532	4796	{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe	104
PID 3684 wrote to memory of 5104	3684	{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe	105
PID 3684 wrote to memory of 5104	3684	{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe	105
PID 3684 wrote to memory of 5104	3684	{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe	105
PID 3684 wrote to memory of 4932	3684	{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe	106
PID 3684 wrote to memory of 4932	3684	{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe	106
PID 3684 wrote to memory of 4932	3684	{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe	106
PID 5104 wrote to memory of 4540	5104	{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe	107
PID 5104 wrote to memory of 4540	5104	{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe	107
PID 5104 wrote to memory of 4540	5104	{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe	107
PID 5104 wrote to memory of 4344	5104	{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe	108
PID 5104 wrote to memory of 4344	5104	{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe	108
PID 5104 wrote to memory of 4344	5104	{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe	108
PID 4540 wrote to memory of 224	4540	{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe	109
PID 4540 wrote to memory of 224	4540	{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe	109
PID 4540 wrote to memory of 224	4540	{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe	109
PID 4540 wrote to memory of 3428	4540	{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe	110
PID 4540 wrote to memory of 3428	4540	{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe	110
PID 4540 wrote to memory of 3428	4540	{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe	110
PID 224 wrote to memory of 4988	224	{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe	111
PID 224 wrote to memory of 4988	224	{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe	111
PID 224 wrote to memory of 4988	224	{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe	111
PID 224 wrote to memory of 3764	224	{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe	112
PID 224 wrote to memory of 3764	224	{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe	112
PID 224 wrote to memory of 3764	224	{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe	112
PID 4988 wrote to memory of 4324	4988	{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe	113
PID 4988 wrote to memory of 4324	4988	{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe	113
PID 4988 wrote to memory of 4324	4988	{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe	113
PID 4988 wrote to memory of 4180	4988	{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe	114
PID 4988 wrote to memory of 4180	4988	{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe	114
PID 4988 wrote to memory of 4180	4988	{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe	114
PID 4324 wrote to memory of 3216	4324	{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}.exe	115
PID 4324 wrote to memory of 3216	4324	{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}.exe	115
PID 4324 wrote to memory of 3216	4324	{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}.exe	115
PID 4324 wrote to memory of 4476	4324	{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\{7EC47462-3932-4183-B34A-208FB2C48925}.exe
  C:\Windows\{7EC47462-3932-4183-B34A-208FB2C48925}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\{391011E8-96EE-454c-9A31-ED7726000DB9}.exe
    C:\Windows\{391011E8-96EE-454c-9A31-ED7726000DB9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe
      C:\Windows\{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Windows\{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe
        
        C:\Windows\{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4796
      - C:\Windows\{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe
        
        C:\Windows\{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe
        
        C:\Windows\{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe
        
        C:\Windows\{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe
        
        C:\Windows\{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe
        
        C:\Windows\{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}.exe
        
        C:\Windows\{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\{C2B2C3FF-969A-4762-81D9-537A88D9FAB8}.exe
        
        C:\Windows\{C2B2C3FF-969A-4762-81D9-537A88D9FAB8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
        
        C:\Windows\{25BB5472-8678-4812-A6BD-61A59BFC73E6}.exe
        
        C:\Windows\{25BB5472-8678-4812-A6BD-61A59BFC73E6}.exe
        13⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2B2C~1.EXE > nul
        13⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0506~1.EXE > nul
        12⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EEEE~1.EXE > nul
        11⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAF7E~1.EXE > nul
        10⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E16CE~1.EXE > nul
        9⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0F6E~1.EXE > nul
        8⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0670~1.EXE > nul
        7⤵
        
        PID:4932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2161~1.EXE > nul
        6⤵
        
        PID:4532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{076B9~1.EXE > nul
        5⤵
        
        PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{39101~1.EXE > nul
      4⤵
      PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7EC47~1.EXE > nul
    3⤵
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{076B9D7C-22D8-4c1f-AB8A-1F2CFA67EABD}.exe

Filesize
344KB

MD5
4c79ae43d2a39d3a9e2661c654249bb6

SHA1
da6d1078ba360b80345bc3422998db38a93de855

SHA256
3e9e8540b30cfcb4953657d555cf62257bb11ff301eaf6cc060432e2e1a38f34

SHA512
54b8e77a9c7d6ae0e7fc63e2a7844a70644d6bb8a69d7b7c112f50bdd11c663ad693e3506e74422caee1359e63982f70c43030d8b8e242cb18ee2f502cf18df4

Download Submit
C:\Windows\{25BB5472-8678-4812-A6BD-61A59BFC73E6}.exe

Filesize
344KB

MD5
b0cce58368c463e32b0bae6b5ec52579

SHA1
e490b0c5c5567f3a79777996db1370be77f554ea

SHA256
aafe45a8e66174689eacd99ec6c1f222cbef065b29788c2105079012410f10bd

SHA512
2a79cd3000c337f05c63b010b37c7e5e13909c3d0832110f4d831edd6807959f7c4419e70752f23b36d26a021d7fb1b3345c72a36a05bf545610d8703363ffe7

Download Submit
C:\Windows\{391011E8-96EE-454c-9A31-ED7726000DB9}.exe

Filesize
344KB

MD5
85babff3d7d4a212e3fb1addde2b9e4a

SHA1
2ec295564d0f9bd8ac6ce110532d1f255d1c6522

SHA256
596400e0c6ee39b16f0942047f4116f5c88071d745ac52cc5873985f7a38aee2

SHA512
40700ec5d97200bfa7e4f29eaf0d4093002c07eb3cf9330ecba4e94dc19f932ec3d16a6d06b634997a3f02ac963ad0697c878012861e18e838bba4e4127f4a82

Download Submit
C:\Windows\{3EEEE2A6-5BEC-4b1c-A7F4-C0F95DDF9D39}.exe

Filesize
344KB

MD5
237b6b78aa810906e0db99c0fe5669c7

SHA1
9c7140f431f44fbd522c37b9396fe8f5b39abe53

SHA256
afe98d3b20fd3f100114bd00470d6386399780479de0aa37fccf392226237eac

SHA512
ce545e27c62a73193ade0d5447d58196403a46db94fc07f8227d2cf24783e7af714eaecf6c7c6594d8b92f23e819167e7309ce846caf0979a1211465fbdc4f38

Download Submit
C:\Windows\{7EC47462-3932-4183-B34A-208FB2C48925}.exe

Filesize
344KB

MD5
e0d32bd7814d9f9fa6e821b441df1e9f

SHA1
4cce9a420115eaa5ac82ed665a17f10c89511412

SHA256
dc23dcc9af5a362c792c8fb5b62898e6cfee2f140dfb85a8de65d647d69249a2

SHA512
085254e1cf989a34134fa08c1688ea80b2e2e825c3de4c64c321937e03336652deebf4b4d6492ef2e19273166ca7c3ac529e38cc917b70903032201798a60ace

Download Submit
C:\Windows\{A2161470-26C9-40c7-836D-6DFDF01972B3}.exe

Filesize
344KB

MD5
3b9436ae1e014864f33a0d0ac9084954

SHA1
d5f00ce0b5d6883b348fb78afa80767560eb42b3

SHA256
79ceda8e491f4a21eaa6ce15b7f8bfa0db199fc278da341289f047a99b6ac5ed

SHA512
23c737ebd0106212a9cc8319fdfc5cdc99ada4614b9d9798f85dfe452085797ea9cea05010d3436670457ba970ac0601e665b26491f6535a3014dfd3c3dee6b6

Download Submit
C:\Windows\{B05062A9-4513-4b22-A69C-EDF8EFF1F3BA}.exe

Filesize
344KB

MD5
e3ecaa006a8ec7262e36a2e99f4c1049

SHA1
31c53b93682872ab49a3bbb453bd78ead919fa6a

SHA256
287d0d0481677fd0c8848dff6c2b539f4a3b77565bd289f5cce93f7ed3c54e2a

SHA512
ed1d7826d1ee1bd658f08a389022310aa6df9c37982d2332bfdf14ee69e23d893cc77c8766f5c1f99af50c714ef91f3a826206ef5e81c7d402c39a793cbf554f

Download Submit
C:\Windows\{C2B2C3FF-969A-4762-81D9-537A88D9FAB8}.exe

Filesize
344KB

MD5
f4115b45aa713692409b9f27b8df855c

SHA1
a19eea4a1b8804f05388c74b68a69e408716e4ba

SHA256
d5fbac6503291ced93f27ee59c08be3b97cad48e4882bbea812754938da62bd0

SHA512
eb4b7f04b36719ffc04da023e6965cd19d129ccf5cc423fd240b80f85600be8e38c9e5ec604bf699fe477269b3aec61a14fbfe3c1d32836acdb8ef02cf0e257c

Download Submit
C:\Windows\{E0670A7D-267F-4a6d-83F2-E0CB4B056C70}.exe

Filesize
344KB

MD5
2fdd04e0300362ac5572c6149f94327f

SHA1
bf9d980c520133b995513331a1d7b59efd6f0725

SHA256
89e24e0f46d4c8b3dbdaa3cc57161feffc9b9f3766c7c2ac7964f039230c4f6b

SHA512
b50d8ae450742b0af2e71aafd8ad30a7505d8731673ed949cff8a7782c110e7f3a1a2a221d13964ba4a74b76bb5407ed31a0886f92d48c02b43560cc5a5307cb

Download Submit
C:\Windows\{E16CE019-CF55-47cc-8E0B-A0E2614366FE}.exe

Filesize
344KB

MD5
7c5310240d1111d77511eeca11497065

SHA1
9ae909579eed594a9ab0e61be3699f71b744540e

SHA256
cdd38aa86b23633464c2c481b622111aa02d5711fb83cfdcfd8e65365bff912e

SHA512
10d54f09147a1212aac0396e2a0d6a88d00c5fe7baa9fe78d4fd710511b41fd651512906b4617b186127f8a9d09bb811078ff87fd5b217b0ba389890162c36ac

Download Submit
C:\Windows\{EAF7EB28-2CD2-4e5e-84AE-ED13CD93CFEF}.exe

Filesize
344KB

MD5
8c29f9dd05e6b8df5e257e87b54e80ad

SHA1
6c975ba290663512f76890b9997f93ad0fd58c6f

SHA256
3b11cd395aa47efd83ee9cf3a7fd89fbfff5772836f2b0295c4ff483ef2f06af

SHA512
f30a006f0bf1151db30df2f08d107dfe1aa13637366fd0bbfeff635987690eeced90e89a9fb7caf446d256c6c85895f578aedc978b29ed11e68e071be38c96ea

Download Submit
C:\Windows\{F0F6E8B8-3B31-4349-BA04-8F2387725468}.exe

Filesize
344KB

MD5
fb035b6df77297d4fb74b22000c16ca4

SHA1
a95a917bb0d7b173fbe2e7b76c264b3417a29683

SHA256
65e0c4a597c34dd635b94066a0e99dddef88d1b610494be3c568c6994b9b5acd

SHA512
b7eb8d6f6adece0f52f60bbffe8b5c4974429949ef129a061909ad35e71faa7346639296d691f57fd94ad40f9616755990c176f3eecd7c6bc5bb8d6254168c5c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads