729407bdcfbbc32ad3da78450143536afe71de12cdf5fb0f57c4306bab2aa8b6

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe
Size

408KB
MD5

020679600730217abb99bb7ce00127ce
SHA1

590028c90c3944a213c05bf676ccaa5fabbceada
SHA256

729407bdcfbbc32ad3da78450143536afe71de12cdf5fb0f57c4306bab2aa8b6
SHA512

e6193d219271acbf9e6d3a2fe37e263a1cb36ffd59e80d203a898d2812be4e03656bce53039a5b4a9eb87eb731bf4cba7f4db82589aa74601ff1bb8b49bd0d6e
SSDEEP

3072:CEGh0oVl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGDldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023204-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00140000000231fb-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00150000000231fb-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d05-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d06-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d05-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}	{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91F76A15-CBFE-49ed-9598-F93BC9EF900B}	{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1F69906-F0F1-439a-8EB6-00CD52CBC768}	{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}	{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}\stubpath = "C:\\Windows\\{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe"	{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}\stubpath = "C:\\Windows\\{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe"	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36D7D053-ACB1-4cf4-B036-E6CC0C548229}	{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A51BE2DD-130A-4405-8C77-E84EB466E520}	{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36D7D053-ACB1-4cf4-B036-E6CC0C548229}\stubpath = "C:\\Windows\\{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe"	{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}\stubpath = "C:\\Windows\\{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe"	{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}\stubpath = "C:\\Windows\\{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}.exe"	{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1F69906-F0F1-439a-8EB6-00CD52CBC768}\stubpath = "C:\\Windows\\{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe"	{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}	{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69E4D03B-75AD-466a-AF49-85BED4E3BCA7}	{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69E4D03B-75AD-466a-AF49-85BED4E3BCA7}\stubpath = "C:\\Windows\\{69E4D03B-75AD-466a-AF49-85BED4E3BCA7}.exe"	{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED2141DD-88E8-4aa1-8ED0-B3A9F0608153}\stubpath = "C:\\Windows\\{ED2141DD-88E8-4aa1-8ED0-B3A9F0608153}.exe"	{69E4D03B-75AD-466a-AF49-85BED4E3BCA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}\stubpath = "C:\\Windows\\{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe"	{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91F76A15-CBFE-49ed-9598-F93BC9EF900B}\stubpath = "C:\\Windows\\{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe"	{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33862DD6-D87F-4e91-BB1B-D8167FB5710D}	{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED2141DD-88E8-4aa1-8ED0-B3A9F0608153}	{69E4D03B-75AD-466a-AF49-85BED4E3BCA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}	{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33862DD6-D87F-4e91-BB1B-D8167FB5710D}\stubpath = "C:\\Windows\\{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe"	{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A51BE2DD-130A-4405-8C77-E84EB466E520}\stubpath = "C:\\Windows\\{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe"	{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe

Deletes itself 1 IoCs

pid	Process
4456	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
3704	{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe
4884	{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe
5076	{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe
640	{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe
2764	{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe
4428	{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe
4364	{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe
1304	{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe
2068	{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe
3512	{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}.exe
2204	{69E4D03B-75AD-466a-AF49-85BED4E3BCA7}.exe
1592	{ED2141DD-88E8-4aa1-8ED0-B3A9F0608153}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe	{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe
File created	C:\Windows\{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe	{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe
File created	C:\Windows\{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe	{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe
File created	C:\Windows\{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}.exe	{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe
File created	C:\Windows\{69E4D03B-75AD-466a-AF49-85BED4E3BCA7}.exe	{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}.exe
File created	C:\Windows\{ED2141DD-88E8-4aa1-8ED0-B3A9F0608153}.exe	{69E4D03B-75AD-466a-AF49-85BED4E3BCA7}.exe
File created	C:\Windows\{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe
File created	C:\Windows\{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe	{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe
File created	C:\Windows\{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe	{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe
File created	C:\Windows\{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe	{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe
File created	C:\Windows\{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe	{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe
File created	C:\Windows\{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe	{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	408	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3704	{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe
Token: SeIncBasePriorityPrivilege	4884	{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe
Token: SeIncBasePriorityPrivilege	5076	{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe
Token: SeIncBasePriorityPrivilege	640	{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe
Token: SeIncBasePriorityPrivilege	2764	{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe
Token: SeIncBasePriorityPrivilege	4428	{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe
Token: SeIncBasePriorityPrivilege	4364	{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe
Token: SeIncBasePriorityPrivilege	1304	{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe
Token: SeIncBasePriorityPrivilege	2068	{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe
Token: SeIncBasePriorityPrivilege	3512	{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}.exe
Token: SeIncBasePriorityPrivilege	2204	{69E4D03B-75AD-466a-AF49-85BED4E3BCA7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 3704	408	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe	96
PID 408 wrote to memory of 3704	408	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe	96
PID 408 wrote to memory of 3704	408	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe	96
PID 408 wrote to memory of 4456	408	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe	97
PID 408 wrote to memory of 4456	408	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe	97
PID 408 wrote to memory of 4456	408	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe	97
PID 3704 wrote to memory of 4884	3704	{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe	98
PID 3704 wrote to memory of 4884	3704	{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe	98
PID 3704 wrote to memory of 4884	3704	{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe	98
PID 3704 wrote to memory of 1452	3704	{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe	99
PID 3704 wrote to memory of 1452	3704	{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe	99
PID 3704 wrote to memory of 1452	3704	{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe	99
PID 4884 wrote to memory of 5076	4884	{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe	101
PID 4884 wrote to memory of 5076	4884	{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe	101
PID 4884 wrote to memory of 5076	4884	{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe	101
PID 4884 wrote to memory of 1544	4884	{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe	102
PID 4884 wrote to memory of 1544	4884	{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe	102
PID 4884 wrote to memory of 1544	4884	{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe	102
PID 5076 wrote to memory of 640	5076	{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe	103
PID 5076 wrote to memory of 640	5076	{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe	103
PID 5076 wrote to memory of 640	5076	{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe	103
PID 5076 wrote to memory of 5092	5076	{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe	104
PID 5076 wrote to memory of 5092	5076	{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe	104
PID 5076 wrote to memory of 5092	5076	{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe	104
PID 640 wrote to memory of 2764	640	{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe	105
PID 640 wrote to memory of 2764	640	{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe	105
PID 640 wrote to memory of 2764	640	{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe	105
PID 640 wrote to memory of 1196	640	{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe	106
PID 640 wrote to memory of 1196	640	{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe	106
PID 640 wrote to memory of 1196	640	{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe	106
PID 2764 wrote to memory of 4428	2764	{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe	107
PID 2764 wrote to memory of 4428	2764	{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe	107
PID 2764 wrote to memory of 4428	2764	{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe	107
PID 2764 wrote to memory of 3032	2764	{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe	108
PID 2764 wrote to memory of 3032	2764	{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe	108
PID 2764 wrote to memory of 3032	2764	{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe	108
PID 4428 wrote to memory of 4364	4428	{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe	109
PID 4428 wrote to memory of 4364	4428	{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe	109
PID 4428 wrote to memory of 4364	4428	{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe	109
PID 4428 wrote to memory of 5016	4428	{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe	110
PID 4428 wrote to memory of 5016	4428	{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe	110
PID 4428 wrote to memory of 5016	4428	{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe	110
PID 4364 wrote to memory of 1304	4364	{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe	111
PID 4364 wrote to memory of 1304	4364	{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe	111
PID 4364 wrote to memory of 1304	4364	{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe	111
PID 4364 wrote to memory of 4016	4364	{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe	112
PID 4364 wrote to memory of 4016	4364	{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe	112
PID 4364 wrote to memory of 4016	4364	{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe	112
PID 1304 wrote to memory of 2068	1304	{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe	113
PID 1304 wrote to memory of 2068	1304	{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe	113
PID 1304 wrote to memory of 2068	1304	{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe	113
PID 1304 wrote to memory of 1352	1304	{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe	114
PID 1304 wrote to memory of 1352	1304	{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe	114
PID 1304 wrote to memory of 1352	1304	{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe	114
PID 2068 wrote to memory of 3512	2068	{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe	115
PID 2068 wrote to memory of 3512	2068	{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe	115
PID 2068 wrote to memory of 3512	2068	{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe	115
PID 2068 wrote to memory of 4588	2068	{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe	116
PID 2068 wrote to memory of 4588	2068	{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe	116
PID 2068 wrote to memory of 4588	2068	{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe	116
PID 3512 wrote to memory of 2204	3512	{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}.exe	117
PID 3512 wrote to memory of 2204	3512	{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}.exe	117
PID 3512 wrote to memory of 2204	3512	{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}.exe	117
PID 3512 wrote to memory of 3900	3512	{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe
  C:\Windows\{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe
    C:\Windows\{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe
      C:\Windows\{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe
        
        C:\Windows\{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:640
      - C:\Windows\{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe
        
        C:\Windows\{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe
        
        C:\Windows\{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe
        
        C:\Windows\{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe
        
        C:\Windows\{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe
        
        C:\Windows\{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}.exe
        
        C:\Windows\{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\{69E4D03B-75AD-466a-AF49-85BED4E3BCA7}.exe
        
        C:\Windows\{69E4D03B-75AD-466a-AF49-85BED4E3BCA7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\{ED2141DD-88E8-4aa1-8ED0-B3A9F0608153}.exe
        
        C:\Windows\{ED2141DD-88E8-4aa1-8ED0-B3A9F0608153}.exe
        13⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69E4D~1.EXE > nul
        13⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5E0D~1.EXE > nul
        12⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A51BE~1.EXE > nul
        11⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C0D7~1.EXE > nul
        10⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1F69~1.EXE > nul
        9⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33862~1.EXE > nul
        8⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91F76~1.EXE > nul
        7⤵
        
        PID:3032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20F1C~1.EXE > nul
        6⤵
        
        PID:1196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FE0B~1.EXE > nul
        5⤵
        
        PID:5092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{36D7D~1.EXE > nul
      4⤵
      PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3C21~1.EXE > nul
    3⤵
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C0D7B42-643E-4bb5-A7DE-418E24F9BB45}.exe

Filesize
408KB

MD5
f8dd933a9bd73f9d3ce2f52dd3b95d7b

SHA1
5a137798ca7e34c3eef1087c54a7daaa5e5799ba

SHA256
bc85eb43a43eb28a7c10d731ff59bf489540bbfe6afe0b70ddc948ec0c700ab3

SHA512
7dfb487f0c8020a8549b5ff46f403e2efa7c6d891323ca07dc6543c0d813f9a666a9115e9283984fb6f589ce5109ea3ef66df7bcd8fb3b4a84d76a87c3619b68

Download Submit
C:\Windows\{20F1C053-28F8-4db5-BEAE-F367C2AB4C95}.exe

Filesize
408KB

MD5
06dc986e36870ab8f545bbc2fbc42146

SHA1
687fb6436bcc5ada4379f5db34854ed2976ce7a5

SHA256
0fff7ed3d26daaee0b3bb76d7316985c87a303348ce8164037ae6637d10557b9

SHA512
2957fc13e6bf81cfe6066be4849dd4ce8f6b76cd80a1c074d10ce812961a8d7b1de3b6e285efe804f4cb1cd19bd88928a34fcf2d5563c509496faade69f1fe34

Download Submit
C:\Windows\{2FE0B35A-2AB1-4e97-9AA7-33F9382E0C2F}.exe

Filesize
408KB

MD5
a01c42d7102103bd942c954b73f6a01c

SHA1
8d1dc11e24664368d363e340fd795c28c6ce7c1b

SHA256
48426dad95ef167152966dd51882a11a01b0096229f0e74e7b20699a69dd559e

SHA512
653444e9e304e151e3b067a3eae0c3267bdd703f007b6d08b3f419f1565e9e72b662656602434b8e20308f77a23d5131bee3c0254b4295678260729d51609c9f

Download Submit
C:\Windows\{33862DD6-D87F-4e91-BB1B-D8167FB5710D}.exe

Filesize
408KB

MD5
07ea4d2a4fe3d8be75a3e00a8f4649c9

SHA1
3aca3b879b2a613b72459812177d0a1e13e601ca

SHA256
f626be2517af7be554181ca59fd180e8aaac82ee75856bee0619fe6c68967526

SHA512
6ac4a164f896782520069ca5802884ccef767ccf88ac42b570a2ef91e6beadd3535daa4cf7190c758f935c513e35ea8f1f0691af3d8964078a1267fa5dcdbcd6

Download Submit
C:\Windows\{36D7D053-ACB1-4cf4-B036-E6CC0C548229}.exe

Filesize
408KB

MD5
76feb93fc886f78d3ac71da1f412a4eb

SHA1
3b66eae0f31b07196f4216e51570492453fd0c26

SHA256
6f2f0aa0cf0b4b3012a0a0e395704cce91df7a78e16c85f0e9a199838f22b10a

SHA512
efd1738e3df18c833c55f6e32782c23e5215f9ba8273d177018910b1ca605e5c89b04b8357edeebea3edeff7fbaf83143c8abc036953dac55f25e1bafd967660

Download Submit
C:\Windows\{69E4D03B-75AD-466a-AF49-85BED4E3BCA7}.exe

Filesize
408KB

MD5
fbe5db2080ee71c9c36a3809b3f4c5ff

SHA1
1cd2ba9ee3d7efc37f2d76a1da02184c40272f28

SHA256
e7ae8adaa6ef33d31143892dc863f11d6518c868e4e9e8d7852494a3c5d41b88

SHA512
099c27c6947a31a06f3f2d241517013b037c617ecd4f8246052b2108c720b8d06f2d5a8ca5db0489997d8d11dbf7aaabc3818b24b8c2c622214cf30724416b47

Download Submit
C:\Windows\{91F76A15-CBFE-49ed-9598-F93BC9EF900B}.exe

Filesize
408KB

MD5
4908dd61ad6f5c245b85850b76d5df5b

SHA1
780ec6aedc8d45737bb401a0ea751ac359727c79

SHA256
b8330a7f2949d5e641490dda73e2ff6f97a7c03b253fc8b6775d93625a7fc760

SHA512
3da466f9e07888cc2ad8fac9e9d21e06e2bd7282d28c90a98f36ca1d2652c606479fefbac19351936e6afb308022fac9628d6232adaa25032975a612ed3b8c93

Download Submit
C:\Windows\{A1F69906-F0F1-439a-8EB6-00CD52CBC768}.exe

Filesize
408KB

MD5
3346f645ca36cc69a09d118637827b8f

SHA1
1a402b0e5ccce8c5fe813c33dd298066ae6a1dd3

SHA256
a3ad057d1d475b1ff11edc3852db692628de26d292a9cb5e695d7f0426462a26

SHA512
c6cdff315cc00ae855d4852a1f52cb91ed8311b54801ec31296e71e11c3cb97ae9ed1720140c8a1180d119e8eac597f465e01f84fabcdd6fd8671611d7583232

Download Submit
C:\Windows\{A51BE2DD-130A-4405-8C77-E84EB466E520}.exe

Filesize
408KB

MD5
6ac931bcad1d2a721d1b8045e76fda60

SHA1
0502e38298974569eab73fd5e0d0ed51927a558a

SHA256
4bfa70bb8236ec3c271764d2f70dbb2788de2a4c60236c81f6a7eb172afe59d7

SHA512
534bb30742ea06a6578bc794d78e925d93f1857e86cfb9acf1c31c1fce06c231c2a033e4997f482826d420797d2656d48c3d6ef6d9729f334698620cf6d99d9c

Download Submit
C:\Windows\{C5E0DA2A-790E-45d3-8CC4-D9174AFEC611}.exe

Filesize
408KB

MD5
0725e8b1774db144c2ab4cc951b680b6

SHA1
450dd3aa8b6f8d5c115dea903f42c7b82a3be6ba

SHA256
cd907a6830f8808b433c5eb8e629fb2ee6f7d45843110fc80b886883b84f1e97

SHA512
ed7a36993a66917378b3a5c0ea20b1edef37189049454fc375780fedccc7113530b60aa02e0dfb0bd22bcdb990b3cb023a9f78c93f5749c381e068bd61eb532b

Download Submit
C:\Windows\{D3C211C8-6ECF-4a65-B02A-4D2E18B3F81D}.exe

Filesize
408KB

MD5
b4c51786c25c22e60258812aa7223d47

SHA1
a075db567714b3a31421749c4efbd5166e7eff07

SHA256
f3fb3c0330303bf677a88ab09a039938f62f2c3f79f63664655be1b4a5c2b21e

SHA512
e70aa4fff3021c741d4a3a8d5debd0eca0db41efd4f1d17a901f24fb836388a0a9525ce0a32015b5e6774272d4340599acd538f54b7df9096718e37b6eef6b15

Download Submit
C:\Windows\{ED2141DD-88E8-4aa1-8ED0-B3A9F0608153}.exe

Filesize
408KB

MD5
d6e6a73d27afee9587817b0b271c06b8

SHA1
df1a1ffdac13311a30b8f3cadb45dfefb1a7af75

SHA256
1bf9ae9b2c64a36bf4eaa4d156748bf7a6e103c07247c83612eb1145ff0fd675

SHA512
4a4623602a3c1cf42a444858a7080b1d51ade7887f88945ed34953419594e36b8af27f29e590e9cbab25d8948a718855e207bcd4b544f77b4bd39a8d833dd87f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads