f70224bf1613badf11cce9f03fda6e86f176da36dc6c4dcf164008ce4138dfb7

Analysis

max time kernel
163s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_3322a9b5d365c0036849016c7b525ef5_goldeneye.exe
Size

216KB
MD5

3322a9b5d365c0036849016c7b525ef5
SHA1

23b756e276ccbad1d9a47a82743bd0c93787da71
SHA256

f70224bf1613badf11cce9f03fda6e86f176da36dc6c4dcf164008ce4138dfb7
SHA512

3510db687915b53dd86294510b9996b1af843e2eb9fcc1eb74634357bac526dd88ed8748b3e5c2fe814185c3568f9d14025d268ea12771500bb6ae0e7f8a7e48
SSDEEP

3072:jEGh0oCl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGolEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e806-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321c-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002321f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021838-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000000037-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000000037-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000709-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70B448EF-1BA9-4755-92C7-2011657DCF1C}\stubpath = "C:\\Windows\\{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe"	2024-04-08_3322a9b5d365c0036849016c7b525ef5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}	{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6250D371-DCDB-4a26-91F7-E8730E01E691}	{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{291D1FCC-55C1-4a18-AFFF-6632F2352E90}\stubpath = "C:\\Windows\\{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe"	{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}\stubpath = "C:\\Windows\\{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}.exe"	{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70B448EF-1BA9-4755-92C7-2011657DCF1C}	2024-04-08_3322a9b5d365c0036849016c7b525ef5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{059CF562-13CE-4f24-8A9A-F69AA9EE174C}\stubpath = "C:\\Windows\\{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe"	{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}	{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}\stubpath = "C:\\Windows\\{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe"	{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{240AEA10-E706-4d0a-9416-8566F6E02137}\stubpath = "C:\\Windows\\{240AEA10-E706-4d0a-9416-8566F6E02137}.exe"	{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14BD990E-6986-4a1f-A0D6-60DFE633DC9D}	{240AEA10-E706-4d0a-9416-8566F6E02137}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14BD990E-6986-4a1f-A0D6-60DFE633DC9D}\stubpath = "C:\\Windows\\{14BD990E-6986-4a1f-A0D6-60DFE633DC9D}.exe"	{240AEA10-E706-4d0a-9416-8566F6E02137}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{059CF562-13CE-4f24-8A9A-F69AA9EE174C}	{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}\stubpath = "C:\\Windows\\{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe"	{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E6277B5-2138-4828-86B3-421D2206163B}	{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}	{8E6277B5-2138-4828-86B3-421D2206163B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3DC3E60-0B7C-494b-A6AE-F504384E2085}\stubpath = "C:\\Windows\\{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe"	{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{240AEA10-E706-4d0a-9416-8566F6E02137}	{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6250D371-DCDB-4a26-91F7-E8730E01E691}\stubpath = "C:\\Windows\\{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe"	{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E6277B5-2138-4828-86B3-421D2206163B}\stubpath = "C:\\Windows\\{8E6277B5-2138-4828-86B3-421D2206163B}.exe"	{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}\stubpath = "C:\\Windows\\{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe"	{8E6277B5-2138-4828-86B3-421D2206163B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{291D1FCC-55C1-4a18-AFFF-6632F2352E90}	{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3DC3E60-0B7C-494b-A6AE-F504384E2085}	{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}	{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe

Executes dropped EXE 12 IoCs

pid	Process
4700	{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe
4236	{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe
4140	{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe
2304	{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe
4740	{8E6277B5-2138-4828-86B3-421D2206163B}.exe
4136	{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe
836	{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe
2524	{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe
3584	{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe
368	{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}.exe
1648	{240AEA10-E706-4d0a-9416-8566F6E02137}.exe
1580	{14BD990E-6986-4a1f-A0D6-60DFE633DC9D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}.exe	{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe
File created	C:\Windows\{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe	2024-04-08_3322a9b5d365c0036849016c7b525ef5_goldeneye.exe
File created	C:\Windows\{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe	{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe
File created	C:\Windows\{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe	{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe
File created	C:\Windows\{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe	{8E6277B5-2138-4828-86B3-421D2206163B}.exe
File created	C:\Windows\{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe	{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe
File created	C:\Windows\{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe	{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe
File created	C:\Windows\{240AEA10-E706-4d0a-9416-8566F6E02137}.exe	{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}.exe
File created	C:\Windows\{14BD990E-6986-4a1f-A0D6-60DFE633DC9D}.exe	{240AEA10-E706-4d0a-9416-8566F6E02137}.exe
File created	C:\Windows\{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe	{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe
File created	C:\Windows\{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe	{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe
File created	C:\Windows\{8E6277B5-2138-4828-86B3-421D2206163B}.exe	{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	888	2024-04-08_3322a9b5d365c0036849016c7b525ef5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4700	{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe
Token: SeIncBasePriorityPrivilege	4236	{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe
Token: SeIncBasePriorityPrivilege	4140	{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe
Token: SeIncBasePriorityPrivilege	2304	{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe
Token: SeIncBasePriorityPrivilege	4740	{8E6277B5-2138-4828-86B3-421D2206163B}.exe
Token: SeIncBasePriorityPrivilege	4136	{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe
Token: SeIncBasePriorityPrivilege	836	{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe
Token: SeIncBasePriorityPrivilege	2524	{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe
Token: SeIncBasePriorityPrivilege	3584	{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe
Token: SeIncBasePriorityPrivilege	368	{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}.exe
Token: SeIncBasePriorityPrivilege	1648	{240AEA10-E706-4d0a-9416-8566F6E02137}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 4700	888	2024-04-08_3322a9b5d365c0036849016c7b525ef5_goldeneye.exe	88
PID 888 wrote to memory of 4700	888	2024-04-08_3322a9b5d365c0036849016c7b525ef5_goldeneye.exe	88
PID 888 wrote to memory of 4700	888	2024-04-08_3322a9b5d365c0036849016c7b525ef5_goldeneye.exe	88
PID 888 wrote to memory of 4852	888	2024-04-08_3322a9b5d365c0036849016c7b525ef5_goldeneye.exe	89
PID 888 wrote to memory of 4852	888	2024-04-08_3322a9b5d365c0036849016c7b525ef5_goldeneye.exe	89
PID 888 wrote to memory of 4852	888	2024-04-08_3322a9b5d365c0036849016c7b525ef5_goldeneye.exe	89
PID 4700 wrote to memory of 4236	4700	{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe	94
PID 4700 wrote to memory of 4236	4700	{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe	94
PID 4700 wrote to memory of 4236	4700	{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe	94
PID 4700 wrote to memory of 3616	4700	{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe	95
PID 4700 wrote to memory of 3616	4700	{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe	95
PID 4700 wrote to memory of 3616	4700	{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe	95
PID 4236 wrote to memory of 4140	4236	{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe	99
PID 4236 wrote to memory of 4140	4236	{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe	99
PID 4236 wrote to memory of 4140	4236	{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe	99
PID 4236 wrote to memory of 1860	4236	{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe	100
PID 4236 wrote to memory of 1860	4236	{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe	100
PID 4236 wrote to memory of 1860	4236	{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe	100
PID 4140 wrote to memory of 2304	4140	{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe	102
PID 4140 wrote to memory of 2304	4140	{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe	102
PID 4140 wrote to memory of 2304	4140	{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe	102
PID 4140 wrote to memory of 1400	4140	{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe	103
PID 4140 wrote to memory of 1400	4140	{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe	103
PID 4140 wrote to memory of 1400	4140	{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe	103
PID 2304 wrote to memory of 4740	2304	{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe	104
PID 2304 wrote to memory of 4740	2304	{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe	104
PID 2304 wrote to memory of 4740	2304	{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe	104
PID 2304 wrote to memory of 1084	2304	{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe	105
PID 2304 wrote to memory of 1084	2304	{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe	105
PID 2304 wrote to memory of 1084	2304	{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe	105
PID 4740 wrote to memory of 4136	4740	{8E6277B5-2138-4828-86B3-421D2206163B}.exe	106
PID 4740 wrote to memory of 4136	4740	{8E6277B5-2138-4828-86B3-421D2206163B}.exe	106
PID 4740 wrote to memory of 4136	4740	{8E6277B5-2138-4828-86B3-421D2206163B}.exe	106
PID 4740 wrote to memory of 3260	4740	{8E6277B5-2138-4828-86B3-421D2206163B}.exe	107
PID 4740 wrote to memory of 3260	4740	{8E6277B5-2138-4828-86B3-421D2206163B}.exe	107
PID 4740 wrote to memory of 3260	4740	{8E6277B5-2138-4828-86B3-421D2206163B}.exe	107
PID 4136 wrote to memory of 836	4136	{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe	108
PID 4136 wrote to memory of 836	4136	{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe	108
PID 4136 wrote to memory of 836	4136	{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe	108
PID 4136 wrote to memory of 4428	4136	{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe	109
PID 4136 wrote to memory of 4428	4136	{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe	109
PID 4136 wrote to memory of 4428	4136	{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe	109
PID 836 wrote to memory of 2524	836	{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe	110
PID 836 wrote to memory of 2524	836	{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe	110
PID 836 wrote to memory of 2524	836	{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe	110
PID 836 wrote to memory of 2064	836	{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe	111
PID 836 wrote to memory of 2064	836	{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe	111
PID 836 wrote to memory of 2064	836	{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe	111
PID 2524 wrote to memory of 3584	2524	{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe	112
PID 2524 wrote to memory of 3584	2524	{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe	112
PID 2524 wrote to memory of 3584	2524	{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe	112
PID 2524 wrote to memory of 3924	2524	{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe	113
PID 2524 wrote to memory of 3924	2524	{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe	113
PID 2524 wrote to memory of 3924	2524	{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe	113
PID 3584 wrote to memory of 368	3584	{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe	114
PID 3584 wrote to memory of 368	3584	{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe	114
PID 3584 wrote to memory of 368	3584	{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe	114
PID 3584 wrote to memory of 2704	3584	{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe	115
PID 3584 wrote to memory of 2704	3584	{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe	115
PID 3584 wrote to memory of 2704	3584	{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe	115
PID 368 wrote to memory of 1648	368	{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}.exe	116
PID 368 wrote to memory of 1648	368	{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}.exe	116
PID 368 wrote to memory of 1648	368	{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}.exe	116
PID 368 wrote to memory of 2224	368	{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-08_3322a9b5d365c0036849016c7b525ef5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_3322a9b5d365c0036849016c7b525ef5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888
- C:\Windows\{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe
  C:\Windows\{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe
    C:\Windows\{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Windows\{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe
      C:\Windows\{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4140
    - - C:\Windows\{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe
        
        C:\Windows\{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Windows\{8E6277B5-2138-4828-86B3-421D2206163B}.exe
        
        C:\Windows\{8E6277B5-2138-4828-86B3-421D2206163B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe
        
        C:\Windows\{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe
        
        C:\Windows\{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe
        
        C:\Windows\{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe
        
        C:\Windows\{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}.exe
        
        C:\Windows\{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\{240AEA10-E706-4d0a-9416-8566F6E02137}.exe
        
        C:\Windows\{240AEA10-E706-4d0a-9416-8566F6E02137}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\{14BD990E-6986-4a1f-A0D6-60DFE633DC9D}.exe
        
        C:\Windows\{14BD990E-6986-4a1f-A0D6-60DFE633DC9D}.exe
        13⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{240AE~1.EXE > nul
        13⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECC12~1.EXE > nul
        12⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3DC3~1.EXE > nul
        11⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE4AD~1.EXE > nul
        10⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{291D1~1.EXE > nul
        9⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A95F0~1.EXE > nul
        8⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E627~1.EXE > nul
        7⤵
        
        PID:3260
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6250D~1.EXE > nul
        6⤵
        
        PID:1084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29BD8~1.EXE > nul
        5⤵
        
        PID:1400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{059CF~1.EXE > nul
      4⤵
      PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{70B44~1.EXE > nul
    3⤵
    PID:3616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{059CF562-13CE-4f24-8A9A-F69AA9EE174C}.exe

Filesize
216KB

MD5
5225b7865303a60d975afa78819364a4

SHA1
4da5ae00d9a73c340e0e7278ab85cf290bea1fff

SHA256
53378dfebdd952b6fea04feee22ff4dc02fd53d94bfd7556a2917cbf163833a4

SHA512
016d3a0ce01db7ce295cfd4fca28f108792bb3a794a832ccb626eeeedb70e1ae95b7e9612ce7486c9071837758af35ad0f76c70b75fc5ce7cce8e5eafef4277a

Download Submit
C:\Windows\{14BD990E-6986-4a1f-A0D6-60DFE633DC9D}.exe

Filesize
216KB

MD5
7e2a388ee65518281522e8d57d5dd6ef

SHA1
4536c79349636e2bb1ac74ad93cc31276192d6d5

SHA256
e65405efd752d506a6c601a0883a1f02d9144a7103aa205f7d898b0dfeca928a

SHA512
6891eecbad1f5c8c4f4d5c5d27b1d9d0ca371308b3a3f0f166f8b5e0890386f83d802b2726d33f8a6b5b7d67da7b5f4ed94768c52f2e25743a2db34f0f7cd647

Download Submit
C:\Windows\{240AEA10-E706-4d0a-9416-8566F6E02137}.exe

Filesize
216KB

MD5
1daa56db251b53ae1c51ac0b1b582759

SHA1
63c79f95f83daca8305ed0050f7147fca7913c87

SHA256
f2d7970167797aeebcd3012cb07a4dc183423a6ae43b420a5681c1301ba12279

SHA512
5a49f76f3ef84192a4df89c2c9c3165278089b257e42229391963f981f43c475ae2df2f0fad5db6095c204ceaf4850377f284cc6b20ae837d484094a4cbcd349

Download Submit
C:\Windows\{291D1FCC-55C1-4a18-AFFF-6632F2352E90}.exe

Filesize
216KB

MD5
62a3b553d964637c23762a07f326e3ab

SHA1
cf43b6a17284a1eb0e7750f6a50d6137dd27e86e

SHA256
09acef5cb185e0413db4730cfb6aecdc2b30bd4e374d98061aac148af3654e46

SHA512
4030bc1be08a3ac49b2b5757053d3fe0d89f86a9c8d45ba51f77236d2cc6c21266f392723072fd9caa589bfcbe3a83c8738a6cacf3ef3b9a15f520c085c8ac3b

Download Submit
C:\Windows\{29BD8AC6-EBF3-48a4-BFBF-14D86CC480A0}.exe

Filesize
216KB

MD5
eaf8d9442b3806f6d221aa3a30b0b3a7

SHA1
bf94ce78354598d84e198bee1f0627f84a345937

SHA256
1a81046ad4ceb3b177f30a1c158631d40a3401eec87af54220c54cc5b495d94f

SHA512
db8e9340fa0b5e7c5319ea981393389fa3e059e998144f7b44ff76ffb25721bdbbf56e31bc69753254cad630dc065cdc1302a0c13cfdebf8b19c3c83e1ca431b

Download Submit
C:\Windows\{6250D371-DCDB-4a26-91F7-E8730E01E691}.exe

Filesize
216KB

MD5
af82f7fc076b794822243093fdd1d78d

SHA1
1146d40433a84b464c91c1ed10ebc1d7cc55b27b

SHA256
9ee98117c6352ce8d30b9d20f4ea4aa116882b0a7062406bda681ce424a7b5bc

SHA512
9129e217df748ce5c242b8d3058740803785666da4a1a583ce164747888bdb78af546252a93fd013056224175ff0f91a2ee2f247caa7dbe14d9d4e74c7da4b69

Download Submit
C:\Windows\{70B448EF-1BA9-4755-92C7-2011657DCF1C}.exe

Filesize
216KB

MD5
a161976f7581c8513922dc03c0d2b01f

SHA1
d732f954ca5a69469cbb37099d3a117c43bbe030

SHA256
bc92020c4afd955a695a30eb4701ad8380d22d66ebe7a39a3b9cf29631a906e6

SHA512
b0989ef7055907e21d3b377f3abd48459b524e896bf253caf5ca694b4de3c0436dfeacbfd9f7510c5665246945b7446477eb078de8a47e455dcb48aebfb7281c

Download Submit
C:\Windows\{8E6277B5-2138-4828-86B3-421D2206163B}.exe

Filesize
216KB

MD5
d2405bc144bdacd3d4e855ca37660c50

SHA1
e07f63e2ee53bba41a021774a8f3f132996a290f

SHA256
f74aee951102e318a2ad574141ad94ca50e1664173687a8953d9d4c8bca1cbd8

SHA512
c6f952bbc541440dda7652d190b942351a79a8e0748bba80d5611ce977bbd736afc4a60dc2de552806037ca99f7123828048d964b0dc101a7e6a96f7e9ff5fd4

Download Submit
C:\Windows\{A95F0725-38E1-4b0f-A2E4-81EBCAFBACCD}.exe

Filesize
216KB

MD5
4625c560ec65d8f0280a5a34467b3d4a

SHA1
bf0c0a54951e1fd97064a578b8052563e87ab294

SHA256
fd96246134dfecd00ec1c3fdfb918be50dc5a3949b857de4ed26ec30f41db9da

SHA512
ed67399791cc3a554954f891d28d23f3351167c7dcc69bb643aac65d87294609930f73dddaab6f236de9375c2edc907e6c8b9049d22998e796e0d768e9b18adb

Download Submit
C:\Windows\{AE4AD5CB-230E-4ff3-9D83-9EC09F08F10F}.exe

Filesize
216KB

MD5
22347040a0de18689d0350fa51ae1be2

SHA1
57b2eb0dc464c07ad7334fd26e87ea503a574658

SHA256
746a663bbe953dc03cdebbcc4307b10efe3457be010ae0b20ef93999547835c9

SHA512
5d227c14a00c508d6cd7bfb1ed36775a8fd76980cf53716d46161156feaf82343f04b105dcb34683e6aa95f492c62b74a7c2c58a923a413598a42b5b82ae42bc

Download Submit
C:\Windows\{C3DC3E60-0B7C-494b-A6AE-F504384E2085}.exe

Filesize
216KB

MD5
b6dfe8ab7b10885b11a89234e4a7417e

SHA1
1bbf7a8a0efb6bb783aa2e3e3bb02739a906ffc1

SHA256
cba27353cc94041fc954c9f208ec5115a03b949571dcfe2d1c0aeed47ffa9908

SHA512
7178e31be75c4005a0a31509f10d9e39f133397db10a492508524f7872e388ae0206e5051b1d4ab0d71fe535628c84882c546aa4360a519154f720e15b90dbac

Download Submit
C:\Windows\{ECC12BA8-31EF-4b0d-A6AC-A7FED1C9C1C3}.exe

Filesize
216KB

MD5
040bcf868d5ad93264111fe4d3924934

SHA1
24ded577966cc1748e2395e791a44f06b471d118

SHA256
144c01e8c4d0c845f7dae8574533ca9b1485912efbc1d7fc27c59f6b26063d0e

SHA512
1cde61ed00b54f01efea8440ad6a27b91f54b051e553f64743e1618364577921165aff895e32249f5452a9c48b98207ff7f4bdc9219dd03f3ceddfea44380d13

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads