410fe386b8a73c2fe31360338629d61d01a44ef80d781cae1470b9d0fe7f5a5d

Analysis

max time kernel
156s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe
Size

168KB
MD5

ee5b303eaabfaad6215e31c52a0acbf3
SHA1

fd82920c63b3929b5cf578838ac71c84bd6cd741
SHA256

410fe386b8a73c2fe31360338629d61d01a44ef80d781cae1470b9d0fe7f5a5d
SHA512

b4f288cb6c931b9c5959a668e319978638ac086644e36b23636fd26fd7e634ec7b6b9b2e48eacee40f089bac231a5302bb5c2fadc5fc216872c63b6a1a42cde9
SSDEEP

1536:1EGh0o8lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o8lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e809-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023243-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023248-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023243-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000006d1-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021838-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000000037-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00140000000006d1-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000000037-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00150000000006d1-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00160000000006d1-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6825A39-3F10-4dc2-913F-EA01CEF280E5}\stubpath = "C:\\Windows\\{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe"	{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}\stubpath = "C:\\Windows\\{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe"	{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}	{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}	{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}	{53297F86-D616-48c0-820D-594286E9F2A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C937963-0CC7-41b9-9936-B155EF59D073}	{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C937963-0CC7-41b9-9936-B155EF59D073}\stubpath = "C:\\Windows\\{1C937963-0CC7-41b9-9936-B155EF59D073}.exe"	{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}\stubpath = "C:\\Windows\\{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe"	{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A503F7B4-3026-46cb-9157-5B2798BD9B4B}	{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A503F7B4-3026-46cb-9157-5B2798BD9B4B}\stubpath = "C:\\Windows\\{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe"	{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53297F86-D616-48c0-820D-594286E9F2A5}	{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}\stubpath = "C:\\Windows\\{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}.exe"	{53297F86-D616-48c0-820D-594286E9F2A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}\stubpath = "C:\\Windows\\{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe"	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E71EFFA-203C-466b-9521-49F443371950}	{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E71EFFA-203C-466b-9521-49F443371950}\stubpath = "C:\\Windows\\{1E71EFFA-203C-466b-9521-49F443371950}.exe"	{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}\stubpath = "C:\\Windows\\{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe"	{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B938C68D-5C6E-49f4-AA56-487939A70DEF}\stubpath = "C:\\Windows\\{B938C68D-5C6E-49f4-AA56-487939A70DEF}.exe"	{1C937963-0CC7-41b9-9936-B155EF59D073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6825A39-3F10-4dc2-913F-EA01CEF280E5}	{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}	{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}	{1E71EFFA-203C-466b-9521-49F443371950}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}\stubpath = "C:\\Windows\\{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe"	{1E71EFFA-203C-466b-9521-49F443371950}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53297F86-D616-48c0-820D-594286E9F2A5}\stubpath = "C:\\Windows\\{53297F86-D616-48c0-820D-594286E9F2A5}.exe"	{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B938C68D-5C6E-49f4-AA56-487939A70DEF}	{1C937963-0CC7-41b9-9936-B155EF59D073}.exe

Executes dropped EXE 12 IoCs

pid	Process
4980	{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe
5112	{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe
436	{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe
232	{1E71EFFA-203C-466b-9521-49F443371950}.exe
3420	{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe
1056	{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe
4300	{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe
400	{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe
1212	{53297F86-D616-48c0-820D-594286E9F2A5}.exe
2960	{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}.exe
3900	{1C937963-0CC7-41b9-9936-B155EF59D073}.exe
4172	{B938C68D-5C6E-49f4-AA56-487939A70DEF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe
File created	C:\Windows\{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe	{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe
File created	C:\Windows\{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe	{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe
File created	C:\Windows\{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe	{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe
File created	C:\Windows\{B938C68D-5C6E-49f4-AA56-487939A70DEF}.exe	{1C937963-0CC7-41b9-9936-B155EF59D073}.exe
File created	C:\Windows\{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe	{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe
File created	C:\Windows\{1E71EFFA-203C-466b-9521-49F443371950}.exe	{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe
File created	C:\Windows\{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe	{1E71EFFA-203C-466b-9521-49F443371950}.exe
File created	C:\Windows\{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe	{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe
File created	C:\Windows\{53297F86-D616-48c0-820D-594286E9F2A5}.exe	{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe
File created	C:\Windows\{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}.exe	{53297F86-D616-48c0-820D-594286E9F2A5}.exe
File created	C:\Windows\{1C937963-0CC7-41b9-9936-B155EF59D073}.exe	{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1804	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4980	{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe
Token: SeIncBasePriorityPrivilege	5112	{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe
Token: SeIncBasePriorityPrivilege	436	{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe
Token: SeIncBasePriorityPrivilege	232	{1E71EFFA-203C-466b-9521-49F443371950}.exe
Token: SeIncBasePriorityPrivilege	3420	{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe
Token: SeIncBasePriorityPrivilege	1056	{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe
Token: SeIncBasePriorityPrivilege	4300	{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe
Token: SeIncBasePriorityPrivilege	400	{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe
Token: SeIncBasePriorityPrivilege	1212	{53297F86-D616-48c0-820D-594286E9F2A5}.exe
Token: SeIncBasePriorityPrivilege	2960	{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}.exe
Token: SeIncBasePriorityPrivilege	3900	{1C937963-0CC7-41b9-9936-B155EF59D073}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 4980	1804	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe	92
PID 1804 wrote to memory of 4980	1804	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe	92
PID 1804 wrote to memory of 4980	1804	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe	92
PID 1804 wrote to memory of 3568	1804	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe	93
PID 1804 wrote to memory of 3568	1804	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe	93
PID 1804 wrote to memory of 3568	1804	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe	93
PID 4980 wrote to memory of 5112	4980	{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe	98
PID 4980 wrote to memory of 5112	4980	{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe	98
PID 4980 wrote to memory of 5112	4980	{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe	98
PID 4980 wrote to memory of 3120	4980	{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe	99
PID 4980 wrote to memory of 3120	4980	{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe	99
PID 4980 wrote to memory of 3120	4980	{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe	99
PID 5112 wrote to memory of 436	5112	{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe	100
PID 5112 wrote to memory of 436	5112	{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe	100
PID 5112 wrote to memory of 436	5112	{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe	100
PID 5112 wrote to memory of 4524	5112	{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe	101
PID 5112 wrote to memory of 4524	5112	{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe	101
PID 5112 wrote to memory of 4524	5112	{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe	101
PID 436 wrote to memory of 232	436	{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe	102
PID 436 wrote to memory of 232	436	{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe	102
PID 436 wrote to memory of 232	436	{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe	102
PID 436 wrote to memory of 4604	436	{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe	103
PID 436 wrote to memory of 4604	436	{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe	103
PID 436 wrote to memory of 4604	436	{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe	103
PID 232 wrote to memory of 3420	232	{1E71EFFA-203C-466b-9521-49F443371950}.exe	104
PID 232 wrote to memory of 3420	232	{1E71EFFA-203C-466b-9521-49F443371950}.exe	104
PID 232 wrote to memory of 3420	232	{1E71EFFA-203C-466b-9521-49F443371950}.exe	104
PID 232 wrote to memory of 684	232	{1E71EFFA-203C-466b-9521-49F443371950}.exe	105
PID 232 wrote to memory of 684	232	{1E71EFFA-203C-466b-9521-49F443371950}.exe	105
PID 232 wrote to memory of 684	232	{1E71EFFA-203C-466b-9521-49F443371950}.exe	105
PID 3420 wrote to memory of 1056	3420	{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe	106
PID 3420 wrote to memory of 1056	3420	{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe	106
PID 3420 wrote to memory of 1056	3420	{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe	106
PID 3420 wrote to memory of 4592	3420	{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe	107
PID 3420 wrote to memory of 4592	3420	{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe	107
PID 3420 wrote to memory of 4592	3420	{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe	107
PID 1056 wrote to memory of 4300	1056	{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe	108
PID 1056 wrote to memory of 4300	1056	{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe	108
PID 1056 wrote to memory of 4300	1056	{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe	108
PID 1056 wrote to memory of 4044	1056	{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe	109
PID 1056 wrote to memory of 4044	1056	{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe	109
PID 1056 wrote to memory of 4044	1056	{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe	109
PID 4300 wrote to memory of 400	4300	{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe	110
PID 4300 wrote to memory of 400	4300	{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe	110
PID 4300 wrote to memory of 400	4300	{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe	110
PID 4300 wrote to memory of 2996	4300	{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe	111
PID 4300 wrote to memory of 2996	4300	{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe	111
PID 4300 wrote to memory of 2996	4300	{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe	111
PID 400 wrote to memory of 1212	400	{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe	112
PID 400 wrote to memory of 1212	400	{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe	112
PID 400 wrote to memory of 1212	400	{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe	112
PID 400 wrote to memory of 652	400	{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe	113
PID 400 wrote to memory of 652	400	{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe	113
PID 400 wrote to memory of 652	400	{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe	113
PID 1212 wrote to memory of 2960	1212	{53297F86-D616-48c0-820D-594286E9F2A5}.exe	114
PID 1212 wrote to memory of 2960	1212	{53297F86-D616-48c0-820D-594286E9F2A5}.exe	114
PID 1212 wrote to memory of 2960	1212	{53297F86-D616-48c0-820D-594286E9F2A5}.exe	114
PID 1212 wrote to memory of 3668	1212	{53297F86-D616-48c0-820D-594286E9F2A5}.exe	115
PID 1212 wrote to memory of 3668	1212	{53297F86-D616-48c0-820D-594286E9F2A5}.exe	115
PID 1212 wrote to memory of 3668	1212	{53297F86-D616-48c0-820D-594286E9F2A5}.exe	115
PID 2960 wrote to memory of 3900	2960	{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}.exe	116
PID 2960 wrote to memory of 3900	2960	{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}.exe	116
PID 2960 wrote to memory of 3900	2960	{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}.exe	116
PID 2960 wrote to memory of 4980	2960	{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe
  C:\Windows\{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe
    C:\Windows\{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe
      C:\Windows\{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Windows\{1E71EFFA-203C-466b-9521-49F443371950}.exe
        
        C:\Windows\{1E71EFFA-203C-466b-9521-49F443371950}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:232
      - C:\Windows\{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe
        
        C:\Windows\{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe
        
        C:\Windows\{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe
        
        C:\Windows\{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe
        
        C:\Windows\{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\{53297F86-D616-48c0-820D-594286E9F2A5}.exe
        
        C:\Windows\{53297F86-D616-48c0-820D-594286E9F2A5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}.exe
        
        C:\Windows\{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{1C937963-0CC7-41b9-9936-B155EF59D073}.exe
        
        C:\Windows\{1C937963-0CC7-41b9-9936-B155EF59D073}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
        
        C:\Windows\{B938C68D-5C6E-49f4-AA56-487939A70DEF}.exe
        
        C:\Windows\{B938C68D-5C6E-49f4-AA56-487939A70DEF}.exe
        13⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C937~1.EXE > nul
        13⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEEAC~1.EXE > nul
        12⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53297~1.EXE > nul
        11⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A503F~1.EXE > nul
        10⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9F94~1.EXE > nul
        9⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2C72~1.EXE > nul
        8⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0762B~1.EXE > nul
        7⤵
        
        PID:4592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E71E~1.EXE > nul
        6⤵
        
        PID:684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C30F1~1.EXE > nul
        5⤵
        
        PID:4604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A6825~1.EXE > nul
      4⤵
      PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{16757~1.EXE > nul
    3⤵
    PID:3120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0762B7FE-3229-4d9a-98AC-6736BE4C24CE}.exe

Filesize
168KB

MD5
01c7f0435d5207a387d7462e29a65993

SHA1
11fc6fbc42a23ac0e60340d3a12cc7ecb9f776ed

SHA256
f26650aba5d693ebfe76eaea01f19efbfebfdb3704b3770b8d8b198718b48c21

SHA512
11f625d44d869eff2e69e849fda5def19b5fa5ec0ebc6dc422e137789385209cba6bacb824eb70a61b983a77f8bcc621efc399016f10289720ca76943d53b24b

Download Submit
C:\Windows\{16757A09-B971-425a-AEB1-5F6C8CC4B5E5}.exe

Filesize
168KB

MD5
3677e80ba03d4f38271b27fb1e32cec4

SHA1
cbffbf2f32b626e968ffc66b18087f512f0cd999

SHA256
0a9045300a1573a2e5fe3fa8b87300cb2dede525a40f6dc639f8c64bd6f80fb1

SHA512
ad276da80840f8dd96d1c41f3018827ca160122136e02821a2e05b3bbd22fdcc79af9b551c088dba12f3c1468733102ef2ea3e5e80f9b902b630d6f4d4efc5c1

Download Submit
C:\Windows\{1C937963-0CC7-41b9-9936-B155EF59D073}.exe

Filesize
168KB

MD5
e7e3c301d32aa6ce18bb5eb227d1b62c

SHA1
bc0697ff135f27b74661fed75383f8420b646e46

SHA256
147fbb395fa85aff016bc57623de8a58de02e4a20059b30411f64d6bd83410d9

SHA512
c77e8d3f0487c2b539488f152e13088d4912d15bca5eefd25dab46af22e536c64c5b97ccb784944937dba09d12ad0ac554321928c6ad4b20a80a4ff5adc79f9c

Download Submit
C:\Windows\{1E71EFFA-203C-466b-9521-49F443371950}.exe

Filesize
168KB

MD5
7f2e7759e7d5ba832404f4c74ad8522d

SHA1
803e7cbd3d2484762cc892f55fd6acb9ca213c2f

SHA256
b3add1de4baa6b1912087e7495fd100def25007669da672c2d4ab37d69eaa7dc

SHA512
1c5d763294b68050728dc3e565a7a07c244fca85d5b720fd815e11dde0a6b711e856df5fee01e4c601c1914d7b075ac7e915bd700ca95a2647ca11ccf232ab17

Download Submit
C:\Windows\{53297F86-D616-48c0-820D-594286E9F2A5}.exe

Filesize
168KB

MD5
03ea2b7e2cf9828d040eb60f4f9f6555

SHA1
21d14562595dc611f4971f308a65aeb01479e6fd

SHA256
6fa711672310dd0093c01681af2cbd2e0489a4fce14894dc3c488259cd24d18d

SHA512
0321835b9f58a76980f2a3ce227864fa0559619fc7f604b06fce747081af19451a98059856a68ed669b9900eaf1b604d906e5052a1a94580e412b636ed1076c2

Download Submit
C:\Windows\{A503F7B4-3026-46cb-9157-5B2798BD9B4B}.exe

Filesize
168KB

MD5
1c4809b5d983d31e45aa29fdc41fb3ac

SHA1
0fd052927902b5ce6734f0e20874104d9c9ab248

SHA256
9329d8b4e6e35b888ae07c242f517400302996640f9bfde09bc9ef046be84238

SHA512
d6ef6829090dd90795a059239669f4e46d4f70445f5214c6ecd65b6590eab51d6155fd71a9281b5b6317b78e799fe57426a4300cfbd9cf08c34280327e942b60

Download Submit
C:\Windows\{A6825A39-3F10-4dc2-913F-EA01CEF280E5}.exe

Filesize
168KB

MD5
653693315ee1116ee826c33a1461b414

SHA1
ec01ed42de2ae9e856785d2f79fbc9f07586a705

SHA256
289265b6f206e9a7092791e67530df8ac32959541d37618f934d1afca3a213d6

SHA512
85f27c41d1c8c30f37ed4d6e34f1d9ad723179275eb13d207697f2076a0d834fc93e020468fb27d2c6bb982b21f5d1acb8137b513f02d8f810986921ab06e914

Download Submit
C:\Windows\{B938C68D-5C6E-49f4-AA56-487939A70DEF}.exe

Filesize
168KB

MD5
eccdf89c0f2c25d6ee1d709eb406e57d

SHA1
246eee6142a43b35270cf4287e8fa37ba543d42a

SHA256
a5a314d551ed71726bd18f97fff8adeeed77b2dbf800c0e51eac864d2879800b

SHA512
43eff0d35bca8e06b902b4c73e2f24825dab4bc1b5ae85c25a8adfd47eb015fe4d3bf499b5c6cdcc3327fbb606866f3ee8daf5ce8b8ca4ba504ad5a8d68adf67

Download Submit
C:\Windows\{C2C72589-23C6-4d9d-A74A-8C5E183DE7C0}.exe

Filesize
168KB

MD5
81ec72644a1f642812a6e059df5fbeae

SHA1
b74f37d40209c7e724cc082e720c4e1b19146b92

SHA256
1e9e03932886ead8a4a3e14886d9759a57e8d90ee1b9986fd37bbdd772cc27a2

SHA512
6fdc7f59ddd0a5dfbbcf39efe31b6ad411c750bef656ce70616edbc2b020c42dea2bce57aa5bb848c426773c60e15da60e88bb6b311f637795e461180ffe1851

Download Submit
C:\Windows\{C30F17F1-5EBE-4a1d-83AC-2C8E495DC21A}.exe

Filesize
168KB

MD5
1b8b19950b20ed0cc3656debb6d37010

SHA1
394e9dd6a58f8d217a8801912bfa0dfdfeb648b0

SHA256
04f881e084ffde8f87b38e83d0483a5cf8681b26b272a6ebbb74c305778fd6b2

SHA512
357fef48624ea41d8b344707dd938d4af40a934c21d17b1f53963f3f38da1d1f319c94ee7fecea22abbfea88b94acd965afdf6920c7a1e6db416d0e2bc37ab34

Download Submit
C:\Windows\{F9F9450B-B4D0-4871-BFCC-2ADFF404EEE7}.exe

Filesize
168KB

MD5
dd6348a3097d18eaebdcd790e8dd328f

SHA1
b5f1d66dbdd7dbe1ffd995e34266681c76cff249

SHA256
21f4c5cec4895ada0e48cab9e957c7a3ea55f907ff479618ca58f3d73895131a

SHA512
410ee79fef604cdc60da249989a95a3f9fd55867952d50d1ba9aed9cc00a0da0cab012858ca9aa2932fe448b90b4039316b8e8d5b346b912380f61b3b8a2a7f3

Download Submit
C:\Windows\{FEEACE8A-50C2-42ff-AA1E-833FD9AF9DCB}.exe

Filesize
168KB

MD5
7cbb6bc0266ffc83d42bc8592db76e81

SHA1
6975b863ae932d84af390002201d74a1a5489e24

SHA256
0218755e155941972b9f7651b5707a295fde0668e00e4fc8319bd3288a5b6aff

SHA512
4721df95e793407fff5e57d116d5bb6faa5e91962a5ba03674f352fc791ee96f64e47cfb04cbdde8178d831a9be7a789637790e539bcd69f86474c48136c7a7f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads