d69e18a05677e51d9ffcdce6b18f64cca9f3ca9c6a9e914aa7215fd51fef7408

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 19:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_f5e76c1cf2c795f7192c0c5bdac890e7_goldeneye.exe
Size

180KB
MD5

f5e76c1cf2c795f7192c0c5bdac890e7
SHA1

dce884a55e53233be4ab0be2d8bb4e20ba2e8a0a
SHA256

d69e18a05677e51d9ffcdce6b18f64cca9f3ca9c6a9e914aa7215fd51fef7408
SHA512

458bdaed32f32a7f33ee5d72d19f4270cf20508a4ef6a0eb5720ca2106ab83a13e6514fa1a354ecd86b5829e6cd466a6eb76e8f385cb5216f71ec9d27db389d8
SSDEEP

3072:jEGh0otlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGLl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023210-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023215-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023215-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021524-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021526-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000021524-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000037-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000037-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000733-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C4A7CC7-AF2B-4c7c-AF71-95DE26F259CE}	{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C4A7CC7-AF2B-4c7c-AF71-95DE26F259CE}\stubpath = "C:\\Windows\\{6C4A7CC7-AF2B-4c7c-AF71-95DE26F259CE}.exe"	{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}\stubpath = "C:\\Windows\\{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe"	2024-04-10_f5e76c1cf2c795f7192c0c5bdac890e7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C5B77C5-012A-4365-AF9B-FF364994EBAD}\stubpath = "C:\\Windows\\{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe"	{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}	{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93704FBB-3258-46f3-9BB6-BB4058BB30AE}\stubpath = "C:\\Windows\\{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe"	{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}\stubpath = "C:\\Windows\\{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe"	{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93704FBB-3258-46f3-9BB6-BB4058BB30AE}	{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}\stubpath = "C:\\Windows\\{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}.exe"	{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}	{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C5B77C5-012A-4365-AF9B-FF364994EBAD}	{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}\stubpath = "C:\\Windows\\{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe"	{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}\stubpath = "C:\\Windows\\{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe"	{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}	{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4DC12E9-6546-46ad-8F5A-426A83206D8A}	{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4DC12E9-6546-46ad-8F5A-426A83206D8A}\stubpath = "C:\\Windows\\{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe"	{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}	{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}	2024-04-10_f5e76c1cf2c795f7192c0c5bdac890e7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}	{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}\stubpath = "C:\\Windows\\{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe"	{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}	{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0C404FD-FC56-443f-BB84-E5A75E6A36CD}	{6C4A7CC7-AF2B-4c7c-AF71-95DE26F259CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}\stubpath = "C:\\Windows\\{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe"	{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0C404FD-FC56-443f-BB84-E5A75E6A36CD}\stubpath = "C:\\Windows\\{D0C404FD-FC56-443f-BB84-E5A75E6A36CD}.exe"	{6C4A7CC7-AF2B-4c7c-AF71-95DE26F259CE}.exe

Executes dropped EXE 12 IoCs

pid	Process
1848	{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe
4608	{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe
1200	{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe
1588	{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe
1720	{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe
4064	{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe
5080	{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe
4144	{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe
3668	{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe
5088	{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}.exe
4652	{6C4A7CC7-AF2B-4c7c-AF71-95DE26F259CE}.exe
1784	{D0C404FD-FC56-443f-BB84-E5A75E6A36CD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6C4A7CC7-AF2B-4c7c-AF71-95DE26F259CE}.exe	{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}.exe
File created	C:\Windows\{D0C404FD-FC56-443f-BB84-E5A75E6A36CD}.exe	{6C4A7CC7-AF2B-4c7c-AF71-95DE26F259CE}.exe
File created	C:\Windows\{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe	{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe
File created	C:\Windows\{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe	{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe
File created	C:\Windows\{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe	{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe
File created	C:\Windows\{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe	{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe
File created	C:\Windows\{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe	{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe
File created	C:\Windows\{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe	2024-04-10_f5e76c1cf2c795f7192c0c5bdac890e7_goldeneye.exe
File created	C:\Windows\{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe	{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe
File created	C:\Windows\{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe	{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe
File created	C:\Windows\{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe	{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe
File created	C:\Windows\{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}.exe	{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1732	2024-04-10_f5e76c1cf2c795f7192c0c5bdac890e7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1848	{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe
Token: SeIncBasePriorityPrivilege	4608	{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe
Token: SeIncBasePriorityPrivilege	1200	{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe
Token: SeIncBasePriorityPrivilege	1588	{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe
Token: SeIncBasePriorityPrivilege	1720	{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe
Token: SeIncBasePriorityPrivilege	4064	{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe
Token: SeIncBasePriorityPrivilege	5080	{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe
Token: SeIncBasePriorityPrivilege	4144	{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe
Token: SeIncBasePriorityPrivilege	3668	{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe
Token: SeIncBasePriorityPrivilege	5088	{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}.exe
Token: SeIncBasePriorityPrivilege	4652	{6C4A7CC7-AF2B-4c7c-AF71-95DE26F259CE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1848	1732	2024-04-10_f5e76c1cf2c795f7192c0c5bdac890e7_goldeneye.exe	91
PID 1732 wrote to memory of 1848	1732	2024-04-10_f5e76c1cf2c795f7192c0c5bdac890e7_goldeneye.exe	91
PID 1732 wrote to memory of 1848	1732	2024-04-10_f5e76c1cf2c795f7192c0c5bdac890e7_goldeneye.exe	91
PID 1732 wrote to memory of 5012	1732	2024-04-10_f5e76c1cf2c795f7192c0c5bdac890e7_goldeneye.exe	92
PID 1732 wrote to memory of 5012	1732	2024-04-10_f5e76c1cf2c795f7192c0c5bdac890e7_goldeneye.exe	92
PID 1732 wrote to memory of 5012	1732	2024-04-10_f5e76c1cf2c795f7192c0c5bdac890e7_goldeneye.exe	92
PID 1848 wrote to memory of 4608	1848	{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe	93
PID 1848 wrote to memory of 4608	1848	{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe	93
PID 1848 wrote to memory of 4608	1848	{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe	93
PID 1848 wrote to memory of 3264	1848	{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe	94
PID 1848 wrote to memory of 3264	1848	{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe	94
PID 1848 wrote to memory of 3264	1848	{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe	94
PID 4608 wrote to memory of 1200	4608	{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe	96
PID 4608 wrote to memory of 1200	4608	{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe	96
PID 4608 wrote to memory of 1200	4608	{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe	96
PID 4608 wrote to memory of 1808	4608	{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe	97
PID 4608 wrote to memory of 1808	4608	{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe	97
PID 4608 wrote to memory of 1808	4608	{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe	97
PID 1200 wrote to memory of 1588	1200	{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe	98
PID 1200 wrote to memory of 1588	1200	{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe	98
PID 1200 wrote to memory of 1588	1200	{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe	98
PID 1200 wrote to memory of 4540	1200	{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe	99
PID 1200 wrote to memory of 4540	1200	{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe	99
PID 1200 wrote to memory of 4540	1200	{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe	99
PID 1588 wrote to memory of 1720	1588	{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe	100
PID 1588 wrote to memory of 1720	1588	{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe	100
PID 1588 wrote to memory of 1720	1588	{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe	100
PID 1588 wrote to memory of 2156	1588	{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe	101
PID 1588 wrote to memory of 2156	1588	{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe	101
PID 1588 wrote to memory of 2156	1588	{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe	101
PID 1720 wrote to memory of 4064	1720	{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe	102
PID 1720 wrote to memory of 4064	1720	{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe	102
PID 1720 wrote to memory of 4064	1720	{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe	102
PID 1720 wrote to memory of 1344	1720	{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe	103
PID 1720 wrote to memory of 1344	1720	{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe	103
PID 1720 wrote to memory of 1344	1720	{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe	103
PID 4064 wrote to memory of 5080	4064	{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe	104
PID 4064 wrote to memory of 5080	4064	{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe	104
PID 4064 wrote to memory of 5080	4064	{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe	104
PID 4064 wrote to memory of 1504	4064	{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe	105
PID 4064 wrote to memory of 1504	4064	{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe	105
PID 4064 wrote to memory of 1504	4064	{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe	105
PID 5080 wrote to memory of 4144	5080	{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe	106
PID 5080 wrote to memory of 4144	5080	{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe	106
PID 5080 wrote to memory of 4144	5080	{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe	106
PID 5080 wrote to memory of 2072	5080	{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe	107
PID 5080 wrote to memory of 2072	5080	{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe	107
PID 5080 wrote to memory of 2072	5080	{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe	107
PID 4144 wrote to memory of 3668	4144	{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe	108
PID 4144 wrote to memory of 3668	4144	{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe	108
PID 4144 wrote to memory of 3668	4144	{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe	108
PID 4144 wrote to memory of 3084	4144	{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe	109
PID 4144 wrote to memory of 3084	4144	{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe	109
PID 4144 wrote to memory of 3084	4144	{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe	109
PID 3668 wrote to memory of 5088	3668	{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe	110
PID 3668 wrote to memory of 5088	3668	{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe	110
PID 3668 wrote to memory of 5088	3668	{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe	110
PID 3668 wrote to memory of 2616	3668	{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe	111
PID 3668 wrote to memory of 2616	3668	{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe	111
PID 3668 wrote to memory of 2616	3668	{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe	111
PID 5088 wrote to memory of 4652	5088	{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}.exe	112
PID 5088 wrote to memory of 4652	5088	{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}.exe	112
PID 5088 wrote to memory of 4652	5088	{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}.exe	112
PID 5088 wrote to memory of 4676	5088	{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-04-10_f5e76c1cf2c795f7192c0c5bdac890e7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_f5e76c1cf2c795f7192c0c5bdac890e7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe
  C:\Windows\{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe
    C:\Windows\{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe
      C:\Windows\{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1200
    - - C:\Windows\{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe
        
        C:\Windows\{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Windows\{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe
        
        C:\Windows\{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe
        
        C:\Windows\{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe
        
        C:\Windows\{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe
        
        C:\Windows\{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe
        
        C:\Windows\{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}.exe
        
        C:\Windows\{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\{6C4A7CC7-AF2B-4c7c-AF71-95DE26F259CE}.exe
        
        C:\Windows\{6C4A7CC7-AF2B-4c7c-AF71-95DE26F259CE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\{D0C404FD-FC56-443f-BB84-E5A75E6A36CD}.exe
        
        C:\Windows\{D0C404FD-FC56-443f-BB84-E5A75E6A36CD}.exe
        13⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C4A7~1.EXE > nul
        13⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7048A~1.EXE > nul
        12⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93704~1.EXE > nul
        11⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4DC1~1.EXE > nul
        10⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77CCD~1.EXE > nul
        9⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F7F7~1.EXE > nul
        8⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31A35~1.EXE > nul
        7⤵
        
        PID:1344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C5B7~1.EXE > nul
        6⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0734C~1.EXE > nul
        5⤵
        
        PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5EAF9~1.EXE > nul
      4⤵
      PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A2ACF~1.EXE > nul
    3⤵
    PID:3264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0734CD9D-20D1-4621-B71D-2FAE31D7D68C}.exe

Filesize
180KB

MD5
e3cd1ae766c8fde371356eddbe93af56

SHA1
8decb9eee4c2367897ef1a50da154a2b801ead8a

SHA256
bc0f030d52d7a977ae3f6a588508f6bff0a9c2778cb3435a07fed726d2ec3437

SHA512
a8c311b3ff929affad3640f94c9404002ed891ffaf97e20fd85a2d7043bf45dbe3cba6affe4c4881b9f8a41eaa4fed7d23289dc4a5ed4893741a8f319d50c91e

Download Submit
C:\Windows\{2F7F739A-306E-4d8f-9272-F4F28BDEA7DE}.exe

Filesize
180KB

MD5
66bf9bc710a913ea68d31248010ea17d

SHA1
5dc2408d2417a992c16b63aa21cdb16133457904

SHA256
9beee52a65ad11c1a7fcaa735512b7ae2651be10edd5d0cfd93438ec2a165dc2

SHA512
d8fd09619b93570a48fa534d37a9c79c772a983c2267d7e495d53ddab8f4206523cfe3e0439ecf8467fc21ad6e7d9e24646f33efa4399bfc6e1c88dad877a4c1

Download Submit
C:\Windows\{31A3588B-88BB-4c72-9B1E-8B7769B06BF5}.exe

Filesize
180KB

MD5
4efd71e4968a2898160e0789627db4f1

SHA1
3632b60e0fa480d662e0d504347bafe16972caaf

SHA256
eca3dfb85dda51abb6687827814da7adaa4b81cd77961eaecf9cccbf4e4872dc

SHA512
70962a7e3fb9d3991b9a78c389c595a046859c0eb1848c399d3d4ff5c34b48c16de57dcf0cb39e655df5bef6f523a8e606574987b9e9d5fbf51926021447717d

Download Submit
C:\Windows\{5EAF93FF-7E84-4771-8A55-E7C30B326B4D}.exe

Filesize
180KB

MD5
626cf3f31d0fc4a00f15b33de9c79cf2

SHA1
f05a70a651a57ba987ec3e7e00b95b824851792f

SHA256
13553e891cf2b85b08b3f1acbac3ddf007f8b2e88b2f3e4e7e20f53d2b47fa63

SHA512
dcd1b8c59d94686ea25687e5a04caec84787564d775cdeff38e6014ce974fcf056ba36692e258c6d6119a0ff6043b33cce8bcc96eeda763c1dede8a776a46fee

Download Submit
C:\Windows\{6C4A7CC7-AF2B-4c7c-AF71-95DE26F259CE}.exe

Filesize
180KB

MD5
550fd42ea67806b1cffa1a368697093c

SHA1
80d84f29f204898f1ce0f0909009739be409c6f0

SHA256
393c7ea3db3281b6d2fff4d7773f61edf20efab9ecc72071a11310ab3b1bd9ac

SHA512
c157275f6157c4f57f757d7b6f198b816d2a9b8bf02cd0492b9ddd14b467a170d55b446ff7bf693b9942ec981df37ebb8ff7c660436079133af6a2a071c41f53

Download Submit
C:\Windows\{6C5B77C5-012A-4365-AF9B-FF364994EBAD}.exe

Filesize
180KB

MD5
787f82287b0631942ac876b86341c795

SHA1
15457c359ddd02879a5302b5cb9ad8be3b6c88e5

SHA256
cb8f5f6c380adb173c0ee38c3b7cb8af0d7714cd160fcc7cf9947cb67a1d3f94

SHA512
c1ec09734e86d7581553a520b0c84964482aed5f156c05b9a26abae8374f3a4133e0d86ed70138d0652e7bd9a2155473ec1c14983e6df95090a026a2584277b3

Download Submit
C:\Windows\{7048A3FD-D0BC-4399-9EF6-E7EFA85B28A2}.exe

Filesize
180KB

MD5
22ebef322e986a66480a65107cfbf487

SHA1
2f95563857da1cd3922a076692596480eaa2ef59

SHA256
d75e1f700c0322d03e05695efbbc3ec190d7936913793305241475e6ead63cdb

SHA512
b00c6d07ffe86b2b33a48ab5244801eb026c9376a7405edafd900ce567687946a2bb31f050e927b2b8d9a9d90daefb938e9f674d232c42e303d3ae606e1f6856

Download Submit
C:\Windows\{77CCD579-B64E-4f66-9346-BEEC36AB0EB3}.exe

Filesize
180KB

MD5
e26b7008d07d808f6aabd7ad122dabca

SHA1
c603a0908a090b15d50cb308a194089707aa07bd

SHA256
6238770d5c2d2d4945c9e2604b046f8231c3580fec26997af6665a06c77bf733

SHA512
ee73002fbc9faeffbeb3216e442a22c7798c725f00589dc0608a6b41dde02a038569a767c2ced30d569e1716605ef5b98506f195604688a6c0300af7c93b45ba

Download Submit
C:\Windows\{93704FBB-3258-46f3-9BB6-BB4058BB30AE}.exe

Filesize
180KB

MD5
ffadb00dcbca98e0ea1b6fca0afe3af7

SHA1
bf141ef33047b9faca71f7d715d23caf9cdd63e0

SHA256
ef3c92ca3bf7cb47091b9a3b0d3aa1bb1925c71893dca3dc0906f0d8d749b20e

SHA512
e8e0bb366642ad2b580ab4391e9f2c4937bcfd345d9eda411ec9e09d9953d1b9709eee5b54bdf4a4290e2ec74bd0d1e642a92bd9153bc408a488376843daaf32

Download Submit
C:\Windows\{A2ACF3E6-8B43-4ec4-9D14-8A420D91C117}.exe

Filesize
180KB

MD5
7b22c831cc61661907cfd88489e7951d

SHA1
ae4d679672be592054125de272f82e6e49292873

SHA256
9a40a0947074e70845ed89ce939d53ce3cf5045285932c2b3ad397187b7b0378

SHA512
02bb1ae7d3a8a636b11235722d625e978adb1db3bbbabdca5067fed89fa971228b4cf252681c73bc0a94d9f54b40635589a2f265bd05fcfbe0484d2256b87f02

Download Submit
C:\Windows\{B4DC12E9-6546-46ad-8F5A-426A83206D8A}.exe

Filesize
180KB

MD5
9fe2e39cb9940066e23d0563d24e0ee1

SHA1
811f71a94d151314f799c4b7e5b0be88b38d25d0

SHA256
b2a4946db52ec2259cf2f75db8267b177de2014727936b4db656dd687686467b

SHA512
461ec64f355ce9ccfba5e94eafff66ca5f1254afda3606bcb9749a59a6af96c698c6f8614e3c09af35c79d3ce99604c3fc6a2e8defdd8a6dce203b5ab4e97a93

Download Submit
C:\Windows\{D0C404FD-FC56-443f-BB84-E5A75E6A36CD}.exe

Filesize
180KB

MD5
d5c6ec5cf658c448bdaafeb85299b6ef

SHA1
bd085260f328b8889de10deb2d73dd102ee08d9f

SHA256
0bcf2684d5bcb0c466a044dcb4d8e1ebf42bbcb9e9670b06eda1545087357073

SHA512
19d30d8f0e342eddc4db040bea29b1efa1183d9a2c96112c78dcf7fa93e195ddc16a19146e0a4c8b4fa3af16e011c2179cb3b4e4a0aad275072e1b5861e1d1f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads