0709c233e528bc86cf24aecd8194f0869270d8c530b391b215aa57862c0f8d3d

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe
Size

216KB
MD5

8e2597679e8f0bafd6c6cf97628753a4
SHA1

e2fd0db230962e6890b8cae9b16e5f0c5744156b
SHA256

0709c233e528bc86cf24aecd8194f0869270d8c530b391b215aa57862c0f8d3d
SHA512

16e248ad8a4dc62e25ea9f16bc2b9de725bc4b440de5cb65121522258271702f58436db11394cd72d3dcab40bd7ff5273e26ae8b3494a4d1b1b499d9a1be2614
SSDEEP

3072:jEGh0o0Zl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGOlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023209-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002320e-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023215-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002320e-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfa-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfb-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021cfa-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}\stubpath = "C:\\Windows\\{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe"	{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}	{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}	{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18E0B531-A85C-4198-B65C-7B526E47D4D6}	{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18E0B531-A85C-4198-B65C-7B526E47D4D6}\stubpath = "C:\\Windows\\{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe"	{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A613F92-C409-41b3-9590-971BCEC8BE28}\stubpath = "C:\\Windows\\{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe"	{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27F82718-7E41-4fcd-8C92-B4B448A51076}	{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}	{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}\stubpath = "C:\\Windows\\{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe"	{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BE13793-F2F5-45c5-8B14-85416D09A1F4}	{FB1E1340-5733-4e70-B7E7-DA958D4F51D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A613F92-C409-41b3-9590-971BCEC8BE28}	{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AC4FCA3-B678-4377-B33B-F86F10E6674B}	{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AC4FCA3-B678-4377-B33B-F86F10E6674B}\stubpath = "C:\\Windows\\{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe"	{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7941B7DE-98A3-4040-859C-4DD64E3EE82E}\stubpath = "C:\\Windows\\{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe"	{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}\stubpath = "C:\\Windows\\{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}.exe"	{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB1E1340-5733-4e70-B7E7-DA958D4F51D3}\stubpath = "C:\\Windows\\{FB1E1340-5733-4e70-B7E7-DA958D4F51D3}.exe"	{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB1E1340-5733-4e70-B7E7-DA958D4F51D3}	{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BE13793-F2F5-45c5-8B14-85416D09A1F4}\stubpath = "C:\\Windows\\{2BE13793-F2F5-45c5-8B14-85416D09A1F4}.exe"	{FB1E1340-5733-4e70-B7E7-DA958D4F51D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{215EB436-E756-49ad-8434-CEDFDEF5AA11}	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{215EB436-E756-49ad-8434-CEDFDEF5AA11}\stubpath = "C:\\Windows\\{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe"	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27F82718-7E41-4fcd-8C92-B4B448A51076}\stubpath = "C:\\Windows\\{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe"	{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}\stubpath = "C:\\Windows\\{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe"	{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7941B7DE-98A3-4040-859C-4DD64E3EE82E}	{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}	{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4140	{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe
3160	{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe
3396	{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe
2800	{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe
1656	{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe
4532	{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe
1484	{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe
2840	{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe
2428	{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe
2992	{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}.exe
4404	{FB1E1340-5733-4e70-B7E7-DA958D4F51D3}.exe
2644	{2BE13793-F2F5-45c5-8B14-85416D09A1F4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe	{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe
File created	C:\Windows\{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe	{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe
File created	C:\Windows\{2BE13793-F2F5-45c5-8B14-85416D09A1F4}.exe	{FB1E1340-5733-4e70-B7E7-DA958D4F51D3}.exe
File created	C:\Windows\{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe	{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe
File created	C:\Windows\{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe	{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe
File created	C:\Windows\{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe	{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe
File created	C:\Windows\{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe	{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe
File created	C:\Windows\{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe	{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe
File created	C:\Windows\{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}.exe	{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe
File created	C:\Windows\{FB1E1340-5733-4e70-B7E7-DA958D4F51D3}.exe	{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}.exe
File created	C:\Windows\{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe
File created	C:\Windows\{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe	{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4140	{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe
Token: SeIncBasePriorityPrivilege	3160	{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe
Token: SeIncBasePriorityPrivilege	3396	{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe
Token: SeIncBasePriorityPrivilege	2800	{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe
Token: SeIncBasePriorityPrivilege	1656	{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe
Token: SeIncBasePriorityPrivilege	4532	{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe
Token: SeIncBasePriorityPrivilege	1484	{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe
Token: SeIncBasePriorityPrivilege	2840	{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe
Token: SeIncBasePriorityPrivilege	2428	{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe
Token: SeIncBasePriorityPrivilege	2992	{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}.exe
Token: SeIncBasePriorityPrivilege	4404	{FB1E1340-5733-4e70-B7E7-DA958D4F51D3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 4140	4172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe	90
PID 4172 wrote to memory of 4140	4172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe	90
PID 4172 wrote to memory of 4140	4172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe	90
PID 4172 wrote to memory of 4792	4172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe	91
PID 4172 wrote to memory of 4792	4172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe	91
PID 4172 wrote to memory of 4792	4172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe	91
PID 4140 wrote to memory of 3160	4140	{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe	92
PID 4140 wrote to memory of 3160	4140	{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe	92
PID 4140 wrote to memory of 3160	4140	{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe	92
PID 4140 wrote to memory of 4328	4140	{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe	93
PID 4140 wrote to memory of 4328	4140	{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe	93
PID 4140 wrote to memory of 4328	4140	{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe	93
PID 3160 wrote to memory of 3396	3160	{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe	95
PID 3160 wrote to memory of 3396	3160	{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe	95
PID 3160 wrote to memory of 3396	3160	{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe	95
PID 3160 wrote to memory of 2524	3160	{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe	96
PID 3160 wrote to memory of 2524	3160	{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe	96
PID 3160 wrote to memory of 2524	3160	{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe	96
PID 3396 wrote to memory of 2800	3396	{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe	97
PID 3396 wrote to memory of 2800	3396	{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe	97
PID 3396 wrote to memory of 2800	3396	{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe	97
PID 3396 wrote to memory of 1688	3396	{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe	98
PID 3396 wrote to memory of 1688	3396	{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe	98
PID 3396 wrote to memory of 1688	3396	{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe	98
PID 2800 wrote to memory of 1656	2800	{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe	99
PID 2800 wrote to memory of 1656	2800	{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe	99
PID 2800 wrote to memory of 1656	2800	{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe	99
PID 2800 wrote to memory of 3896	2800	{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe	100
PID 2800 wrote to memory of 3896	2800	{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe	100
PID 2800 wrote to memory of 3896	2800	{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe	100
PID 1656 wrote to memory of 4532	1656	{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe	101
PID 1656 wrote to memory of 4532	1656	{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe	101
PID 1656 wrote to memory of 4532	1656	{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe	101
PID 1656 wrote to memory of 1044	1656	{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe	102
PID 1656 wrote to memory of 1044	1656	{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe	102
PID 1656 wrote to memory of 1044	1656	{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe	102
PID 4532 wrote to memory of 1484	4532	{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe	103
PID 4532 wrote to memory of 1484	4532	{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe	103
PID 4532 wrote to memory of 1484	4532	{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe	103
PID 4532 wrote to memory of 3556	4532	{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe	104
PID 4532 wrote to memory of 3556	4532	{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe	104
PID 4532 wrote to memory of 3556	4532	{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe	104
PID 1484 wrote to memory of 2840	1484	{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe	105
PID 1484 wrote to memory of 2840	1484	{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe	105
PID 1484 wrote to memory of 2840	1484	{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe	105
PID 1484 wrote to memory of 5012	1484	{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe	106
PID 1484 wrote to memory of 5012	1484	{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe	106
PID 1484 wrote to memory of 5012	1484	{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe	106
PID 2840 wrote to memory of 2428	2840	{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe	107
PID 2840 wrote to memory of 2428	2840	{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe	107
PID 2840 wrote to memory of 2428	2840	{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe	107
PID 2840 wrote to memory of 940	2840	{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe	108
PID 2840 wrote to memory of 940	2840	{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe	108
PID 2840 wrote to memory of 940	2840	{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe	108
PID 2428 wrote to memory of 2992	2428	{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe	109
PID 2428 wrote to memory of 2992	2428	{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe	109
PID 2428 wrote to memory of 2992	2428	{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe	109
PID 2428 wrote to memory of 4052	2428	{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe	110
PID 2428 wrote to memory of 4052	2428	{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe	110
PID 2428 wrote to memory of 4052	2428	{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe	110
PID 2992 wrote to memory of 4404	2992	{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}.exe	111
PID 2992 wrote to memory of 4404	2992	{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}.exe	111
PID 2992 wrote to memory of 4404	2992	{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}.exe	111
PID 2992 wrote to memory of 2772	2992	{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe
  C:\Windows\{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe
    C:\Windows\{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Windows\{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe
      C:\Windows\{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3396
    - - C:\Windows\{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe
        
        C:\Windows\{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Windows\{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe
        
        C:\Windows\{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe
        
        C:\Windows\{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe
        
        C:\Windows\{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe
        
        C:\Windows\{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe
        
        C:\Windows\{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}.exe
        
        C:\Windows\{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{FB1E1340-5733-4e70-B7E7-DA958D4F51D3}.exe
        
        C:\Windows\{FB1E1340-5733-4e70-B7E7-DA958D4F51D3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Windows\{2BE13793-F2F5-45c5-8B14-85416D09A1F4}.exe
        
        C:\Windows\{2BE13793-F2F5-45c5-8B14-85416D09A1F4}.exe
        13⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB1E1~1.EXE > nul
        13⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E85B0~1.EXE > nul
        12⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C19DD~1.EXE > nul
        11⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7941B~1.EXE > nul
        10⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6785~1.EXE > nul
        9⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43A69~1.EXE > nul
        8⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27F82~1.EXE > nul
        7⤵
        
        PID:1044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AC4F~1.EXE > nul
        6⤵
        
        PID:3896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A613~1.EXE > nul
        5⤵
        
        PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{18E0B~1.EXE > nul
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{215EB~1.EXE > nul
    3⤵
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18E0B531-A85C-4198-B65C-7B526E47D4D6}.exe

Filesize
216KB

MD5
62a7fcdf21ed54f70deb048728c59d92

SHA1
5975667942f6bf0cf7cff8591879e42ef5e2b973

SHA256
6f432a54365fda492d3576457bf60166d635e5629b4e53eca4494c38a6e19a0a

SHA512
5e88053c2b790430168afc792f96637ef782e4e8446b38da78f24001c4b85ad784450b5759b69ff4f11c29d789ec4bc830e2722f9f6741b0335f938f81595cef

Download Submit
C:\Windows\{215EB436-E756-49ad-8434-CEDFDEF5AA11}.exe

Filesize
216KB

MD5
e530cecae4d0c85795272bd3eb56971d

SHA1
ae75777cbe85ce6d24b456c1c89071cc2c852318

SHA256
8ac39c7db0e4c4b2f906fb380e1f04271bdaaf9bbbe7aa7fd5c6b7fb4f775f34

SHA512
3c45f41e69b9440a46fe86b680e8da30f603fe29678293aa5fc773bd00bfbac473d8200ed5d9747d4b1d39953e6490be32ab45788f9d176c834534e0d5aa3a5b

Download Submit
C:\Windows\{27F82718-7E41-4fcd-8C92-B4B448A51076}.exe

Filesize
216KB

MD5
509dd905ef30a5dac9ba4226cac14c24

SHA1
37a34c3410c5b482cd96cad0529f2b0130a768b8

SHA256
fe7f8f4b8bbda655a5a854e242448695de83af59b9c49cebcca1e04fcbfd04c2

SHA512
f26debca78f041ff9b24dd5ce4a48c39f7bb89baa6f877c4b0fde7ecdcf2fe5983593ce44c97f450ff275e49efab814569e1487f07ea6dd24badd692eca99a33

Download Submit
C:\Windows\{2A613F92-C409-41b3-9590-971BCEC8BE28}.exe

Filesize
216KB

MD5
a08dfea3e3bd1164a3d4bb48a082de99

SHA1
9a8807a33791e5bb187f79203288b8f9145a475d

SHA256
2cd7712c4c37eab76bd54a91a8f85b801d87944f57643a585791d77fcfc85908

SHA512
c8f5540b35b2c4ef95b6a8c23b0a290ea65cfbc0669a65f866ada8774f03e173dfae674beaa4a2362f6404c46978ccbd9690e2ac74b323551365d7cc3543152e

Download Submit
C:\Windows\{2BE13793-F2F5-45c5-8B14-85416D09A1F4}.exe

Filesize
216KB

MD5
2f7e240c908a10aa052a609aab916ea1

SHA1
9048218293047fb6e1c18af6e8be7a014f2d1bf0

SHA256
d9069aa8ef5364f27382f23275f410a882fc133935d05275f6771d5a297eca5c

SHA512
be106a0e29b89c852c026fcd6409d6f636788a211e059f1ecd162c555d6f1bfda5bbe619329a07089e8cd8e9b022cae9f4af6e59f37d9cbbf4c62ff18e066eaf

Download Submit
C:\Windows\{43A69D1B-2A3C-42f5-9ECB-8BC8F717D982}.exe

Filesize
216KB

MD5
9964e32561d498597058aa84d75c763a

SHA1
7fa30f91ba5c05ca94f69d9f1e2d1bcdb0a346eb

SHA256
26cc49f8b0b9c5bcbb94dfef5386fb7b33a0e88f736ddc733b25d38a2f80991f

SHA512
48beee9d7572e1fd6a1c9078a3ae524aedba6de67f82d177f5561b6ef062974bd8e7023fce0be0440b750939760d3c4fa30fd78873489289b55a25b357e4195f

Download Submit
C:\Windows\{5AC4FCA3-B678-4377-B33B-F86F10E6674B}.exe

Filesize
216KB

MD5
8836c7a90e8e8602cf042dbe5bf83311

SHA1
218b559dd8e71decb605716de0e2c91f15b8ca22

SHA256
dcf6ce6265127008a018e8492d14cf3bb6f4720acd0d04fd2a77c8834e650f73

SHA512
9fe71de1ba4806b864ec66152d688ecf8ab19b923883d2710f09c2194c0b8622a80c2a3eef95522f491cf621389cef36894ddc37133c8bfc21d5104d15fcc330

Download Submit
C:\Windows\{7941B7DE-98A3-4040-859C-4DD64E3EE82E}.exe

Filesize
216KB

MD5
85a9f445293495cb2f065117431a1d15

SHA1
6684b6e73052770290a6473cb20939a3608d6f78

SHA256
bd3d61cc5627f4c8f59288d70308797eec3741119632b2f10996c1a811f36628

SHA512
541900b697f108d476db3e4e086cdb3188f2e486f440aa24bdbdcbf912e0c7c178926a17eb00e67031da86bc5a200668a61ca5f606e0bc01adbbb04e7a3a78d8

Download Submit
C:\Windows\{C19DD5AD-B1D1-4410-B9EE-77D1796113AA}.exe

Filesize
216KB

MD5
daabca3630c3698e3ba0e0c56d66f129

SHA1
b9721cb701408c162ca286b2a39b8996ca9ff5c7

SHA256
f59e93113b8523bf211dfe0bb5a366441cef257e631c5c082ba591902743d76e

SHA512
427c20ced4ae65dae57b0433ec0bedf2b30ead944c7b8cf630f1cba650eac6bba3849f6b1a3391dca95591c3b750eddc1384127c05ee2df0c714e2e43db2cf37

Download Submit
C:\Windows\{C6785517-D92E-43ec-BED4-ED5E2DDB6C3F}.exe

Filesize
216KB

MD5
47e5388e6e9c04ff72786741333d1660

SHA1
5e1f7514a64a59d4481609a8b06b7efaf8de7285

SHA256
48d0f1cf71174e484a0c35b37e0c9dd9317d366f09d3da250525eed064012fa4

SHA512
42debffba0d2970e684be9c2755f50fe29c03a24bf16a327b8db9ab7e067b23a37af966cf4124e38bedc1e0f0213bc837339c26f17d5bba601d87fafb84ec20a

Download Submit
C:\Windows\{E85B04A4-33CA-4c8b-87F6-6E71983C15BF}.exe

Filesize
216KB

MD5
ba0500b8f3075492b56b955fde8f65f9

SHA1
a9a8456138389e49b5a41b18701ec359c36c2ed5

SHA256
4b7020b60fc1790bb88b047b8e341d9523f216f5108da39c740f896902c52a7d

SHA512
b1e51d56dbab53ae4ff70f2fd20fa9b780b63f0c0b92c516b00d9a21cf2529258ae5d43767b5deaaed88a1ca9b303bb16ae54e79ebaf1f9965b5a2ee2a5597a3

Download Submit
C:\Windows\{FB1E1340-5733-4e70-B7E7-DA958D4F51D3}.exe

Filesize
216KB

MD5
458233e9770857b4447bd3d2256ea38f

SHA1
4b20a7c2f793363901c791751927b9c06a53d4c5

SHA256
ecd6ad590d59b85f9b4040f135c963ac8c4a364cb0eeba85f7c2d877df94e53a

SHA512
f39eb609099448168dda04ed677ecc3d1a43de1035e0e570553239f06cad98ba16bcbd99b4dd857576acccf193a9d314e1f670b4725e4a9211d34dd5bc693dc3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads