87ea24086f194ac2b65e5b9e0feff7c8971d20479d2e542a7ebc612ed143b986

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe
Size

204KB
MD5

1020dc73c0c855fec71b874dbbc91613
SHA1

cee58f17626149ec83bd88d72140407929ed2d7e
SHA256

87ea24086f194ac2b65e5b9e0feff7c8971d20479d2e542a7ebc612ed143b986
SHA512

cac24170fc90f9681d54c8cffefc33b95db1d324768a6938d803175e90718216db1772cd5791de7df474d3a60656990436e10314a6883000a50b1cbda0c2f012
SSDEEP

1536:1EGh0ohl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ohl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023219-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321f-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023219-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}\stubpath = "C:\\Windows\\{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe"	2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}	{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}\stubpath = "C:\\Windows\\{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe"	{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C39F9EA3-CABF-4106-9F37-21C6265E832D}	{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32373BE9-7751-43e7-904A-C870AC5B2C18}	{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE4DA83F-AB1C-4475-A1CB-222C78218590}	{E3572706-E745-408d-9D56-D63595AA4D02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}	2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C39F9EA3-CABF-4106-9F37-21C6265E832D}\stubpath = "C:\\Windows\\{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe"	{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}	{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32373BE9-7751-43e7-904A-C870AC5B2C18}\stubpath = "C:\\Windows\\{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe"	{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}\stubpath = "C:\\Windows\\{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}.exe"	{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3572706-E745-408d-9D56-D63595AA4D02}\stubpath = "C:\\Windows\\{E3572706-E745-408d-9D56-D63595AA4D02}.exe"	{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE4DA83F-AB1C-4475-A1CB-222C78218590}\stubpath = "C:\\Windows\\{FE4DA83F-AB1C-4475-A1CB-222C78218590}.exe"	{E3572706-E745-408d-9D56-D63595AA4D02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE01F332-39DA-48c0-B8F4-C57BD07A6778}\stubpath = "C:\\Windows\\{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe"	{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}	{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}\stubpath = "C:\\Windows\\{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe"	{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}\stubpath = "C:\\Windows\\{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe"	{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}	{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3572706-E745-408d-9D56-D63595AA4D02}	{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE01F332-39DA-48c0-B8F4-C57BD07A6778}	{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}\stubpath = "C:\\Windows\\{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe"	{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}	{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}	{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}\stubpath = "C:\\Windows\\{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe"	{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe

Executes dropped EXE 12 IoCs

pid	Process
648	{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe
2452	{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe
5084	{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe
4452	{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe
3404	{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe
1360	{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe
4960	{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe
384	{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe
2308	{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe
3492	{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}.exe
5020	{E3572706-E745-408d-9D56-D63595AA4D02}.exe
2416	{FE4DA83F-AB1C-4475-A1CB-222C78218590}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe	{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe
File created	C:\Windows\{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe	{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe
File created	C:\Windows\{E3572706-E745-408d-9D56-D63595AA4D02}.exe	{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}.exe
File created	C:\Windows\{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe	2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe
File created	C:\Windows\{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe	{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe
File created	C:\Windows\{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe	{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe
File created	C:\Windows\{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe	{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe
File created	C:\Windows\{FE4DA83F-AB1C-4475-A1CB-222C78218590}.exe	{E3572706-E745-408d-9D56-D63595AA4D02}.exe
File created	C:\Windows\{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe	{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe
File created	C:\Windows\{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe	{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe
File created	C:\Windows\{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe	{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe
File created	C:\Windows\{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}.exe	{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4192	2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe
Token: SeIncBasePriorityPrivilege	648	{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe
Token: SeIncBasePriorityPrivilege	2452	{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe
Token: SeIncBasePriorityPrivilege	5084	{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe
Token: SeIncBasePriorityPrivilege	4452	{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe
Token: SeIncBasePriorityPrivilege	3404	{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe
Token: SeIncBasePriorityPrivilege	1360	{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe
Token: SeIncBasePriorityPrivilege	4960	{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe
Token: SeIncBasePriorityPrivilege	384	{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe
Token: SeIncBasePriorityPrivilege	2308	{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe
Token: SeIncBasePriorityPrivilege	3492	{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}.exe
Token: SeIncBasePriorityPrivilege	5020	{E3572706-E745-408d-9D56-D63595AA4D02}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 648	4192	2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe	86
PID 4192 wrote to memory of 648	4192	2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe	86
PID 4192 wrote to memory of 648	4192	2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe	86
PID 4192 wrote to memory of 4756	4192	2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe	87
PID 4192 wrote to memory of 4756	4192	2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe	87
PID 4192 wrote to memory of 4756	4192	2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe	87
PID 648 wrote to memory of 2452	648	{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe	93
PID 648 wrote to memory of 2452	648	{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe	93
PID 648 wrote to memory of 2452	648	{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe	93
PID 648 wrote to memory of 1104	648	{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe	94
PID 648 wrote to memory of 1104	648	{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe	94
PID 648 wrote to memory of 1104	648	{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe	94
PID 2452 wrote to memory of 5084	2452	{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe	96
PID 2452 wrote to memory of 5084	2452	{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe	96
PID 2452 wrote to memory of 5084	2452	{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe	96
PID 2452 wrote to memory of 3712	2452	{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe	97
PID 2452 wrote to memory of 3712	2452	{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe	97
PID 2452 wrote to memory of 3712	2452	{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe	97
PID 5084 wrote to memory of 4452	5084	{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe	98
PID 5084 wrote to memory of 4452	5084	{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe	98
PID 5084 wrote to memory of 4452	5084	{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe	98
PID 5084 wrote to memory of 4124	5084	{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe	99
PID 5084 wrote to memory of 4124	5084	{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe	99
PID 5084 wrote to memory of 4124	5084	{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe	99
PID 4452 wrote to memory of 3404	4452	{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe	100
PID 4452 wrote to memory of 3404	4452	{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe	100
PID 4452 wrote to memory of 3404	4452	{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe	100
PID 4452 wrote to memory of 4504	4452	{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe	101
PID 4452 wrote to memory of 4504	4452	{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe	101
PID 4452 wrote to memory of 4504	4452	{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe	101
PID 3404 wrote to memory of 1360	3404	{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe	102
PID 3404 wrote to memory of 1360	3404	{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe	102
PID 3404 wrote to memory of 1360	3404	{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe	102
PID 3404 wrote to memory of 2908	3404	{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe	103
PID 3404 wrote to memory of 2908	3404	{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe	103
PID 3404 wrote to memory of 2908	3404	{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe	103
PID 1360 wrote to memory of 4960	1360	{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe	104
PID 1360 wrote to memory of 4960	1360	{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe	104
PID 1360 wrote to memory of 4960	1360	{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe	104
PID 1360 wrote to memory of 1476	1360	{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe	105
PID 1360 wrote to memory of 1476	1360	{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe	105
PID 1360 wrote to memory of 1476	1360	{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe	105
PID 4960 wrote to memory of 384	4960	{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe	106
PID 4960 wrote to memory of 384	4960	{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe	106
PID 4960 wrote to memory of 384	4960	{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe	106
PID 4960 wrote to memory of 5052	4960	{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe	107
PID 4960 wrote to memory of 5052	4960	{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe	107
PID 4960 wrote to memory of 5052	4960	{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe	107
PID 384 wrote to memory of 2308	384	{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe	108
PID 384 wrote to memory of 2308	384	{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe	108
PID 384 wrote to memory of 2308	384	{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe	108
PID 384 wrote to memory of 436	384	{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe	109
PID 384 wrote to memory of 436	384	{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe	109
PID 384 wrote to memory of 436	384	{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe	109
PID 2308 wrote to memory of 3492	2308	{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe	110
PID 2308 wrote to memory of 3492	2308	{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe	110
PID 2308 wrote to memory of 3492	2308	{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe	110
PID 2308 wrote to memory of 332	2308	{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe	111
PID 2308 wrote to memory of 332	2308	{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe	111
PID 2308 wrote to memory of 332	2308	{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe	111
PID 3492 wrote to memory of 5020	3492	{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}.exe	112
PID 3492 wrote to memory of 5020	3492	{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}.exe	112
PID 3492 wrote to memory of 5020	3492	{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}.exe	112
PID 3492 wrote to memory of 4524	3492	{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe
  C:\Windows\{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe
    C:\Windows\{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe
      C:\Windows\{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Windows\{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe
        
        C:\Windows\{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
      - C:\Windows\{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe
        
        C:\Windows\{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe
        
        C:\Windows\{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe
        
        C:\Windows\{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe
        
        C:\Windows\{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe
        
        C:\Windows\{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}.exe
        
        C:\Windows\{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\{E3572706-E745-408d-9D56-D63595AA4D02}.exe
        
        C:\Windows\{E3572706-E745-408d-9D56-D63595AA4D02}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5020
        
        C:\Windows\{FE4DA83F-AB1C-4475-A1CB-222C78218590}.exe
        
        C:\Windows\{FE4DA83F-AB1C-4475-A1CB-222C78218590}.exe
        13⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3572~1.EXE > nul
        13⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87A99~1.EXE > nul
        12⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32373~1.EXE > nul
        11⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57C8F~1.EXE > nul
        10⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA68A~1.EXE > nul
        9⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C39F9~1.EXE > nul
        8⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E2FC~1.EXE > nul
        7⤵
        
        PID:2908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F014F~1.EXE > nul
        6⤵
        
        PID:4504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23CD0~1.EXE > nul
        5⤵
        
        PID:4124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FE01F~1.EXE > nul
      4⤵
      PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DADC3~1.EXE > nul
    3⤵
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23CD0D23-26D3-4db6-9501-B77B5BC65C6E}.exe

Filesize
204KB

MD5
a0bee35537fad3f4e03b50dfc6795cfd

SHA1
5b4654db8a770f8677e851fbd2cb522dc9d2691c

SHA256
232330f3dded59e372988ea212d76f588a7d53b814bfb4ab03b9a6c287dce485

SHA512
610bc46d5a3d164877238f97ddc5778726f7dd424343004ec8f587dd8595f2e18eadcd0e560a55f8841e3c633e4cdf02accbc134e2e0e48b2634b136f1a02db2

Download Submit
C:\Windows\{32373BE9-7751-43e7-904A-C870AC5B2C18}.exe

Filesize
204KB

MD5
5a57b59546ab11a12efbd0c76acce8da

SHA1
a6fb7a8c5457cebcbab03595a8f41765ef1c1728

SHA256
daec75bec462ff624ef8bd1b83387a9a7b6c5af257b4276b5e31bff34cda6e85

SHA512
e7689011b1742e62f577a52f537cceb663785171f053df847059203cf15a7b93282126c9841491b6ac403588a7ad4ef87d34c770702736b82722ecf444802cc4

Download Submit
C:\Windows\{57C8F941-627F-4f6c-81C6-EAE04F3A58B6}.exe

Filesize
204KB

MD5
532accc505320a35f1f8f5b1c1c3db0c

SHA1
7cb7a839ff489fc07550548347969fb722733e0a

SHA256
27cd3d20b6f768abc73779de77ad6592d2e14e21ccf979e4c03d21a34b163fef

SHA512
99b021a1837971ed83b469252e19a68bf4c25f7b558f751322ed28b67c33780a38744132346f4d1fb1853200a220f015c0729adf31e229f5d4ee498cae2c7e73

Download Submit
C:\Windows\{87A99C16-4E8B-4627-8EA5-21BAEC9D6C11}.exe

Filesize
204KB

MD5
ca3bd8b07c40563896b9c3d2febbb777

SHA1
d1df5be969a80650a6933b5e599efbd00702e708

SHA256
b5fb4518b14708627334f0f6003c68c633b875d23feae1e2801d3d8b7b2b6242

SHA512
e4e1a58ddf64930d12c0f23afa3a8aaedcc58338541cb350097b746e69d18ac454921077c72381972a9541747a35fd83e1c70ac5ab09af160936c69e647daed7

Download Submit
C:\Windows\{9E2FC2FC-FB93-4cd2-B705-DBCB987DEEF8}.exe

Filesize
204KB

MD5
770035587dd3c0993ea0170e6224d943

SHA1
90ac18816e53568164d2f7d073d6901b94bf7ef0

SHA256
af8aff6400abc805b89070995adb540cc5667d177ac00584be4f9116a6f90d02

SHA512
589602d058f23582f9e6aa1d52eeb68774d3e2ecd7cfad4991f9a05f148ab01b0f7ff9097a18e1c0088abb9f6ecaa9494cae1a7347a07125e78f896473dee58d

Download Submit
C:\Windows\{BA68A6AF-34B7-49e6-9981-A47C4FF42D6C}.exe

Filesize
204KB

MD5
c98dc5885a964339441e08d98d4893d0

SHA1
9ef59752e8aef5d47bbf2873b65be4a45c5969f1

SHA256
c775b7d1c76d768ab1b74a5abaa8643da5112c15294c61487fe484659736d014

SHA512
a2046a40d65acda886bff2d7e4994a0ce21afc040156f1ce4d5db08be7b477ff149d5f69af34d8a01924a063ff2bcbd04c293007bdcfab0a5d658988020962aa

Download Submit
C:\Windows\{C39F9EA3-CABF-4106-9F37-21C6265E832D}.exe

Filesize
204KB

MD5
e1ef096d8ed91af6aa435e4f5ff7841c

SHA1
f2bf702cd5e34025fccb94dbd70abcedf714e331

SHA256
9589032c5518e1680ee6db8971ade72f0b777514ea96ea34b342ab4940c74ab1

SHA512
e7016524dbaf9f75864b27d991325fbd400d4877319209fbde958976922bd3e338258da213ed4bb34ff1e2beb03cdf262157dbe64a7d4cb4fc10dfd45280f19e

Download Submit
C:\Windows\{DADC3DC0-1F91-44cc-8DF4-1C1CAC3C5753}.exe

Filesize
204KB

MD5
7736d236fc2fe450f7f14724659985f6

SHA1
175c98444303d88e511f8ad81321539f492baab4

SHA256
74ce469f6d18ae64c9d348dbd92ccc0315aded021adce6454c475e2bcb7022cb

SHA512
cbb59456d2947d3b454898bf28687e810ede583f1a60422a1589b0d046eb07ef9c0ca442ae77fdeec4c32a1a5ee0188f4e2618a0c15d31912f6b10b871a74d1a

Download Submit
C:\Windows\{E3572706-E745-408d-9D56-D63595AA4D02}.exe

Filesize
204KB

MD5
714bb0f34b8101214c70b2d5395140db

SHA1
e14828082a2924d85ecca85dba03ad1267771032

SHA256
688d11e9cae9ec6b34b293dc567cbcad87a27b54a859cb4c3e0d4754f81b9e94

SHA512
d609ff56ddbebad342f3c51a12ad495e331a878ece2a9e63b4e1197f9c34db0cd968f258aa0f3a14147ceac336383f11e2a639d2d411225fe354fa400afc45a1

Download Submit
C:\Windows\{F014FCF4-DEC3-494a-A6EF-064DD46E2A43}.exe

Filesize
204KB

MD5
8c587b3dbf9bfd3ab0419db8280f8c3b

SHA1
57f8eeec1d3e8e6fb484b4624b37c13e1ceed331

SHA256
00bbf9646aff9316ff290cc6108cf05eb432fdffe7a9b8295a679750a02e5111

SHA512
e95aa280f0dde7f7e3812871eff07224e01ca03836b486562c2012670436cd515065ea252a2ece01213bc09eaa9ad16c165128ce2ac19020c86a1a44d356ed73

Download Submit
C:\Windows\{FE01F332-39DA-48c0-B8F4-C57BD07A6778}.exe

Filesize
204KB

MD5
ebc9374742e263b3709717facf86c8e4

SHA1
0607b6c96e999c24c7ebbaaabd8945daa419df09

SHA256
573a84efb0371337b4cb8a72bf026f6b7382f8b9ea87c4147f95a3a4e03482d7

SHA512
613e53a1ef0e64855e25d96cd4184ad92660b9fe7c70105de74ac726e9d5613cbcfaaf33da8e2ca59a69845ab2238974f1da4a43215cdd91fb7e107871ec077c

Download Submit
C:\Windows\{FE4DA83F-AB1C-4475-A1CB-222C78218590}.exe

Filesize
204KB

MD5
5fea58e07d5ced1f2b297129810f1fd5

SHA1
57e330953597fe08396d44d2329f2aefcd2d74e2

SHA256
527e0b1ce31c83fef643131b4a39d62f789bf48726df1cb39d8913e5292ef994

SHA512
d1ff2f3fb463452b11c252b00ad990111313b4bac4b30b53e67a7fc95300d7d0b4b1f5b2e7bd3f1cb8ef1242c400ec85dae5f148ca8d7c920e714e74e7406784

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads