df6a11b78706c9203a545b8045c0df488572297a248ed7307b50be5afe741892

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 04:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-11_9e788f5faceeae869eb04202a9c171ef_goldeneye.exe
Size

197KB
MD5

9e788f5faceeae869eb04202a9c171ef
SHA1

f68a516e15926e251babaef1b0a83a836f7f52ba
SHA256

df6a11b78706c9203a545b8045c0df488572297a248ed7307b50be5afe741892
SHA512

5baae3fa002caf27d23b6e0c302f1010c48cdd0eadf98d7602064ff16e028aa198cda59f0a9f7575dc27084d6e1fdad8f40cf09e138cb57983637637a8a24ca9
SSDEEP

3072:jEGh0oql+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGslEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023213-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023208-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321a-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023208-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa3-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021fa2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000703-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000703-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000703-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2926CEE4-1608-4614-BA53-C876961CCBFF}	{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}\stubpath = "C:\\Windows\\{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}.exe"	{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE39D044-2E12-4587-A2EA-FABAA4E68351}\stubpath = "C:\\Windows\\{AE39D044-2E12-4587-A2EA-FABAA4E68351}.exe"	{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}\stubpath = "C:\\Windows\\{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe"	2024-04-11_9e788f5faceeae869eb04202a9c171ef_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}\stubpath = "C:\\Windows\\{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe"	{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD8A3811-6612-46e3-9F14-F245E7B38A00}\stubpath = "C:\\Windows\\{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe"	{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}	{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}	{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF03B11A-E3F6-4d16-B701-1408B01987FC}\stubpath = "C:\\Windows\\{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe"	{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DB499F3-5D55-4c94-8D0E-68DBF108677D}	{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}	{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD8A3811-6612-46e3-9F14-F245E7B38A00}	{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2988B45F-D9AB-418f-86F3-A3A20642AAF8}	{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2988B45F-D9AB-418f-86F3-A3A20642AAF8}\stubpath = "C:\\Windows\\{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe"	{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF03B11A-E3F6-4d16-B701-1408B01987FC}	{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DB499F3-5D55-4c94-8D0E-68DBF108677D}\stubpath = "C:\\Windows\\{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe"	{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A41FF56-EECF-42b7-9569-A2D6E541DF21}	{AE39D044-2E12-4587-A2EA-FABAA4E68351}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A41FF56-EECF-42b7-9569-A2D6E541DF21}\stubpath = "C:\\Windows\\{4A41FF56-EECF-42b7-9569-A2D6E541DF21}.exe"	{AE39D044-2E12-4587-A2EA-FABAA4E68351}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}	2024-04-11_9e788f5faceeae869eb04202a9c171ef_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}\stubpath = "C:\\Windows\\{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe"	{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}	{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE39D044-2E12-4587-A2EA-FABAA4E68351}	{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}\stubpath = "C:\\Windows\\{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe"	{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2926CEE4-1608-4614-BA53-C876961CCBFF}\stubpath = "C:\\Windows\\{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe"	{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe

Executes dropped EXE 12 IoCs

pid	Process
1560	{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe
4452	{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe
740	{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe
4720	{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe
4816	{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe
2168	{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe
4988	{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe
1264	{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe
2780	{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe
3572	{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}.exe
5028	{AE39D044-2E12-4587-A2EA-FABAA4E68351}.exe
3728	{4A41FF56-EECF-42b7-9569-A2D6E541DF21}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe	{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe
File created	C:\Windows\{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe	{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe
File created	C:\Windows\{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe	{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe
File created	C:\Windows\{4A41FF56-EECF-42b7-9569-A2D6E541DF21}.exe	{AE39D044-2E12-4587-A2EA-FABAA4E68351}.exe
File created	C:\Windows\{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe	2024-04-11_9e788f5faceeae869eb04202a9c171ef_goldeneye.exe
File created	C:\Windows\{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe	{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe
File created	C:\Windows\{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe	{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe
File created	C:\Windows\{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe	{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe
File created	C:\Windows\{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe	{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe
File created	C:\Windows\{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe	{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe
File created	C:\Windows\{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}.exe	{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe
File created	C:\Windows\{AE39D044-2E12-4587-A2EA-FABAA4E68351}.exe	{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4900	2024-04-11_9e788f5faceeae869eb04202a9c171ef_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1560	{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe
Token: SeIncBasePriorityPrivilege	4452	{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe
Token: SeIncBasePriorityPrivilege	740	{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe
Token: SeIncBasePriorityPrivilege	4720	{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe
Token: SeIncBasePriorityPrivilege	4816	{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe
Token: SeIncBasePriorityPrivilege	2168	{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe
Token: SeIncBasePriorityPrivilege	4988	{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe
Token: SeIncBasePriorityPrivilege	1264	{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe
Token: SeIncBasePriorityPrivilege	2780	{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe
Token: SeIncBasePriorityPrivilege	3572	{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}.exe
Token: SeIncBasePriorityPrivilege	5028	{AE39D044-2E12-4587-A2EA-FABAA4E68351}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1560	4900	2024-04-11_9e788f5faceeae869eb04202a9c171ef_goldeneye.exe	92
PID 4900 wrote to memory of 1560	4900	2024-04-11_9e788f5faceeae869eb04202a9c171ef_goldeneye.exe	92
PID 4900 wrote to memory of 1560	4900	2024-04-11_9e788f5faceeae869eb04202a9c171ef_goldeneye.exe	92
PID 4900 wrote to memory of 3972	4900	2024-04-11_9e788f5faceeae869eb04202a9c171ef_goldeneye.exe	93
PID 4900 wrote to memory of 3972	4900	2024-04-11_9e788f5faceeae869eb04202a9c171ef_goldeneye.exe	93
PID 4900 wrote to memory of 3972	4900	2024-04-11_9e788f5faceeae869eb04202a9c171ef_goldeneye.exe	93
PID 1560 wrote to memory of 4452	1560	{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe	94
PID 1560 wrote to memory of 4452	1560	{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe	94
PID 1560 wrote to memory of 4452	1560	{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe	94
PID 1560 wrote to memory of 2876	1560	{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe	95
PID 1560 wrote to memory of 2876	1560	{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe	95
PID 1560 wrote to memory of 2876	1560	{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe	95
PID 4452 wrote to memory of 740	4452	{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe	97
PID 4452 wrote to memory of 740	4452	{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe	97
PID 4452 wrote to memory of 740	4452	{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe	97
PID 4452 wrote to memory of 1552	4452	{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe	98
PID 4452 wrote to memory of 1552	4452	{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe	98
PID 4452 wrote to memory of 1552	4452	{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe	98
PID 740 wrote to memory of 4720	740	{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe	99
PID 740 wrote to memory of 4720	740	{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe	99
PID 740 wrote to memory of 4720	740	{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe	99
PID 740 wrote to memory of 3556	740	{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe	100
PID 740 wrote to memory of 3556	740	{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe	100
PID 740 wrote to memory of 3556	740	{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe	100
PID 4720 wrote to memory of 4816	4720	{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe	101
PID 4720 wrote to memory of 4816	4720	{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe	101
PID 4720 wrote to memory of 4816	4720	{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe	101
PID 4720 wrote to memory of 1860	4720	{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe	102
PID 4720 wrote to memory of 1860	4720	{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe	102
PID 4720 wrote to memory of 1860	4720	{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe	102
PID 4816 wrote to memory of 2168	4816	{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe	103
PID 4816 wrote to memory of 2168	4816	{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe	103
PID 4816 wrote to memory of 2168	4816	{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe	103
PID 4816 wrote to memory of 1808	4816	{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe	104
PID 4816 wrote to memory of 1808	4816	{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe	104
PID 4816 wrote to memory of 1808	4816	{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe	104
PID 2168 wrote to memory of 4988	2168	{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe	105
PID 2168 wrote to memory of 4988	2168	{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe	105
PID 2168 wrote to memory of 4988	2168	{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe	105
PID 2168 wrote to memory of 4260	2168	{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe	106
PID 2168 wrote to memory of 4260	2168	{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe	106
PID 2168 wrote to memory of 4260	2168	{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe	106
PID 4988 wrote to memory of 1264	4988	{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe	107
PID 4988 wrote to memory of 1264	4988	{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe	107
PID 4988 wrote to memory of 1264	4988	{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe	107
PID 4988 wrote to memory of 3476	4988	{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe	108
PID 4988 wrote to memory of 3476	4988	{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe	108
PID 4988 wrote to memory of 3476	4988	{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe	108
PID 1264 wrote to memory of 2780	1264	{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe	109
PID 1264 wrote to memory of 2780	1264	{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe	109
PID 1264 wrote to memory of 2780	1264	{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe	109
PID 1264 wrote to memory of 1068	1264	{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe	110
PID 1264 wrote to memory of 1068	1264	{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe	110
PID 1264 wrote to memory of 1068	1264	{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe	110
PID 2780 wrote to memory of 3572	2780	{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe	111
PID 2780 wrote to memory of 3572	2780	{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe	111
PID 2780 wrote to memory of 3572	2780	{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe	111
PID 2780 wrote to memory of 4408	2780	{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe	112
PID 2780 wrote to memory of 4408	2780	{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe	112
PID 2780 wrote to memory of 4408	2780	{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe	112
PID 3572 wrote to memory of 5028	3572	{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}.exe	113
PID 3572 wrote to memory of 5028	3572	{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}.exe	113
PID 3572 wrote to memory of 5028	3572	{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}.exe	113
PID 3572 wrote to memory of 1844	3572	{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-04-11_9e788f5faceeae869eb04202a9c171ef_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_9e788f5faceeae869eb04202a9c171ef_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe
  C:\Windows\{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe
    C:\Windows\{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe
      C:\Windows\{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Windows\{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe
        
        C:\Windows\{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
      - C:\Windows\{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe
        
        C:\Windows\{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe
        
        C:\Windows\{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe
        
        C:\Windows\{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe
        
        C:\Windows\{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe
        
        C:\Windows\{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}.exe
        
        C:\Windows\{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\{AE39D044-2E12-4587-A2EA-FABAA4E68351}.exe
        
        C:\Windows\{AE39D044-2E12-4587-A2EA-FABAA4E68351}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Windows\{4A41FF56-EECF-42b7-9569-A2D6E541DF21}.exe
        
        C:\Windows\{4A41FF56-EECF-42b7-9569-A2D6E541DF21}.exe
        13⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE39D~1.EXE > nul
        13⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41DB5~1.EXE > nul
        12⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DB49~1.EXE > nul
        11⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2926C~1.EXE > nul
        10⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF03B~1.EXE > nul
        9⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93EF4~1.EXE > nul
        8⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04B8E~1.EXE > nul
        7⤵
        
        PID:1808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2988B~1.EXE > nul
        6⤵
        
        PID:1860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD8A3~1.EXE > nul
        5⤵
        
        PID:3556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AD45F~1.EXE > nul
      4⤵
      PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{87932~1.EXE > nul
    3⤵
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04B8EED6-C5AA-45d7-B47B-A41755FCABD7}.exe

Filesize
197KB

MD5
4c636c1c01d141dea9a49fb9e03ebf02

SHA1
08e3dade22a621d386cff46120b3bc2ce88fcb2d

SHA256
ee8f96e654ecca6c1ba9fe4c2f70b5da144a04e27e55151dd1c445b7602ecbd0

SHA512
48a5ac908c84fceff56d9a6ecb30eb47d24381ffa641de34c2a45f9c58e4db6e05d120db5729c0418ad6e6ec4ab2f9bb422d22ded1ebbeda921897b89216cad6

Download Submit
C:\Windows\{2926CEE4-1608-4614-BA53-C876961CCBFF}.exe

Filesize
197KB

MD5
35a72415acc99318d39d59b702b88d67

SHA1
ceca6431b5a67cc85c865c7a580b115441851ef4

SHA256
cee491137604baeedee4b0621403840aaf9b4934a1ec8da3e9c69dabb08a22b2

SHA512
c783f5cda9bad0cbac446a4c8e8250c94bb26acdbd68640bdd28ca50591bd9d4af0b9ad89cd640cfc910aa427bf02cd299b7fc1c92bcb8a0b67fae4d2bdaf6c7

Download Submit
C:\Windows\{2988B45F-D9AB-418f-86F3-A3A20642AAF8}.exe

Filesize
197KB

MD5
399c55ecaf8b34c677c7feaf8ae045d9

SHA1
2f91960dadc5019640639d3233e98e38c0a0c974

SHA256
d3850c96646959895d8adcadafcb18f33f31caa4eb22813748cf2b3e696b06db

SHA512
bd4dcb184dae959b435f4900cd6e4f7589cd9b9590c04a8d04675c969ba567562f84dfe9f5a670d1c082287946c8611bc51678cbc2b90e2a6286d630e4bfcc89

Download Submit
C:\Windows\{41DB5253-2CAC-489a-BE7A-2CFA70931F1B}.exe

Filesize
197KB

MD5
ef4db4a8c81aa5d7fdcd0d2661c41f75

SHA1
d6e3ca89b61248a2ee47a010d1e5fc02d877c9c4

SHA256
a5210896fa0ff2281a0a7ddbd448aab1923e138f1c5d490d1fe819235418200b

SHA512
a4b006171a5b050b50290b82ccbf1c3e64628a52c58b914d75fdfcb0ac6730c2be8db2c067e995f634b539f2cb8ad82c7063940d89318619524aa165551f7942

Download Submit
C:\Windows\{4A41FF56-EECF-42b7-9569-A2D6E541DF21}.exe

Filesize
197KB

MD5
c5249dfe61fd98a46103789b8a9063ab

SHA1
3a967fe3145b781d3c94322458769bca00c40ca9

SHA256
9a4dfe9e8492e6cf3bf7cd9a9a4e383499dc89b583e0640808f090de8d8cf01f

SHA512
d6cb43f2771eb4f8844a285af4226faa8a718f5b5d8140bed6aa371fd411de8e4668d6171b04a28cba4bc92a0d54e74c19d19540d9eba5d0e5c8a320a44f4565

Download Submit
C:\Windows\{7DB499F3-5D55-4c94-8D0E-68DBF108677D}.exe

Filesize
197KB

MD5
7e56c5fa4ed9bdbd23c4b684d05c495b

SHA1
24ebb0159e452c1860a04c4408cd49a11081e2c8

SHA256
d5039ac9e5a48277364d395fc6bbfe893484bc4dad29b3a6528012cf1ffe15e8

SHA512
5a66769b86d2f7be23f158a3e0c52a3df7307860dec6e81fe965b03db90893543f48cbaf3a9c7624c5c84df021494f7e95abbdaa3d4670bcc0e1e6871fb06483

Download Submit
C:\Windows\{87932FE3-5DA7-4c2c-9B5F-5A4ADC55DEB4}.exe

Filesize
197KB

MD5
a920691b76256b4e10b8fa1c90616c51

SHA1
6c6b3fb4ef53012e039ba110e1c871086151db9c

SHA256
6d7e3904f7bd3582f74485406e85023476dfd5ba9eef9083675384b31a2c2564

SHA512
71f42a1b094eb4303e8d22e11fd6cc295a591927f81cd73ac36249d8157160e32ba5f46d825ec66165e8ed26847f66379189a3d112321ea094f6e432ec590bc6

Download Submit
C:\Windows\{93EF4C0B-EE0D-4725-9ED9-91AAB0A04B38}.exe

Filesize
197KB

MD5
821652f498eb3acf8e39b2a066850f16

SHA1
4fb875ea4ddf0fcb212cfa17b42904d3a0cd261f

SHA256
52a7735b1fd4ac39954575d5ed4ab5d013d25ebae4bc20c4c1e8c8d82a972eb8

SHA512
86fa8942fa63db7da50b10b5654dbc561b148b569c1f56eba20b4247872952a36860564a69f2b4af25884aade7e554a7083065c3976d546291ee917327f4fd16

Download Submit
C:\Windows\{AD45F304-E9AC-4ef5-87CD-055F2EC668F6}.exe

Filesize
197KB

MD5
a650fbbf19db50876913791b21415c67

SHA1
89d3b8b948b90a2a70a1338fb0b05d886a1abde1

SHA256
411e8964136d4f5e9f0e7dcd8297e16ed77dd11a4b0e376e3b897edfa452dd4b

SHA512
0624dbb23e62b955c981ce8bd63d311f77a44ebabaf014a53b93114b311c21361cf213a88bb1c5281abfe8cbabe809f1ff9ed5de909eae24c09cb96a23077e86

Download Submit
C:\Windows\{AE39D044-2E12-4587-A2EA-FABAA4E68351}.exe

Filesize
197KB

MD5
c4fbf317842e7a74721976dbbb78c74c

SHA1
1fd81228dc5ef4b268638f72e49c119b4efcf842

SHA256
23ff820b53fe87480bb06f508a43ca963fa71890e17614246f1c60eb726b7ec6

SHA512
262470c49e262f2e0c594e3ebdb2a7c524f3a9c10f0dfa6a7f72addfb689ac8223473cb582ac003b7d32b1c892a693736ea0d20681a9839eaf7baf077e8ec480

Download Submit
C:\Windows\{CF03B11A-E3F6-4d16-B701-1408B01987FC}.exe

Filesize
197KB

MD5
e815556dd298d6f0a98a2c93d70551a5

SHA1
24e46bb6e806ec978c11ae799cd984358ccc48f5

SHA256
5a7d828c78bd512a3dd50726ed4bd274b9b17ea41d35d2786fba7b74b0deb5dc

SHA512
702dc158b5fff099cfc5e2290587f0d39965f8f2c7e66196e9b4807d84899103a59bbad3c96940a5512288473129e1c9e368ddeb019b8132cba116adc3b4f851

Download Submit
C:\Windows\{DD8A3811-6612-46e3-9F14-F245E7B38A00}.exe

Filesize
197KB

MD5
2c2d6ff2d8107d0b02d410f6b978b4c8

SHA1
4b917968e0a21407b7689f12b756788a7d5b6102

SHA256
ee9f357c6e508a41425be6112ad83dbf7bab88ada669a7d67ebe672df20336ef

SHA512
5acfc8fafcd7c7eddc6448c711a61fbd7b7e7b7a2caffb86a17026ce3aab6faabe9475382792862867a3efe45f4de6424d46fdf4dfe695f8c64a187da0c8c1e5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads