6b270516afca2c07b220b3c4d79b1361928275af2caf4b63286a01ab359a1458

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_03960f088f471904c894ec5f2f411328_goldeneye.exe
Size

168KB
MD5

03960f088f471904c894ec5f2f411328
SHA1

63bfdfcef1f84a4ce00a90f8789b5b4d19b9464c
SHA256

6b270516afca2c07b220b3c4d79b1361928275af2caf4b63286a01ab359a1458
SHA512

32195a4923aab5fd913706d258acfcbfa467a97b78eb348a667f0aaaf52ae80c1a6c9f5c37038d783ab43cee43b5a4afcce160814f279ed46a018b1283582c6d
SSDEEP

1536:1EGh0oeli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oeliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233d1-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233d4-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002348c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233d4-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002348c-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233d4-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002348c-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000233be-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233c2-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000233be-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233c2-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000233be-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AC3137A-0F4C-469a-B6E9-EF873511ED06}\stubpath = "C:\\Windows\\{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe"	{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19CFA851-69B9-4e82-AAC1-A03BD1E41317}	{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}\stubpath = "C:\\Windows\\{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe"	2024-04-15_03960f088f471904c894ec5f2f411328_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04054499-F825-4393-99E2-ACA9D705293C}	{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04054499-F825-4393-99E2-ACA9D705293C}\stubpath = "C:\\Windows\\{04054499-F825-4393-99E2-ACA9D705293C}.exe"	{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}\stubpath = "C:\\Windows\\{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe"	{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}	{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}\stubpath = "C:\\Windows\\{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe"	{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19CFA851-69B9-4e82-AAC1-A03BD1E41317}\stubpath = "C:\\Windows\\{19CFA851-69B9-4e82-AAC1-A03BD1E41317}.exe"	{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FB21E27-8ED5-40b6-A184-00B4330A2199}\stubpath = "C:\\Windows\\{1FB21E27-8ED5-40b6-A184-00B4330A2199}.exe"	{19CFA851-69B9-4e82-AAC1-A03BD1E41317}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}	2024-04-15_03960f088f471904c894ec5f2f411328_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}	{04054499-F825-4393-99E2-ACA9D705293C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}\stubpath = "C:\\Windows\\{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe"	{04054499-F825-4393-99E2-ACA9D705293C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}\stubpath = "C:\\Windows\\{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe"	{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AC3137A-0F4C-469a-B6E9-EF873511ED06}	{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA209BC4-CC1B-4784-B420-9FC2DFA06365}	{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B032DC20-0092-407c-A8E5-5D5AAC106DFC}	{1FB21E27-8ED5-40b6-A184-00B4330A2199}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B032DC20-0092-407c-A8E5-5D5AAC106DFC}\stubpath = "C:\\Windows\\{B032DC20-0092-407c-A8E5-5D5AAC106DFC}.exe"	{1FB21E27-8ED5-40b6-A184-00B4330A2199}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}	{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}	{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}	{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}\stubpath = "C:\\Windows\\{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe"	{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA209BC4-CC1B-4784-B420-9FC2DFA06365}\stubpath = "C:\\Windows\\{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe"	{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FB21E27-8ED5-40b6-A184-00B4330A2199}	{19CFA851-69B9-4e82-AAC1-A03BD1E41317}.exe

Executes dropped EXE 12 IoCs

pid	Process
3204	{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe
2156	{04054499-F825-4393-99E2-ACA9D705293C}.exe
2544	{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe
4600	{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe
3208	{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe
2972	{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe
1944	{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe
2756	{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe
2536	{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe
1396	{19CFA851-69B9-4e82-AAC1-A03BD1E41317}.exe
4580	{1FB21E27-8ED5-40b6-A184-00B4330A2199}.exe
3672	{B032DC20-0092-407c-A8E5-5D5AAC106DFC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1FB21E27-8ED5-40b6-A184-00B4330A2199}.exe	{19CFA851-69B9-4e82-AAC1-A03BD1E41317}.exe
File created	C:\Windows\{B032DC20-0092-407c-A8E5-5D5AAC106DFC}.exe	{1FB21E27-8ED5-40b6-A184-00B4330A2199}.exe
File created	C:\Windows\{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe	{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe
File created	C:\Windows\{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe	{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe
File created	C:\Windows\{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe	{04054499-F825-4393-99E2-ACA9D705293C}.exe
File created	C:\Windows\{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe	{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe
File created	C:\Windows\{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe	{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe
File created	C:\Windows\{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe	{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe
File created	C:\Windows\{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe	{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe
File created	C:\Windows\{19CFA851-69B9-4e82-AAC1-A03BD1E41317}.exe	{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe
File created	C:\Windows\{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe	2024-04-15_03960f088f471904c894ec5f2f411328_goldeneye.exe
File created	C:\Windows\{04054499-F825-4393-99E2-ACA9D705293C}.exe	{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4880	2024-04-15_03960f088f471904c894ec5f2f411328_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3204	{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe
Token: SeIncBasePriorityPrivilege	2156	{04054499-F825-4393-99E2-ACA9D705293C}.exe
Token: SeIncBasePriorityPrivilege	2544	{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe
Token: SeIncBasePriorityPrivilege	4600	{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe
Token: SeIncBasePriorityPrivilege	3208	{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe
Token: SeIncBasePriorityPrivilege	2972	{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe
Token: SeIncBasePriorityPrivilege	1944	{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe
Token: SeIncBasePriorityPrivilege	2756	{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe
Token: SeIncBasePriorityPrivilege	2536	{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe
Token: SeIncBasePriorityPrivilege	1396	{19CFA851-69B9-4e82-AAC1-A03BD1E41317}.exe
Token: SeIncBasePriorityPrivilege	4580	{1FB21E27-8ED5-40b6-A184-00B4330A2199}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 3204	4880	2024-04-15_03960f088f471904c894ec5f2f411328_goldeneye.exe	94
PID 4880 wrote to memory of 3204	4880	2024-04-15_03960f088f471904c894ec5f2f411328_goldeneye.exe	94
PID 4880 wrote to memory of 3204	4880	2024-04-15_03960f088f471904c894ec5f2f411328_goldeneye.exe	94
PID 4880 wrote to memory of 1488	4880	2024-04-15_03960f088f471904c894ec5f2f411328_goldeneye.exe	95
PID 4880 wrote to memory of 1488	4880	2024-04-15_03960f088f471904c894ec5f2f411328_goldeneye.exe	95
PID 4880 wrote to memory of 1488	4880	2024-04-15_03960f088f471904c894ec5f2f411328_goldeneye.exe	95
PID 3204 wrote to memory of 2156	3204	{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe	96
PID 3204 wrote to memory of 2156	3204	{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe	96
PID 3204 wrote to memory of 2156	3204	{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe	96
PID 3204 wrote to memory of 3292	3204	{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe	97
PID 3204 wrote to memory of 3292	3204	{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe	97
PID 3204 wrote to memory of 3292	3204	{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe	97
PID 2156 wrote to memory of 2544	2156	{04054499-F825-4393-99E2-ACA9D705293C}.exe	101
PID 2156 wrote to memory of 2544	2156	{04054499-F825-4393-99E2-ACA9D705293C}.exe	101
PID 2156 wrote to memory of 2544	2156	{04054499-F825-4393-99E2-ACA9D705293C}.exe	101
PID 2156 wrote to memory of 4888	2156	{04054499-F825-4393-99E2-ACA9D705293C}.exe	102
PID 2156 wrote to memory of 4888	2156	{04054499-F825-4393-99E2-ACA9D705293C}.exe	102
PID 2156 wrote to memory of 4888	2156	{04054499-F825-4393-99E2-ACA9D705293C}.exe	102
PID 2544 wrote to memory of 4600	2544	{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe	103
PID 2544 wrote to memory of 4600	2544	{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe	103
PID 2544 wrote to memory of 4600	2544	{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe	103
PID 2544 wrote to memory of 4612	2544	{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe	104
PID 2544 wrote to memory of 4612	2544	{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe	104
PID 2544 wrote to memory of 4612	2544	{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe	104
PID 4600 wrote to memory of 3208	4600	{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe	105
PID 4600 wrote to memory of 3208	4600	{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe	105
PID 4600 wrote to memory of 3208	4600	{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe	105
PID 4600 wrote to memory of 1360	4600	{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe	106
PID 4600 wrote to memory of 1360	4600	{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe	106
PID 4600 wrote to memory of 1360	4600	{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe	106
PID 3208 wrote to memory of 2972	3208	{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe	107
PID 3208 wrote to memory of 2972	3208	{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe	107
PID 3208 wrote to memory of 2972	3208	{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe	107
PID 3208 wrote to memory of 3700	3208	{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe	108
PID 3208 wrote to memory of 3700	3208	{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe	108
PID 3208 wrote to memory of 3700	3208	{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe	108
PID 2972 wrote to memory of 1944	2972	{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe	109
PID 2972 wrote to memory of 1944	2972	{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe	109
PID 2972 wrote to memory of 1944	2972	{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe	109
PID 2972 wrote to memory of 1296	2972	{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe	110
PID 2972 wrote to memory of 1296	2972	{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe	110
PID 2972 wrote to memory of 1296	2972	{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe	110
PID 1944 wrote to memory of 2756	1944	{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe	113
PID 1944 wrote to memory of 2756	1944	{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe	113
PID 1944 wrote to memory of 2756	1944	{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe	113
PID 1944 wrote to memory of 4752	1944	{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe	114
PID 1944 wrote to memory of 4752	1944	{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe	114
PID 1944 wrote to memory of 4752	1944	{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe	114
PID 2756 wrote to memory of 2536	2756	{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe	115
PID 2756 wrote to memory of 2536	2756	{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe	115
PID 2756 wrote to memory of 2536	2756	{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe	115
PID 2756 wrote to memory of 920	2756	{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe	116
PID 2756 wrote to memory of 920	2756	{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe	116
PID 2756 wrote to memory of 920	2756	{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe	116
PID 2536 wrote to memory of 1396	2536	{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe	117
PID 2536 wrote to memory of 1396	2536	{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe	117
PID 2536 wrote to memory of 1396	2536	{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe	117
PID 2536 wrote to memory of 464	2536	{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe	118
PID 2536 wrote to memory of 464	2536	{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe	118
PID 2536 wrote to memory of 464	2536	{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe	118
PID 1396 wrote to memory of 4580	1396	{19CFA851-69B9-4e82-AAC1-A03BD1E41317}.exe	119
PID 1396 wrote to memory of 4580	1396	{19CFA851-69B9-4e82-AAC1-A03BD1E41317}.exe	119
PID 1396 wrote to memory of 4580	1396	{19CFA851-69B9-4e82-AAC1-A03BD1E41317}.exe	119
PID 1396 wrote to memory of 2856	1396	{19CFA851-69B9-4e82-AAC1-A03BD1E41317}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-04-15_03960f088f471904c894ec5f2f411328_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_03960f088f471904c894ec5f2f411328_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe
  C:\Windows\{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\{04054499-F825-4393-99E2-ACA9D705293C}.exe
    C:\Windows\{04054499-F825-4393-99E2-ACA9D705293C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe
      C:\Windows\{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe
        
        C:\Windows\{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Windows\{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe
        
        C:\Windows\{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe
        
        C:\Windows\{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe
        
        C:\Windows\{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe
        
        C:\Windows\{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe
        
        C:\Windows\{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\{19CFA851-69B9-4e82-AAC1-A03BD1E41317}.exe
        
        C:\Windows\{19CFA851-69B9-4e82-AAC1-A03BD1E41317}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\{1FB21E27-8ED5-40b6-A184-00B4330A2199}.exe
        
        C:\Windows\{1FB21E27-8ED5-40b6-A184-00B4330A2199}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
        
        C:\Windows\{B032DC20-0092-407c-A8E5-5D5AAC106DFC}.exe
        
        C:\Windows\{B032DC20-0092-407c-A8E5-5D5AAC106DFC}.exe
        13⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FB21~1.EXE > nul
        13⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19CFA~1.EXE > nul
        12⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E45F4~1.EXE > nul
        11⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA209~1.EXE > nul
        10⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7A5F~1.EXE > nul
        9⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AC31~1.EXE > nul
        8⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FE48~1.EXE > nul
        7⤵
        
        PID:3700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F5D0~1.EXE > nul
        6⤵
        
        PID:1360
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1C6E~1.EXE > nul
        5⤵
        
        PID:4612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{04054~1.EXE > nul
      4⤵
      PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0F2E9~1.EXE > nul
    3⤵
    PID:3292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04054499-F825-4393-99E2-ACA9D705293C}.exe

Filesize
168KB

MD5
5395173285e978b0001ccccdf1bf0286

SHA1
762a5486be84688b5f5cf9bda139aa669bd2c18e

SHA256
5f86f7488ca35b89ee50d7ad2a2c5d8c23dc44d33523ade0b0e37fdf18710265

SHA512
0105e01205ba06eb62fda73611beda4ed1c23880a900386664f165af751bec30b390b80ad74b49ef6fd38b7301e043221ddfd5f6274561fc9fec0649c22b4ec0

Download Submit
C:\Windows\{0F2E9073-605B-4167-A3A9-67CE3F4CCBD7}.exe

Filesize
168KB

MD5
503f4ba30f4216ea0e0664fba10c195e

SHA1
3fde3d0bfb80bbd614d0078c65246971fcf791c5

SHA256
56ce2c0e2c0365ecd42b793de292f270dc20639c450ad29b16cf4cad27faf863

SHA512
ad880c67c02cf2af340d119a0f2597cabf518aeccc9629b057e768d604830915dfdb7058067d76e8389fdd0349828eb14b98a1fcf10a7cb188a9b1a9aae41eab

Download Submit
C:\Windows\{0F5D0883-0FBC-48c4-99F3-A8F8A27EE24C}.exe

Filesize
168KB

MD5
6e8ceab550593d1fe43151d21197a42f

SHA1
8b84a7a55c9abfc9b43e83a968ed408c988f59d9

SHA256
6d3fd5ebae52fa623407a267679190e98c590c12767c3a520997f2cfd50f7f36

SHA512
3a088e361cb8faa48eced80c7ab8001022f9a5eaec44b44131c80229a3433934c8be21a7e04699235d9e227b75d29ee9558bf548bd91e07ab53b06ec9ea2a420

Download Submit
C:\Windows\{19CFA851-69B9-4e82-AAC1-A03BD1E41317}.exe

Filesize
168KB

MD5
2489d37f3e3b45340e4d22bc51b3fac1

SHA1
fe4aac6ae1d96ee4f5539bc5d9e028714e175bb5

SHA256
e13b7990936fe6469bc215a3e4d218e9ba17b86fb71acd2f403bab20e0eb740f

SHA512
0520170e4d4c08168df766f3fc4802375983da1574ae76f895b3b12d6bd278afc1ff2a8a0ac2c275fcacc120aa4230868f43a9769d732fa91db5e630df86fdec

Download Submit
C:\Windows\{1FB21E27-8ED5-40b6-A184-00B4330A2199}.exe

Filesize
168KB

MD5
7d6abdaa1e73d729f87e3957bf625337

SHA1
067c5072e568cebf87afd77b647266cca686e823

SHA256
ca34d720eceb59099aaf81b91f502ebec92a9d4b12df9ba9f8cbd6838fe1e1f2

SHA512
5f4fa10495427b6be687ab61b7b8c6d321f50201a965f014b97f34dce99eac9c8b883a997101070ae5e4a718a33e3e95bb21034731ec802fc6012e70f3b14d42

Download Submit
C:\Windows\{1FE489F5-55FE-41b1-95A7-76B6FAA37A77}.exe

Filesize
168KB

MD5
219e895b94d82e728c2ce5317ac2c8c7

SHA1
e73af7e8996c928334b9ed84d25e2dafd894cd98

SHA256
81c89a75231442721803d288ab116c5d65991ad2641f647dd40e5d58f093b7f8

SHA512
e47152ff472282ec51f03b063a2caa5ea9c394615eaeb50ced8133543b0d0a703fa1fd2ccaf36fc7e351d8d47c144327ea1bb0060cfbb023b544a1523711cea9

Download Submit
C:\Windows\{9AC3137A-0F4C-469a-B6E9-EF873511ED06}.exe

Filesize
168KB

MD5
fb29927f3ec34e8db1eaf487b789941e

SHA1
e1f561b69b05eae443940959fae1af377de878ae

SHA256
cd4e891dde57664b5266dc2b9c295112cbf8d8eed1a061ef832740d63d87d28b

SHA512
1a64298eb414286627faca9628ac62ae77f27d30c4fb033365683b6b7f5e4096ac8cbfac758447e559e63c8187061f735f75ef104ca446bac3992510e9c66f92

Download Submit
C:\Windows\{AA209BC4-CC1B-4784-B420-9FC2DFA06365}.exe

Filesize
168KB

MD5
5d75da65f45af52b2f7e605aaa60414d

SHA1
a03240a8fdfc932eda7c5a7b3d63d305e8092a82

SHA256
dae58c464e1be2ebbe0cef2d7979181963dd9fb54054f80b015d47d6ef25a264

SHA512
3a79b8096fcb25517d2f3e389da304415e691acae0e93ca800c12457016dbbd05c6a0799e4764eedefaaeede71c1c692c73cfa8a30cfffc4f33462d3ae25968a

Download Submit
C:\Windows\{B032DC20-0092-407c-A8E5-5D5AAC106DFC}.exe

Filesize
168KB

MD5
2fb574d96ddecbc5208377c51499e9de

SHA1
563994ee77e91b4937ce0aa62f5dd37e659097ad

SHA256
45a45eb5313b19ec4eadac062afedc651cef2bb51257705f2b9c378cc89bac71

SHA512
067b295cf35678ff39d7544521b25e5d539126399af9280f52bc2f0e6000208e4a037c9fc7da07a86267541cbc2bd5b2620dc2d2cf7701d617a6aef36691e946

Download Submit
C:\Windows\{E1C6E42E-6DF3-4a5f-BC44-A449E1155DFC}.exe

Filesize
168KB

MD5
668c2a6c2db69b76bfd9363f43765f2c

SHA1
4c1757ffa1fb12dfd9ae8df6ef5e549f31d8f24e

SHA256
d082a7f55b048319c954aea321d7a0e15a3b69c6bad772aff0c9685c1e24913f

SHA512
d56b797766f80b794fd5c6140a9140f7fb562f34e7c1e12d393b9e66373c720a5d17f0bbf17ca55b357f57c3b50a5990ddc14c057a086bdf0708c461c6494626

Download Submit
C:\Windows\{E45F4E12-A1A1-4b89-BA4B-0C04E236ECF3}.exe

Filesize
168KB

MD5
52d022484a61e8224619cf7933141758

SHA1
f36f6f99ee280acd0dd99379b02f55d537a59617

SHA256
2a9dd7045daa826bc0a467148024f3d9980a12725a64b2c23bacb212b64c5331

SHA512
399d9f9ca64bce5a86925e7c8bfa2b04f44f4c9a2d92ed84eda9cedafcc4da727f9ca5559399ca1110baf95a238fc918c4baadb0e7cdb5b60e0a384e380b5c08

Download Submit
C:\Windows\{E7A5F77A-071A-4741-ABD3-CE76A2E871CB}.exe

Filesize
168KB

MD5
fd5da16b40d4a175d062349c86e4c827

SHA1
18d1fc1c6566139987475854bfc281de95106392

SHA256
ed73043409d09e389f9390746b4f5d748dffb6e914dd227b4d8f9a7210e5ab43

SHA512
b5622184fd390ea2a56f3c0bb43bc84e189bef027dff3fefaac751f30942854dae644c80b33bba0a5bc832e72c7a716735f5fe33304a01a27d4529d224475406

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads