ff61ca5fe75ef4a28044cb1f7a68f36d2d8472866d35f01fe1fb7db67c02e33b

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_d5cce7bfe07889865487b2d81b886485_goldeneye.exe
Size

380KB
MD5

d5cce7bfe07889865487b2d81b886485
SHA1

22f06018275b07eddcaa4b297aa06f42edbfcb79
SHA256

ff61ca5fe75ef4a28044cb1f7a68f36d2d8472866d35f01fe1fb7db67c02e33b
SHA512

895b6821aa17d896d90c4087d821983e811b31a8f0f17e69c3fde83c39701ac196d5b39905d3380bd895c7c2f516029e5533f415ea92a6ff02bc0dd0f6cbd461
SSDEEP

3072:mEGh0odZlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEct:mEG1l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b00000002338a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002338c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e752-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002338c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e752-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002338c-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e752-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002338c-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e752-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002338c-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e752-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002338c-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1D75B9A-7075-4025-88D6-3FD87945FF41}\stubpath = "C:\\Windows\\{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe"	2024-04-15_d5cce7bfe07889865487b2d81b886485_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}	{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}\stubpath = "C:\\Windows\\{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe"	{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}\stubpath = "C:\\Windows\\{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe"	{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}	{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}	{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}	{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}\stubpath = "C:\\Windows\\{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe"	{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{304E4416-8BEE-4e1e-B52D-F32D11F029F2}\stubpath = "C:\\Windows\\{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe"	{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}	{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AFA36B5-773B-4600-BD23-5F8B7FD78267}\stubpath = "C:\\Windows\\{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe"	{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB616BFF-CF29-4d37-9F4C-A752B8A7684B}\stubpath = "C:\\Windows\\{FB616BFF-CF29-4d37-9F4C-A752B8A7684B}.exe"	{D1D7170C-B1D8-4b78-B94E-A3F58DD53CE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}\stubpath = "C:\\Windows\\{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe"	{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}\stubpath = "C:\\Windows\\{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe"	{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1D75B9A-7075-4025-88D6-3FD87945FF41}	2024-04-15_d5cce7bfe07889865487b2d81b886485_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{304E4416-8BEE-4e1e-B52D-F32D11F029F2}	{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}	{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}\stubpath = "C:\\Windows\\{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe"	{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AFA36B5-773B-4600-BD23-5F8B7FD78267}	{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}	{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}\stubpath = "C:\\Windows\\{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}.exe"	{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1D7170C-B1D8-4b78-B94E-A3F58DD53CE2}\stubpath = "C:\\Windows\\{D1D7170C-B1D8-4b78-B94E-A3F58DD53CE2}.exe"	{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1D7170C-B1D8-4b78-B94E-A3F58DD53CE2}	{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB616BFF-CF29-4d37-9F4C-A752B8A7684B}	{D1D7170C-B1D8-4b78-B94E-A3F58DD53CE2}.exe

Executes dropped EXE 12 IoCs

pid	Process
1092	{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe
3948	{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe
4648	{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe
2880	{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe
808	{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe
3716	{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe
1620	{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe
1764	{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe
4264	{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe
2124	{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}.exe
2860	{D1D7170C-B1D8-4b78-B94E-A3F58DD53CE2}.exe
5072	{FB616BFF-CF29-4d37-9F4C-A752B8A7684B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FB616BFF-CF29-4d37-9F4C-A752B8A7684B}.exe	{D1D7170C-B1D8-4b78-B94E-A3F58DD53CE2}.exe
File created	C:\Windows\{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe	{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe
File created	C:\Windows\{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe	{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe
File created	C:\Windows\{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe	{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe
File created	C:\Windows\{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe	{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe
File created	C:\Windows\{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}.exe	{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe
File created	C:\Windows\{D1D7170C-B1D8-4b78-B94E-A3F58DD53CE2}.exe	{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}.exe
File created	C:\Windows\{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe	2024-04-15_d5cce7bfe07889865487b2d81b886485_goldeneye.exe
File created	C:\Windows\{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe	{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe
File created	C:\Windows\{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe	{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe
File created	C:\Windows\{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe	{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe
File created	C:\Windows\{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe	{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1576	2024-04-15_d5cce7bfe07889865487b2d81b886485_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1092	{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe
Token: SeIncBasePriorityPrivilege	3948	{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe
Token: SeIncBasePriorityPrivilege	4648	{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe
Token: SeIncBasePriorityPrivilege	2880	{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe
Token: SeIncBasePriorityPrivilege	808	{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe
Token: SeIncBasePriorityPrivilege	3716	{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe
Token: SeIncBasePriorityPrivilege	1620	{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe
Token: SeIncBasePriorityPrivilege	1764	{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe
Token: SeIncBasePriorityPrivilege	4264	{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe
Token: SeIncBasePriorityPrivilege	2124	{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}.exe
Token: SeIncBasePriorityPrivilege	2860	{D1D7170C-B1D8-4b78-B94E-A3F58DD53CE2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 1092	1576	2024-04-15_d5cce7bfe07889865487b2d81b886485_goldeneye.exe	92
PID 1576 wrote to memory of 1092	1576	2024-04-15_d5cce7bfe07889865487b2d81b886485_goldeneye.exe	92
PID 1576 wrote to memory of 1092	1576	2024-04-15_d5cce7bfe07889865487b2d81b886485_goldeneye.exe	92
PID 1576 wrote to memory of 2860	1576	2024-04-15_d5cce7bfe07889865487b2d81b886485_goldeneye.exe	93
PID 1576 wrote to memory of 2860	1576	2024-04-15_d5cce7bfe07889865487b2d81b886485_goldeneye.exe	93
PID 1576 wrote to memory of 2860	1576	2024-04-15_d5cce7bfe07889865487b2d81b886485_goldeneye.exe	93
PID 1092 wrote to memory of 3948	1092	{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe	94
PID 1092 wrote to memory of 3948	1092	{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe	94
PID 1092 wrote to memory of 3948	1092	{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe	94
PID 1092 wrote to memory of 2976	1092	{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe	95
PID 1092 wrote to memory of 2976	1092	{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe	95
PID 1092 wrote to memory of 2976	1092	{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe	95
PID 3948 wrote to memory of 4648	3948	{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe	99
PID 3948 wrote to memory of 4648	3948	{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe	99
PID 3948 wrote to memory of 4648	3948	{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe	99
PID 3948 wrote to memory of 3480	3948	{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe	100
PID 3948 wrote to memory of 3480	3948	{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe	100
PID 3948 wrote to memory of 3480	3948	{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe	100
PID 4648 wrote to memory of 2880	4648	{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe	101
PID 4648 wrote to memory of 2880	4648	{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe	101
PID 4648 wrote to memory of 2880	4648	{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe	101
PID 4648 wrote to memory of 4276	4648	{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe	102
PID 4648 wrote to memory of 4276	4648	{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe	102
PID 4648 wrote to memory of 4276	4648	{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe	102
PID 2880 wrote to memory of 808	2880	{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe	103
PID 2880 wrote to memory of 808	2880	{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe	103
PID 2880 wrote to memory of 808	2880	{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe	103
PID 2880 wrote to memory of 3464	2880	{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe	104
PID 2880 wrote to memory of 3464	2880	{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe	104
PID 2880 wrote to memory of 3464	2880	{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe	104
PID 808 wrote to memory of 3716	808	{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe	105
PID 808 wrote to memory of 3716	808	{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe	105
PID 808 wrote to memory of 3716	808	{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe	105
PID 808 wrote to memory of 2332	808	{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe	106
PID 808 wrote to memory of 2332	808	{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe	106
PID 808 wrote to memory of 2332	808	{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe	106
PID 3716 wrote to memory of 1620	3716	{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe	107
PID 3716 wrote to memory of 1620	3716	{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe	107
PID 3716 wrote to memory of 1620	3716	{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe	107
PID 3716 wrote to memory of 4220	3716	{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe	108
PID 3716 wrote to memory of 4220	3716	{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe	108
PID 3716 wrote to memory of 4220	3716	{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe	108
PID 1620 wrote to memory of 1764	1620	{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe	109
PID 1620 wrote to memory of 1764	1620	{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe	109
PID 1620 wrote to memory of 1764	1620	{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe	109
PID 1620 wrote to memory of 2584	1620	{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe	110
PID 1620 wrote to memory of 2584	1620	{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe	110
PID 1620 wrote to memory of 2584	1620	{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe	110
PID 1764 wrote to memory of 4264	1764	{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe	111
PID 1764 wrote to memory of 4264	1764	{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe	111
PID 1764 wrote to memory of 4264	1764	{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe	111
PID 1764 wrote to memory of 5064	1764	{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe	112
PID 1764 wrote to memory of 5064	1764	{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe	112
PID 1764 wrote to memory of 5064	1764	{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe	112
PID 4264 wrote to memory of 2124	4264	{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe	113
PID 4264 wrote to memory of 2124	4264	{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe	113
PID 4264 wrote to memory of 2124	4264	{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe	113
PID 4264 wrote to memory of 5060	4264	{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe	114
PID 4264 wrote to memory of 5060	4264	{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe	114
PID 4264 wrote to memory of 5060	4264	{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe	114
PID 2124 wrote to memory of 2860	2124	{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}.exe	115
PID 2124 wrote to memory of 2860	2124	{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}.exe	115
PID 2124 wrote to memory of 2860	2124	{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}.exe	115
PID 2124 wrote to memory of 684	2124	{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-04-15_d5cce7bfe07889865487b2d81b886485_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_d5cce7bfe07889865487b2d81b886485_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe
  C:\Windows\{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe
    C:\Windows\{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe
      C:\Windows\{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4648
    - - C:\Windows\{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe
        
        C:\Windows\{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe
        
        C:\Windows\{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe
        
        C:\Windows\{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe
        
        C:\Windows\{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe
        
        C:\Windows\{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe
        
        C:\Windows\{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}.exe
        
        C:\Windows\{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\{D1D7170C-B1D8-4b78-B94E-A3F58DD53CE2}.exe
        
        C:\Windows\{D1D7170C-B1D8-4b78-B94E-A3F58DD53CE2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\{FB616BFF-CF29-4d37-9F4C-A752B8A7684B}.exe
        
        C:\Windows\{FB616BFF-CF29-4d37-9F4C-A752B8A7684B}.exe
        13⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1D71~1.EXE > nul
        13⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{014BA~1.EXE > nul
        12⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BE68~1.EXE > nul
        11⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C1A9~1.EXE > nul
        10⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AFA3~1.EXE > nul
        9⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B699~1.EXE > nul
        8⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FB87~1.EXE > nul
        7⤵
        
        PID:2332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{304E4~1.EXE > nul
        6⤵
        
        PID:3464
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26EC3~1.EXE > nul
        5⤵
        
        PID:4276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FC161~1.EXE > nul
      4⤵
      PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A1D75~1.EXE > nul
    3⤵
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{014BACD7-D87B-4a5b-A6C0-4151F5B90FFE}.exe

Filesize
380KB

MD5
5db6ea07fb3beb31bc79a1d902670df8

SHA1
e4da74eaad2fdfeb8274943981802f242b4c4836

SHA256
523dd15ecd3a3657ffd579929cc7e52174e4c4be680f1f3ae18980b2935110e3

SHA512
c6ec9cab23b62ea286b6bbc6d9c2507d9a351d15b799217352bb0c5155d0a913112fc692695dc06411d9e38b86e9edf1737002013c6671e25a6f22f011e00aa3

Download Submit
C:\Windows\{26EC38AB-5B2F-4ff0-B0EC-70D3F05E06D6}.exe

Filesize
380KB

MD5
bc04412ed00878ca04c6a9b159f91c86

SHA1
5ca0ebf112d8019b2a30895dd33b271fab984836

SHA256
b27970007085dec10edfe658efb02a189aff0f3f6acc88446729ff3aab52f7c9

SHA512
28943845625703581d47fdbe30e0ded06724b01f352d729037b60c3702df42d30ff851dcfeaf8f6ceedb6ddc63c11a33e9daf2418c9210ca6e6defa29f53d02e

Download Submit
C:\Windows\{304E4416-8BEE-4e1e-B52D-F32D11F029F2}.exe

Filesize
380KB

MD5
3df77c90e584f5fa4f989b1bd9f58b8c

SHA1
8153ed80253b91f18f29c0e80eb9b65d34de897b

SHA256
40c3d5f7e187018e2f24a0d4e2c80cc1cb501766522ecde918e85aaff80b0292

SHA512
c0b482ccadc8d56263fbbfcc051016a7c555852adf91ebffac7e86bf53f540efbfca097c5b62796ef340a0b62a23252179fb0dd6d6c5ae9a6c0656bc51429a69

Download Submit
C:\Windows\{3BE68DFA-47A5-43d0-A3F6-BFB33FE72B63}.exe

Filesize
380KB

MD5
11f40792d516a3d629a40de731a04a97

SHA1
f93cb8b40b6db621203a7a40d755a3de13dc55bf

SHA256
ad9944f80052972d494c9853c93691bf531cbef840c2020fdff7d14ac2dffa80

SHA512
22c1b823ffaece22e0c8ae9bba6f05166492603e82a31d7eea817a4fbf950bbd8de3fb0e9dbe4b2e08c9571e6d9bbc1f019d16000e178c4efdb52d31c15f2175

Download Submit
C:\Windows\{3C1A9CD5-B8F5-48b9-9631-9C983A977D33}.exe

Filesize
380KB

MD5
032ada94f4cdc7bb96041ae33749db4e

SHA1
b46852ff5d3cd6e4497cfaa362fcdf714e15e849

SHA256
364f247da33349d90f191b764b7239deff7f3fea10d5ad88efaa038e3beca0d4

SHA512
d24f4c2f18a7fee25d4ec5ba2b753a1a348d287fe2f8726b8a31ae6a921937e1429e9b405d7d857df70dd9a6e7080daf4de93710bc51709f557e1c5b375ed83e

Download Submit
C:\Windows\{6B699DBF-5255-4c3a-9029-4FD75A62B6AA}.exe

Filesize
380KB

MD5
7b11e374d452bd19d3d5dbebee1451d9

SHA1
3c366571c03ff2510ec391722717bd95b377efb5

SHA256
3a7807eda8e626e73545d4af815bb6311f6809d8e168dcb6e65fbe43483934b2

SHA512
2b5c1edf4fa63fd0cc886433665c5765a7656edbbe6b24b7b6da943ff431a22b62f9cec08d9f0feb4dd1aed4f80d2146c7609b3f842003bd38585373f6f60540

Download Submit
C:\Windows\{7AFA36B5-773B-4600-BD23-5F8B7FD78267}.exe

Filesize
380KB

MD5
c0e40e0e9963962295fea68978c8caf7

SHA1
2da0ee13b98450fa599329d8cdb33a415cecff08

SHA256
6d6dd8bcbc970883b54800b67a0dc82830018bba5367418d1b3a99a0bcc8591a

SHA512
56ddef0422b0e39cd289b0d2761256efb9e49219c855e572de1ad71bbad022f1b6438f928e8d7f89b293695c36adc4f9a7bb8c7621cfdbc5060e269dfc3f8a7d

Download Submit
C:\Windows\{7FB87E3A-E012-4c04-8F45-AE7A9B11ABE9}.exe

Filesize
380KB

MD5
d6538007b432bc698a01f5522fee4499

SHA1
0c49e48a64db212b174e0516621d9a74ca9b70ab

SHA256
4ddc8c2d444f04e2532a960a29e54f290d116fe84a8843f58f9e5d3337db00c4

SHA512
1c05a71404fd9715c8429f2c39e4b106247a6d9ebe0b4eff10980e1171c4f80c840e6288765a49b531f772382e223ee3bd22a2cac8f92e2d8a8c2c90c986d4df

Download Submit
C:\Windows\{A1D75B9A-7075-4025-88D6-3FD87945FF41}.exe

Filesize
380KB

MD5
dc15afd3e04238781f5c383d9176b202

SHA1
db0d8877fc2e09fce755cf9f0de53c58ef357db7

SHA256
38ab4027e35f7c359a52e77203e05d87f5f3907b73d3f589017cb2a087163a39

SHA512
48212c813d55797c8cd6177d634bedf8a62aa192cf8a0d8806bebf459b6336c551d7a229ac8574e29a97cac07caa210b727da0ea15314de0899e3ac3370b6b2c

Download Submit
C:\Windows\{D1D7170C-B1D8-4b78-B94E-A3F58DD53CE2}.exe

Filesize
380KB

MD5
8db4ddb7dc05f1f1c078a3f1199e2d88

SHA1
37e8036dedeb10ebefddfcfd4b5ea55a79facfcb

SHA256
dbac77f1de88b1111bd106e01342be48f63c7b97e2b0896799fe8257f182f402

SHA512
23d982d3da0d5dbb3d3cd9e409eacd4ef5caf3115fea91f7efc2a17b1e9f5588212e649f733017d75b0c3aa076c9ebcb3a139e945fbf702a86d1275a5eb5b4b4

Download Submit
C:\Windows\{FB616BFF-CF29-4d37-9F4C-A752B8A7684B}.exe

Filesize
380KB

MD5
99e41841c91f534f378b6d9eb956a649

SHA1
2556611e7f209403d5820ece47c3b8b61d97d7c8

SHA256
21db14155dafe06a6dab554c6f60306e3ff489e299fcec7298b99282dbad1c4c

SHA512
ba8538033ed9798cfbf395d36180a4aa221f7b31634f6b987c586031614783c3f6431cd97dc561a394541a2e3df73f1e8541ffac054ab07184d049b6b4e1d13c

Download Submit
C:\Windows\{FC1611BA-636B-42a3-BD29-AF5EAEFF6D89}.exe

Filesize
380KB

MD5
1e63024673b3493d356c7eb9ea26ca76

SHA1
a5a017c10a8ffb06599ec5fe142bb168cd748b7f

SHA256
2c455cc0059d335ecf2dd0efd2e503d87f1f20cf4e05d46fc2a33d15929b2933

SHA512
2f2a2c83bf596b395628d6f0c2b6bba087d85da5a9fd223c948fc0749b0ca809e36e44d826952bb76a5b4dbac133e016951a6927cdf1a07b53fbe720b17cc122

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads