db91628f2e212116cf5d67f72eb988cf9e9226face956f670daa8ac86a6f46f1

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_a55b3fbaab5a66224abffa43a0d38ea6_goldeneye.exe
Size

216KB
MD5

a55b3fbaab5a66224abffa43a0d38ea6
SHA1

5571d0bd22526062f73b7ac2d3aac012461663d6
SHA256

db91628f2e212116cf5d67f72eb988cf9e9226face956f670daa8ac86a6f46f1
SHA512

033ebb2bbf15d06819a1a7a5bbce244432b6ffa30b46b6eac96fc97d877bc3207bba6280edf4ec47e87b29a9037c5b390115b51632f20f112d300a6fbc559f05
SSDEEP

3072:jEGh0oll+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGLlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023418-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023452-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023462-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023452-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e743-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023452-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e743-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023452-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e743-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023452-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e743-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023452-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{136D3482-06F5-438e-96D7-3FBC5F56E0CC}	{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}\stubpath = "C:\\Windows\\{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe"	{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A647713A-2972-4ab0-BD97-57D37816BD6C}\stubpath = "C:\\Windows\\{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe"	{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}	{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}	{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}\stubpath = "C:\\Windows\\{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe"	{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D72772B0-98BA-4326-9FDA-99A1797C6BB2}\stubpath = "C:\\Windows\\{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe"	{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}\stubpath = "C:\\Windows\\{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}.exe"	{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{613BF607-A3E6-4ad5-B696-19912EE4C2CD}\stubpath = "C:\\Windows\\{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe"	{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}	{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{136D3482-06F5-438e-96D7-3FBC5F56E0CC}\stubpath = "C:\\Windows\\{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe"	{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A647713A-2972-4ab0-BD97-57D37816BD6C}	{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83D51A57-9E52-4926-8C84-17B343FCF135}	{6D11A0E4-2D82-4903-A8ED-74EF5017A862}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83D51A57-9E52-4926-8C84-17B343FCF135}\stubpath = "C:\\Windows\\{83D51A57-9E52-4926-8C84-17B343FCF135}.exe"	{6D11A0E4-2D82-4903-A8ED-74EF5017A862}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38C11DF6-67B1-4914-955D-674D6E472AA8}\stubpath = "C:\\Windows\\{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe"	2024-04-15_a55b3fbaab5a66224abffa43a0d38ea6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}\stubpath = "C:\\Windows\\{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe"	{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{613BF607-A3E6-4ad5-B696-19912EE4C2CD}	{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}\stubpath = "C:\\Windows\\{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe"	{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D11A0E4-2D82-4903-A8ED-74EF5017A862}	{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D11A0E4-2D82-4903-A8ED-74EF5017A862}\stubpath = "C:\\Windows\\{6D11A0E4-2D82-4903-A8ED-74EF5017A862}.exe"	{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38C11DF6-67B1-4914-955D-674D6E472AA8}	2024-04-15_a55b3fbaab5a66224abffa43a0d38ea6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D72772B0-98BA-4326-9FDA-99A1797C6BB2}	{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}	{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}	{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe

Executes dropped EXE 12 IoCs

pid	Process
4480	{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe
4800	{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe
3100	{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe
3428	{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe
2040	{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe
4384	{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe
4280	{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe
1292	{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe
2008	{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe
4696	{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}.exe
4476	{6D11A0E4-2D82-4903-A8ED-74EF5017A862}.exe
1408	{83D51A57-9E52-4926-8C84-17B343FCF135}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe	{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe
File created	C:\Windows\{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}.exe	{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe
File created	C:\Windows\{6D11A0E4-2D82-4903-A8ED-74EF5017A862}.exe	{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}.exe
File created	C:\Windows\{83D51A57-9E52-4926-8C84-17B343FCF135}.exe	{6D11A0E4-2D82-4903-A8ED-74EF5017A862}.exe
File created	C:\Windows\{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe	2024-04-15_a55b3fbaab5a66224abffa43a0d38ea6_goldeneye.exe
File created	C:\Windows\{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe	{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe
File created	C:\Windows\{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe	{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe
File created	C:\Windows\{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe	{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe
File created	C:\Windows\{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe	{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe
File created	C:\Windows\{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe	{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe
File created	C:\Windows\{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe	{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe
File created	C:\Windows\{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe	{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4244	2024-04-15_a55b3fbaab5a66224abffa43a0d38ea6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4480	{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe
Token: SeIncBasePriorityPrivilege	4800	{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe
Token: SeIncBasePriorityPrivilege	3100	{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe
Token: SeIncBasePriorityPrivilege	3428	{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe
Token: SeIncBasePriorityPrivilege	2040	{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe
Token: SeIncBasePriorityPrivilege	4384	{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe
Token: SeIncBasePriorityPrivilege	4280	{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe
Token: SeIncBasePriorityPrivilege	1292	{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe
Token: SeIncBasePriorityPrivilege	2008	{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe
Token: SeIncBasePriorityPrivilege	4696	{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}.exe
Token: SeIncBasePriorityPrivilege	4476	{6D11A0E4-2D82-4903-A8ED-74EF5017A862}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 4480	4244	2024-04-15_a55b3fbaab5a66224abffa43a0d38ea6_goldeneye.exe	82
PID 4244 wrote to memory of 4480	4244	2024-04-15_a55b3fbaab5a66224abffa43a0d38ea6_goldeneye.exe	82
PID 4244 wrote to memory of 4480	4244	2024-04-15_a55b3fbaab5a66224abffa43a0d38ea6_goldeneye.exe	82
PID 4244 wrote to memory of 2404	4244	2024-04-15_a55b3fbaab5a66224abffa43a0d38ea6_goldeneye.exe	83
PID 4244 wrote to memory of 2404	4244	2024-04-15_a55b3fbaab5a66224abffa43a0d38ea6_goldeneye.exe	83
PID 4244 wrote to memory of 2404	4244	2024-04-15_a55b3fbaab5a66224abffa43a0d38ea6_goldeneye.exe	83
PID 4480 wrote to memory of 4800	4480	{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe	84
PID 4480 wrote to memory of 4800	4480	{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe	84
PID 4480 wrote to memory of 4800	4480	{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe	84
PID 4480 wrote to memory of 2704	4480	{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe	85
PID 4480 wrote to memory of 2704	4480	{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe	85
PID 4480 wrote to memory of 2704	4480	{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe	85
PID 4800 wrote to memory of 3100	4800	{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe	97
PID 4800 wrote to memory of 3100	4800	{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe	97
PID 4800 wrote to memory of 3100	4800	{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe	97
PID 4800 wrote to memory of 216	4800	{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe	98
PID 4800 wrote to memory of 216	4800	{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe	98
PID 4800 wrote to memory of 216	4800	{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe	98
PID 3100 wrote to memory of 3428	3100	{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe	99
PID 3100 wrote to memory of 3428	3100	{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe	99
PID 3100 wrote to memory of 3428	3100	{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe	99
PID 3100 wrote to memory of 4976	3100	{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe	100
PID 3100 wrote to memory of 4976	3100	{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe	100
PID 3100 wrote to memory of 4976	3100	{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe	100
PID 3428 wrote to memory of 2040	3428	{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe	102
PID 3428 wrote to memory of 2040	3428	{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe	102
PID 3428 wrote to memory of 2040	3428	{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe	102
PID 3428 wrote to memory of 2480	3428	{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe	103
PID 3428 wrote to memory of 2480	3428	{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe	103
PID 3428 wrote to memory of 2480	3428	{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe	103
PID 2040 wrote to memory of 4384	2040	{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe	104
PID 2040 wrote to memory of 4384	2040	{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe	104
PID 2040 wrote to memory of 4384	2040	{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe	104
PID 2040 wrote to memory of 2612	2040	{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe	105
PID 2040 wrote to memory of 2612	2040	{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe	105
PID 2040 wrote to memory of 2612	2040	{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe	105
PID 4384 wrote to memory of 4280	4384	{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe	106
PID 4384 wrote to memory of 4280	4384	{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe	106
PID 4384 wrote to memory of 4280	4384	{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe	106
PID 4384 wrote to memory of 4416	4384	{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe	107
PID 4384 wrote to memory of 4416	4384	{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe	107
PID 4384 wrote to memory of 4416	4384	{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe	107
PID 4280 wrote to memory of 1292	4280	{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe	108
PID 4280 wrote to memory of 1292	4280	{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe	108
PID 4280 wrote to memory of 1292	4280	{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe	108
PID 4280 wrote to memory of 1488	4280	{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe	109
PID 4280 wrote to memory of 1488	4280	{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe	109
PID 4280 wrote to memory of 1488	4280	{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe	109
PID 1292 wrote to memory of 2008	1292	{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe	110
PID 1292 wrote to memory of 2008	1292	{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe	110
PID 1292 wrote to memory of 2008	1292	{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe	110
PID 1292 wrote to memory of 3968	1292	{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe	111
PID 1292 wrote to memory of 3968	1292	{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe	111
PID 1292 wrote to memory of 3968	1292	{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe	111
PID 2008 wrote to memory of 4696	2008	{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe	112
PID 2008 wrote to memory of 4696	2008	{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe	112
PID 2008 wrote to memory of 4696	2008	{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe	112
PID 2008 wrote to memory of 644	2008	{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe	113
PID 2008 wrote to memory of 644	2008	{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe	113
PID 2008 wrote to memory of 644	2008	{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe	113
PID 4696 wrote to memory of 4476	4696	{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}.exe	114
PID 4696 wrote to memory of 4476	4696	{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}.exe	114
PID 4696 wrote to memory of 4476	4696	{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}.exe	114
PID 4696 wrote to memory of 416	4696	{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-04-15_a55b3fbaab5a66224abffa43a0d38ea6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_a55b3fbaab5a66224abffa43a0d38ea6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe
  C:\Windows\{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe
    C:\Windows\{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe
      C:\Windows\{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3100
    - - C:\Windows\{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe
        
        C:\Windows\{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3428
      - C:\Windows\{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe
        
        C:\Windows\{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe
        
        C:\Windows\{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe
        
        C:\Windows\{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe
        
        C:\Windows\{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe
        
        C:\Windows\{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}.exe
        
        C:\Windows\{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\{6D11A0E4-2D82-4903-A8ED-74EF5017A862}.exe
        
        C:\Windows\{6D11A0E4-2D82-4903-A8ED-74EF5017A862}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
        
        C:\Windows\{83D51A57-9E52-4926-8C84-17B343FCF135}.exe
        
        C:\Windows\{83D51A57-9E52-4926-8C84-17B343FCF135}.exe
        13⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D11A~1.EXE > nul
        13⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2B36~1.EXE > nul
        12⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6477~1.EXE > nul
        11⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0F2A~1.EXE > nul
        10⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{136D3~1.EXE > nul
        9⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7277~1.EXE > nul
        8⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2EF8~1.EXE > nul
        7⤵
        
        PID:2612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D21CF~1.EXE > nul
        6⤵
        
        PID:2480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{613BF~1.EXE > nul
        5⤵
        
        PID:4976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1A1B7~1.EXE > nul
      4⤵
      PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{38C11~1.EXE > nul
    3⤵
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{136D3482-06F5-438e-96D7-3FBC5F56E0CC}.exe

Filesize
216KB

MD5
eac82964ba83cd34cecef88c14a24753

SHA1
8aec1fb84b2294faa9185cf9bc5e643c8014b72b

SHA256
43947700311b9f93ccf106d62f808bf31abead212e1dbccd9c04bfb875bc1d49

SHA512
20a6e8ec542f5e62da017712b87efe57debe65e8adb90fb6b180e8eeb67ad326972f979cd262265ab3d751b3ff6e09d5b60b8a66262d87fc15f7bdbbe2bcea6a

Download Submit
C:\Windows\{1A1B756C-ACA3-4f95-8B73-1210D5AEEA93}.exe

Filesize
216KB

MD5
504a9a59955a34414e14979c7935512b

SHA1
4001b3901c76f47140456b4088130bd6e5440a05

SHA256
a2cfae428512a0f39021a8114c0d59535faebbcc2e24bcc476cf50f8699d765b

SHA512
8535618323d6df00f159e03200b021231792512a11846d60e077d4792f66fe1c903c92a58f01db57a3584f1adedfc3919dfc8bf24b7bf6f19ac9eca5d771781a

Download Submit
C:\Windows\{38C11DF6-67B1-4914-955D-674D6E472AA8}.exe

Filesize
216KB

MD5
1252ea079c1797b6eb963eba93e36747

SHA1
9173c68d28d54232801905f37c82bcd9497b8519

SHA256
156ce4a1870bf54d8160f2ffb230798ea25260a5228897e7e098461066503748

SHA512
1466d9c9f8b41c81ddb411e584bb760d7102b8ba59862a28fe20c558a4de29cd238100250345b63a56a6179f6ab8478b240ab66dc3918327591fe16f9703ee96

Download Submit
C:\Windows\{613BF607-A3E6-4ad5-B696-19912EE4C2CD}.exe

Filesize
216KB

MD5
240a0fd63ff1aeca17bd2d28c5df1bd2

SHA1
8254e7e016aea63cb67fb0831c22e5b30bf21ed7

SHA256
10eb5f8dd3c66b11d5486856bfe7f2feefd0614a77103a19a15abb06cdd796c3

SHA512
474f777525b1a41a42323277406e6ee696614f57a11ef4c38b49a56bd05de20f95a04268894594ec663f95404b37010fe181c7e73a26b36267b2bce14e018855

Download Submit
C:\Windows\{6D11A0E4-2D82-4903-A8ED-74EF5017A862}.exe

Filesize
216KB

MD5
7d88438d205f8d8a0757145b400799f0

SHA1
2aa2f4523d644a0019929a5de62c6c7705239852

SHA256
eab39281bc5dada5aefe207aa44c2fe4f8648cba16bec03f389ba27a71877d7a

SHA512
eca7a5335f201d0ca0863eab75c7cdf7369578ca2ff58379649125b84035ef587548d9a2a2c5142716d818dca6b4fde7ae02261e2de7b3bcc5cc09bfb68e21bf

Download Submit
C:\Windows\{83D51A57-9E52-4926-8C84-17B343FCF135}.exe

Filesize
216KB

MD5
f59f436489ef496d7d541f7a9eacaf0b

SHA1
d35c2498950ece40e6aa74a6ad3e2b75ddb1a4c3

SHA256
e352cc50c132364c008e5d081ab2d846c78f169864acba27a4fa795cad203061

SHA512
5f83139abaa12ba05df42ee551c218deafe1cfb16dd971f4eeaa8b937097f217ed6c0bde0317f2002d3bf2aaaf6f99745609e5c77b5a293a804bf63de6b930b6

Download Submit
C:\Windows\{A0F2AFA0-D4E6-4528-93D8-773FB2046ADF}.exe

Filesize
216KB

MD5
eafb644d615ee6bf06d43963e141610e

SHA1
157034fe5dba5c7f3f5ff4521c9e395f70fd881d

SHA256
35edc2ceb5863ab39c86b6a7adf8ec58a1eb6aea00fe6e63437f81a8b8392fa0

SHA512
8546d62a02ce2556be79f1a1211647a0174028d3aee2c3056b93612c9c2fad2decb35cc555200355f5c60bea03dedb2c9f713a0b7b255c6944ed30f45336213a

Download Submit
C:\Windows\{A647713A-2972-4ab0-BD97-57D37816BD6C}.exe

Filesize
216KB

MD5
6cd14005bdf72e72d1d1712e55a5d724

SHA1
8a199e9f21050c7c5ae047ceb1306a041194fa2b

SHA256
e20751ba91a9be5b06b07464cda503d040fdc60f973db6b8db905556d924b169

SHA512
dfe4a3669906d3886839b7ab51a74ef544f9e87de47325f06fa1e5b205951acfe0ff63efad476de670b3839e229df50470884bd722da0ab1cff8b2157ffe147f

Download Submit
C:\Windows\{D21CFDB2-E775-4d4b-A23D-E8D5D319B9CC}.exe

Filesize
216KB

MD5
d4c74d1320ebd302e33762fd100be335

SHA1
ed6f1b0dfc356b06947495f500a94934c75332ca

SHA256
4c1a0cd32648a41f131307621a5d2f55592da4241035a04c7007c9c9fb44c248

SHA512
758cb217522f050ebe942949b9988fd496ea58cc1da27ccf93d3fba7babebf7d93ba577496d305927d5ac18a68f557e03d8bce8a17c1d78bb2b38d427aa6582e

Download Submit
C:\Windows\{D72772B0-98BA-4326-9FDA-99A1797C6BB2}.exe

Filesize
216KB

MD5
9dfa7005dda8719fa00b02fa2a56cec4

SHA1
e75aadf42751d8580a7bc2f498a191dd4b3c8db8

SHA256
238b5be9cb5351c39fe7281d9bf3220dcaadf0dd885d56fbd4b0fb0577afea47

SHA512
18719e59fecb531858aac0ae61c6b1fcd80837e9a1127317d17e1d04577b0bb98d65a3bf6499ccba1e408eb320bf2598230704c8c924bac3510f104daad78507

Download Submit
C:\Windows\{E2EF8E7C-CF13-4e31-8ED0-F998AC31BA27}.exe

Filesize
216KB

MD5
cd055e447aec02aa4267e42066ed1666

SHA1
66ca77bc51ba1968e9848ae500dee347cf30898c

SHA256
0e73f897d2d72aa2f418b1d8ddd2c5a0d802c191aaee9a36cd8f760580be08f8

SHA512
d1b31b8be0fc409b1845d4db4074d6741041ef760130fdc52625a20b82d18b93f3953c40f71813e7e688123622f267ff68bfd6966005d9364630e973326cda77

Download Submit
C:\Windows\{F2B36A5C-9E94-4cf7-A589-9F673EB481D8}.exe

Filesize
216KB

MD5
2382bf5c2ea2027327fb89306b4722d7

SHA1
0a773ed8397c524198ab6a5fdec36c94340dd617

SHA256
6c6bf82c6095cdc48bf7bfdef07e45f214e791a6b3081020d90858b13a8623ba

SHA512
d3568324391f256767167f80a9d4847d81ed9385b5607c27a37cce33a10e189399c5ce761adbb4b294b814bf48504af551d24fa45e248c8be3625723c7d9ed5e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads