3d0723b933ffb88de6b22abf168873b36d2e9d266d98aeb0e39184ed2e284553

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe
Size

216KB
MD5

6dd96150c05b8e203ccdc1ce196840aa
SHA1

adc3efa726e09d2bcbe1581f08ef6380632eb110
SHA256

3d0723b933ffb88de6b22abf168873b36d2e9d266d98aeb0e39184ed2e284553
SHA512

a6a864f37460bfdbd566683a923d9af260963237be80fd2d8417a125a00a0b090e7df4cd7b91ee241b00381a7fed5442c5f3949ca38c5ad25ef05afb7cc392dd
SSDEEP

3072:jEGh0oJl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGPlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b000000022ea7-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002344e-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000022ea7-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002344e-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000022ea7-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002344e-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000022ea7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002344e-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000022ea7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002344e-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000022ea7-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000001e093-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E46904E-93F4-4ade-B355-585BF0F692B7}\stubpath = "C:\\Windows\\{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe"	{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}	{8208354C-BA77-4b21-B442-2A8A072946D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}	{A7574513-F4AC-43b3-855F-125B9B68E845}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0762FC8C-B709-4237-85C6-CC16898B192B}	{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}\stubpath = "C:\\Windows\\{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe"	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}	{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}	{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}	{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{955DC561-782F-4c9c-B63C-6DD64A486396}\stubpath = "C:\\Windows\\{955DC561-782F-4c9c-B63C-6DD64A486396}.exe"	{0762FC8C-B709-4237-85C6-CC16898B192B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E46904E-93F4-4ade-B355-585BF0F692B7}	{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8208354C-BA77-4b21-B442-2A8A072946D0}\stubpath = "C:\\Windows\\{8208354C-BA77-4b21-B442-2A8A072946D0}.exe"	{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7574513-F4AC-43b3-855F-125B9B68E845}\stubpath = "C:\\Windows\\{A7574513-F4AC-43b3-855F-125B9B68E845}.exe"	{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}\stubpath = "C:\\Windows\\{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe"	{A7574513-F4AC-43b3-855F-125B9B68E845}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}\stubpath = "C:\\Windows\\{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}.exe"	{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{955DC561-782F-4c9c-B63C-6DD64A486396}	{0762FC8C-B709-4237-85C6-CC16898B192B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}	{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0762FC8C-B709-4237-85C6-CC16898B192B}\stubpath = "C:\\Windows\\{0762FC8C-B709-4237-85C6-CC16898B192B}.exe"	{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}\stubpath = "C:\\Windows\\{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe"	{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}\stubpath = "C:\\Windows\\{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe"	{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}\stubpath = "C:\\Windows\\{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe"	{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8208354C-BA77-4b21-B442-2A8A072946D0}	{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}\stubpath = "C:\\Windows\\{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe"	{8208354C-BA77-4b21-B442-2A8A072946D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7574513-F4AC-43b3-855F-125B9B68E845}	{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe

Executes dropped EXE 12 IoCs

pid	Process
4936	{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe
3516	{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe
1952	{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe
3184	{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe
1544	{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe
4392	{8208354C-BA77-4b21-B442-2A8A072946D0}.exe
4684	{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe
4076	{A7574513-F4AC-43b3-855F-125B9B68E845}.exe
1112	{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe
3996	{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}.exe
3668	{0762FC8C-B709-4237-85C6-CC16898B192B}.exe
416	{955DC561-782F-4c9c-B63C-6DD64A486396}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe	{8208354C-BA77-4b21-B442-2A8A072946D0}.exe
File created	C:\Windows\{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}.exe	{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe
File created	C:\Windows\{0762FC8C-B709-4237-85C6-CC16898B192B}.exe	{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}.exe
File created	C:\Windows\{955DC561-782F-4c9c-B63C-6DD64A486396}.exe	{0762FC8C-B709-4237-85C6-CC16898B192B}.exe
File created	C:\Windows\{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe	{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe
File created	C:\Windows\{8208354C-BA77-4b21-B442-2A8A072946D0}.exe	{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe
File created	C:\Windows\{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe	{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe
File created	C:\Windows\{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe	{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe
File created	C:\Windows\{A7574513-F4AC-43b3-855F-125B9B68E845}.exe	{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe
File created	C:\Windows\{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe	{A7574513-F4AC-43b3-855F-125B9B68E845}.exe
File created	C:\Windows\{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe
File created	C:\Windows\{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe	{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4144	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4936	{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe
Token: SeIncBasePriorityPrivilege	3516	{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe
Token: SeIncBasePriorityPrivilege	1952	{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe
Token: SeIncBasePriorityPrivilege	3184	{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe
Token: SeIncBasePriorityPrivilege	1544	{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe
Token: SeIncBasePriorityPrivilege	4392	{8208354C-BA77-4b21-B442-2A8A072946D0}.exe
Token: SeIncBasePriorityPrivilege	4684	{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe
Token: SeIncBasePriorityPrivilege	4076	{A7574513-F4AC-43b3-855F-125B9B68E845}.exe
Token: SeIncBasePriorityPrivilege	1112	{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe
Token: SeIncBasePriorityPrivilege	3996	{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}.exe
Token: SeIncBasePriorityPrivilege	3668	{0762FC8C-B709-4237-85C6-CC16898B192B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 4936	4144	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe	84
PID 4144 wrote to memory of 4936	4144	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe	84
PID 4144 wrote to memory of 4936	4144	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe	84
PID 4144 wrote to memory of 4488	4144	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe	85
PID 4144 wrote to memory of 4488	4144	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe	85
PID 4144 wrote to memory of 4488	4144	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe	85
PID 4936 wrote to memory of 3516	4936	{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe	86
PID 4936 wrote to memory of 3516	4936	{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe	86
PID 4936 wrote to memory of 3516	4936	{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe	86
PID 4936 wrote to memory of 1264	4936	{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe	87
PID 4936 wrote to memory of 1264	4936	{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe	87
PID 4936 wrote to memory of 1264	4936	{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe	87
PID 3516 wrote to memory of 1952	3516	{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe	88
PID 3516 wrote to memory of 1952	3516	{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe	88
PID 3516 wrote to memory of 1952	3516	{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe	88
PID 3516 wrote to memory of 4940	3516	{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe	89
PID 3516 wrote to memory of 4940	3516	{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe	89
PID 3516 wrote to memory of 4940	3516	{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe	89
PID 1952 wrote to memory of 3184	1952	{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe	90
PID 1952 wrote to memory of 3184	1952	{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe	90
PID 1952 wrote to memory of 3184	1952	{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe	90
PID 1952 wrote to memory of 5112	1952	{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe	91
PID 1952 wrote to memory of 5112	1952	{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe	91
PID 1952 wrote to memory of 5112	1952	{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe	91
PID 3184 wrote to memory of 1544	3184	{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe	92
PID 3184 wrote to memory of 1544	3184	{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe	92
PID 3184 wrote to memory of 1544	3184	{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe	92
PID 3184 wrote to memory of 3204	3184	{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe	93
PID 3184 wrote to memory of 3204	3184	{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe	93
PID 3184 wrote to memory of 3204	3184	{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe	93
PID 1544 wrote to memory of 4392	1544	{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe	94
PID 1544 wrote to memory of 4392	1544	{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe	94
PID 1544 wrote to memory of 4392	1544	{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe	94
PID 1544 wrote to memory of 488	1544	{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe	95
PID 1544 wrote to memory of 488	1544	{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe	95
PID 1544 wrote to memory of 488	1544	{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe	95
PID 4392 wrote to memory of 4684	4392	{8208354C-BA77-4b21-B442-2A8A072946D0}.exe	96
PID 4392 wrote to memory of 4684	4392	{8208354C-BA77-4b21-B442-2A8A072946D0}.exe	96
PID 4392 wrote to memory of 4684	4392	{8208354C-BA77-4b21-B442-2A8A072946D0}.exe	96
PID 4392 wrote to memory of 60	4392	{8208354C-BA77-4b21-B442-2A8A072946D0}.exe	97
PID 4392 wrote to memory of 60	4392	{8208354C-BA77-4b21-B442-2A8A072946D0}.exe	97
PID 4392 wrote to memory of 60	4392	{8208354C-BA77-4b21-B442-2A8A072946D0}.exe	97
PID 4684 wrote to memory of 4076	4684	{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe	98
PID 4684 wrote to memory of 4076	4684	{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe	98
PID 4684 wrote to memory of 4076	4684	{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe	98
PID 4684 wrote to memory of 448	4684	{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe	99
PID 4684 wrote to memory of 448	4684	{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe	99
PID 4684 wrote to memory of 448	4684	{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe	99
PID 4076 wrote to memory of 1112	4076	{A7574513-F4AC-43b3-855F-125B9B68E845}.exe	100
PID 4076 wrote to memory of 1112	4076	{A7574513-F4AC-43b3-855F-125B9B68E845}.exe	100
PID 4076 wrote to memory of 1112	4076	{A7574513-F4AC-43b3-855F-125B9B68E845}.exe	100
PID 4076 wrote to memory of 3532	4076	{A7574513-F4AC-43b3-855F-125B9B68E845}.exe	101
PID 4076 wrote to memory of 3532	4076	{A7574513-F4AC-43b3-855F-125B9B68E845}.exe	101
PID 4076 wrote to memory of 3532	4076	{A7574513-F4AC-43b3-855F-125B9B68E845}.exe	101
PID 1112 wrote to memory of 3996	1112	{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe	102
PID 1112 wrote to memory of 3996	1112	{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe	102
PID 1112 wrote to memory of 3996	1112	{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe	102
PID 1112 wrote to memory of 4132	1112	{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe	103
PID 1112 wrote to memory of 4132	1112	{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe	103
PID 1112 wrote to memory of 4132	1112	{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe	103
PID 3996 wrote to memory of 3668	3996	{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}.exe	104
PID 3996 wrote to memory of 3668	3996	{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}.exe	104
PID 3996 wrote to memory of 3668	3996	{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}.exe	104
PID 3996 wrote to memory of 3108	3996	{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Windows\{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe
  C:\Windows\{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe
    C:\Windows\{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe
      C:\Windows\{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe
        
        C:\Windows\{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3184
      - C:\Windows\{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe
        
        C:\Windows\{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\{8208354C-BA77-4b21-B442-2A8A072946D0}.exe
        
        C:\Windows\{8208354C-BA77-4b21-B442-2A8A072946D0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe
        
        C:\Windows\{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\{A7574513-F4AC-43b3-855F-125B9B68E845}.exe
        
        C:\Windows\{A7574513-F4AC-43b3-855F-125B9B68E845}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe
        
        C:\Windows\{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}.exe
        
        C:\Windows\{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\{0762FC8C-B709-4237-85C6-CC16898B192B}.exe
        
        C:\Windows\{0762FC8C-B709-4237-85C6-CC16898B192B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
        
        C:\Windows\{955DC561-782F-4c9c-B63C-6DD64A486396}.exe
        
        C:\Windows\{955DC561-782F-4c9c-B63C-6DD64A486396}.exe
        13⤵
        Executes dropped EXE
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0762F~1.EXE > nul
        13⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0797C~1.EXE > nul
        12⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8ABE1~1.EXE > nul
        11⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7574~1.EXE > nul
        10⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30BDB~1.EXE > nul
        9⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82083~1.EXE > nul
        8⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B8F0~1.EXE > nul
        7⤵
        
        PID:488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E469~1.EXE > nul
        6⤵
        
        PID:3204
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF26~1.EXE > nul
        5⤵
        
        PID:5112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7BB47~1.EXE > nul
      4⤵
      PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C6AC1~1.EXE > nul
    3⤵
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0762FC8C-B709-4237-85C6-CC16898B192B}.exe

Filesize
216KB

MD5
66c9e2a740cbcd60d2621f48cbe438e8

SHA1
8531a2f28caab0dec5fa00f0dbae6a81d4b9127d

SHA256
6a96a0fd894ff4c2689a9040a425e903396727e3e520cb40cf6b46212221c02d

SHA512
ff395e236af6c9b4e9c9041b37ab5d4fdba5c7648cde8aceb2136dc7e89701070e595a0b5cc6e7878d0897f4d8b2d8843f2358ad2f8289fcfe2e14b3dabf1d46

Download Submit
C:\Windows\{0797C189-9FF7-4bc9-AA0B-2AA4B8EF240B}.exe

Filesize
216KB

MD5
8dbcb2872272d26f1ef56fa3652aeb5d

SHA1
cf261d9150d8573c74f5de1c96d1f7185806d480

SHA256
6cbe0bdaf3cb4d5d6ef0ea4838147837de31524e98f050eb0048980b3f31e085

SHA512
7085834e44dc2ae34b247a6259188b4cc5378107ffaca8a25d54c9481126783e2f56890217426571e457bcecb23fe5016a87ae918e29ce908e043a86ed1867ae

Download Submit
C:\Windows\{30BDB27C-5ECF-4c8a-A5D0-CC4A27324117}.exe

Filesize
216KB

MD5
8a18dc2a4f642c1d3474a8cf78e92a94

SHA1
a5436b055548ff6a34a7584354512fb2879e330d

SHA256
677e5e23bb07bb325b89a06a3e1ba4320e84413f87ffb9117d95a0b4f904c861

SHA512
80057a85c0808975acb41a5b83ca2041d886876b341be447a5ad106753668761d26852273d9059133b1bd6283a3bdbc9f4ae68628b4dc88710dda190badf7a17

Download Submit
C:\Windows\{3E46904E-93F4-4ade-B355-585BF0F692B7}.exe

Filesize
216KB

MD5
efe536724b323fcce92686672600fc73

SHA1
18b1214c8c1d3179e99cf694af1aecb02f05dfcd

SHA256
39ae183700bbdbaa68060bfbdd2eab44ae8953a6c83ac0844decf8130cd34f87

SHA512
bafbfbaf57b8a591fcddd7492dbe0af38e172b8014042b3a0ac92a7df55ca03b3eb722b52edc4deb01a5ababd623b77336d733e29bb2f12c42cd900fa4056d82

Download Submit
C:\Windows\{7BB47D3F-EFE1-4ba1-960E-56A4E7C67CE9}.exe

Filesize
216KB

MD5
e229c5f28f9d4e440239c7e300811e49

SHA1
ecc0bac9197c75e5cebf8dc8527893864c2925e8

SHA256
b6092981e518b88031662f996afb124e46ebd746367e74f8f7ae053eac0f22fd

SHA512
c61c9d6b477f6a7f68b00ccd845d15ff426425daceac45414860a3c6f85b73cb154d54d028f98d3a9e79e777036dcc463014392288370650f47d14f2ee89ceb7

Download Submit
C:\Windows\{8208354C-BA77-4b21-B442-2A8A072946D0}.exe

Filesize
216KB

MD5
58f002be8bdf31b90ab6dd9b813f1fde

SHA1
4f338a929de9c45cd0da1eacbd15890c5094f1c2

SHA256
33be8c39d3fbb6044cc0282e9ab90f4983142f7e9e02e49ac1aedc54dd0cd7ff

SHA512
735d1d4d1c0bf81ae4917b666394a115a3f86bd26d89fdb0cf97abbc935e05ac28fed85fefbc98bba6b815ca0d6fa048a140f2965ca5f876d1e3cce3c9ce06ac

Download Submit
C:\Windows\{8ABE1D2B-A6DA-44ad-9F01-DBF5AF884379}.exe

Filesize
216KB

MD5
e6262a282c9b18ad1532599e1d07fa91

SHA1
81e01118618f38d088c17b81234c9f742ad70194

SHA256
3a8c36960edd25b463554618a9ae37ed65dc9ad837dbc416bbf4101964e2483f

SHA512
7615d50c570c89fe00a41c832bae47d7514f4f11beab7177784e89e6029d8658f4d71f2b2e69c2acb87a04b7427bbb067009e8fbb17adef6628531f3824fc35d

Download Submit
C:\Windows\{8B8F0F91-2B7C-441e-94EC-5C596CB2BE26}.exe

Filesize
216KB

MD5
cb940e3d87502d2598a3d8f886937317

SHA1
d64396ea6b514c72ab04ac9646653042567e7282

SHA256
bc16e28065a10b63b72f549080f4423741bd0d779a3dd0df36d3b89c80fcd358

SHA512
fe7e7c826ce9a7dea11707df38ee216608ef18c3b746bd5ed98cf81ba185905124eb4decef528a850eae74ba5284ae070b14c75bbd5276eb3e9fa3d22a04373d

Download Submit
C:\Windows\{955DC561-782F-4c9c-B63C-6DD64A486396}.exe

Filesize
216KB

MD5
bcb2c6bb93ec915f44abcd48b0863cbf

SHA1
c7323f96b517254d7691a9af16d07af29e605ba2

SHA256
221af949b59c6103fe94fbe305528d3017c7ad01e838a401bb9f5663ef68b74d

SHA512
4fdbd8adb91e799027bd84bb60b66024a7770cb1a436cb5ea3196ff44e8adb194b7a36b52c1dcd1d61a31e5e7e43b85f7d2bc70733d27c200b4e6012620b3cc9

Download Submit
C:\Windows\{9DF26F28-CFDA-4695-8886-7A2E3A09E5E5}.exe

Filesize
216KB

MD5
3cc299e1f65606fb2181a2c1b284be87

SHA1
56849a0e5ea114ba013c166d91f6a4dd1067a63b

SHA256
167d9ebda0a9a67d319d50f1623be564f183f38b4a1070424fb8e7c6f5ed4449

SHA512
9239d20800dc24e2895a7ae5ffb616fd94185785a00a179448f8275c0d8d7e228814dd9ec101bf0ee9d086f5e8b0addf0c213ae44af941cb310b3612c0e746fd

Download Submit
C:\Windows\{A7574513-F4AC-43b3-855F-125B9B68E845}.exe

Filesize
216KB

MD5
a709dc78596dd092152a02719bb875e1

SHA1
61152f2a27fd3cced589b9627ea3ffd23b2f404a

SHA256
9966288579d0c64190c63210f2edb6ddec8477e6f7cbc06511e4369a468d8463

SHA512
82468124d8be0ffc332312665c32e9b0026547194115c1cba7ddabfae45ebd6db08e8d60f91b59865744163382fa4c0412956fd269df75e4e0c38cc51f9eac1b

Download Submit
C:\Windows\{C6AC1A76-BF5D-48e1-8CDC-6B0392B338DA}.exe

Filesize
216KB

MD5
ed16f8d41b8e5c8e506ae99c1bca9e20

SHA1
cc58e47fed7a5a23695ea342c87c38af8ce4cece

SHA256
ddcdc2a6d26f77dd9679d86e869d2f160b818ff0c94bbb37f5de614e16f168e5

SHA512
af4e083a7d68c52292f45c524e09798c039578ce11f444f22fc684912bab33db436f84aadf6064a633688abe2ef71ac7c48b3e7a190a46829db579d02817d876

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads