344e49da626af3c7b2f9ed75611263c42ccc9ff465ff49623a02faac18e74e79

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe
Size

216KB
MD5

b8680a52977490ac4a1841252c0a2dc8
SHA1

9dd2384cb5b1e0ca2ed1fb921e6345875f9f18b5
SHA256

344e49da626af3c7b2f9ed75611263c42ccc9ff465ff49623a02faac18e74e79
SHA512

51b7f5e92bcbec9238a1c6cd7fc0d0593eec867a709c6aab600596d8ea2d9e86bac346cca1e22b8fec36ed5634269d33d396161c152508ed80acf1680dc93f3b
SSDEEP

3072:jEGh0ogl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG2lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023401-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023402-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e752-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002340c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e752-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002340c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e752-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002340c-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e752-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002340c-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e752-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}	{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}\stubpath = "C:\\Windows\\{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe"	{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5D20205-C1E3-40d9-A2C9-64330A60F776}\stubpath = "C:\\Windows\\{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe"	{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}\stubpath = "C:\\Windows\\{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe"	{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}	{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}	{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07E60AD0-98A2-4f8d-B6E2-B43DE2F03E44}\stubpath = "C:\\Windows\\{07E60AD0-98A2-4f8d-B6E2-B43DE2F03E44}.exe"	{19E6D2D0-DDAD-408e-834E-09F0AACDEC02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}	{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}	{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23B3639A-F1BC-4063-AC84-E40763C0B3BB}\stubpath = "C:\\Windows\\{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe"	{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}	2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}	{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}\stubpath = "C:\\Windows\\{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe"	{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}\stubpath = "C:\\Windows\\{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe"	{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}	{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}\stubpath = "C:\\Windows\\{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe"	{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}\stubpath = "C:\\Windows\\{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}.exe"	{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19E6D2D0-DDAD-408e-834E-09F0AACDEC02}\stubpath = "C:\\Windows\\{19E6D2D0-DDAD-408e-834E-09F0AACDEC02}.exe"	{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}\stubpath = "C:\\Windows\\{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe"	2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}\stubpath = "C:\\Windows\\{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe"	{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5D20205-C1E3-40d9-A2C9-64330A60F776}	{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23B3639A-F1BC-4063-AC84-E40763C0B3BB}	{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19E6D2D0-DDAD-408e-834E-09F0AACDEC02}	{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07E60AD0-98A2-4f8d-B6E2-B43DE2F03E44}	{19E6D2D0-DDAD-408e-834E-09F0AACDEC02}.exe

Executes dropped EXE 12 IoCs

pid	Process
3764	{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe
2256	{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe
2912	{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe
4168	{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe
2980	{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe
3196	{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe
2312	{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe
456	{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe
776	{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe
3436	{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}.exe
4264	{19E6D2D0-DDAD-408e-834E-09F0AACDEC02}.exe
2380	{07E60AD0-98A2-4f8d-B6E2-B43DE2F03E44}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}.exe	{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe
File created	C:\Windows\{07E60AD0-98A2-4f8d-B6E2-B43DE2F03E44}.exe	{19E6D2D0-DDAD-408e-834E-09F0AACDEC02}.exe
File created	C:\Windows\{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe	2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe
File created	C:\Windows\{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe	{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe
File created	C:\Windows\{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe	{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe
File created	C:\Windows\{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe	{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe
File created	C:\Windows\{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe	{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe
File created	C:\Windows\{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe	{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe
File created	C:\Windows\{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe	{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe
File created	C:\Windows\{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe	{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe
File created	C:\Windows\{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe	{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe
File created	C:\Windows\{19E6D2D0-DDAD-408e-834E-09F0AACDEC02}.exe	{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2092	2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3764	{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe
Token: SeIncBasePriorityPrivilege	2256	{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe
Token: SeIncBasePriorityPrivilege	2912	{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe
Token: SeIncBasePriorityPrivilege	4168	{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe
Token: SeIncBasePriorityPrivilege	2980	{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe
Token: SeIncBasePriorityPrivilege	3196	{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe
Token: SeIncBasePriorityPrivilege	2312	{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe
Token: SeIncBasePriorityPrivilege	456	{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe
Token: SeIncBasePriorityPrivilege	776	{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe
Token: SeIncBasePriorityPrivilege	3436	{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}.exe
Token: SeIncBasePriorityPrivilege	4264	{19E6D2D0-DDAD-408e-834E-09F0AACDEC02}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 3764	2092	2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe	84
PID 2092 wrote to memory of 3764	2092	2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe	84
PID 2092 wrote to memory of 3764	2092	2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe	84
PID 2092 wrote to memory of 3292	2092	2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe	85
PID 2092 wrote to memory of 3292	2092	2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe	85
PID 2092 wrote to memory of 3292	2092	2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe	85
PID 3764 wrote to memory of 2256	3764	{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe	86
PID 3764 wrote to memory of 2256	3764	{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe	86
PID 3764 wrote to memory of 2256	3764	{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe	86
PID 3764 wrote to memory of 5004	3764	{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe	87
PID 3764 wrote to memory of 5004	3764	{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe	87
PID 3764 wrote to memory of 5004	3764	{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe	87
PID 2256 wrote to memory of 2912	2256	{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe	90
PID 2256 wrote to memory of 2912	2256	{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe	90
PID 2256 wrote to memory of 2912	2256	{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe	90
PID 2256 wrote to memory of 4220	2256	{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe	91
PID 2256 wrote to memory of 4220	2256	{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe	91
PID 2256 wrote to memory of 4220	2256	{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe	91
PID 2912 wrote to memory of 4168	2912	{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe	93
PID 2912 wrote to memory of 4168	2912	{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe	93
PID 2912 wrote to memory of 4168	2912	{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe	93
PID 2912 wrote to memory of 4876	2912	{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe	94
PID 2912 wrote to memory of 4876	2912	{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe	94
PID 2912 wrote to memory of 4876	2912	{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe	94
PID 4168 wrote to memory of 2980	4168	{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe	95
PID 4168 wrote to memory of 2980	4168	{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe	95
PID 4168 wrote to memory of 2980	4168	{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe	95
PID 4168 wrote to memory of 4868	4168	{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe	96
PID 4168 wrote to memory of 4868	4168	{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe	96
PID 4168 wrote to memory of 4868	4168	{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe	96
PID 2980 wrote to memory of 3196	2980	{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe	97
PID 2980 wrote to memory of 3196	2980	{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe	97
PID 2980 wrote to memory of 3196	2980	{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe	97
PID 2980 wrote to memory of 3564	2980	{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe	98
PID 2980 wrote to memory of 3564	2980	{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe	98
PID 2980 wrote to memory of 3564	2980	{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe	98
PID 3196 wrote to memory of 2312	3196	{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe	99
PID 3196 wrote to memory of 2312	3196	{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe	99
PID 3196 wrote to memory of 2312	3196	{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe	99
PID 3196 wrote to memory of 4836	3196	{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe	100
PID 3196 wrote to memory of 4836	3196	{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe	100
PID 3196 wrote to memory of 4836	3196	{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe	100
PID 2312 wrote to memory of 456	2312	{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe	101
PID 2312 wrote to memory of 456	2312	{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe	101
PID 2312 wrote to memory of 456	2312	{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe	101
PID 2312 wrote to memory of 4920	2312	{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe	102
PID 2312 wrote to memory of 4920	2312	{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe	102
PID 2312 wrote to memory of 4920	2312	{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe	102
PID 456 wrote to memory of 776	456	{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe	103
PID 456 wrote to memory of 776	456	{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe	103
PID 456 wrote to memory of 776	456	{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe	103
PID 456 wrote to memory of 3308	456	{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe	104
PID 456 wrote to memory of 3308	456	{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe	104
PID 456 wrote to memory of 3308	456	{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe	104
PID 776 wrote to memory of 3436	776	{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe	105
PID 776 wrote to memory of 3436	776	{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe	105
PID 776 wrote to memory of 3436	776	{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe	105
PID 776 wrote to memory of 3792	776	{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe	106
PID 776 wrote to memory of 3792	776	{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe	106
PID 776 wrote to memory of 3792	776	{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe	106
PID 3436 wrote to memory of 4264	3436	{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}.exe	107
PID 3436 wrote to memory of 4264	3436	{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}.exe	107
PID 3436 wrote to memory of 4264	3436	{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}.exe	107
PID 3436 wrote to memory of 1696	3436	{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe
  C:\Windows\{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe
    C:\Windows\{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe
      C:\Windows\{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe
        
        C:\Windows\{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4168
      - C:\Windows\{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe
        
        C:\Windows\{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe
        
        C:\Windows\{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe
        
        C:\Windows\{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe
        
        C:\Windows\{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe
        
        C:\Windows\{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}.exe
        
        C:\Windows\{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\{19E6D2D0-DDAD-408e-834E-09F0AACDEC02}.exe
        
        C:\Windows\{19E6D2D0-DDAD-408e-834E-09F0AACDEC02}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
        
        C:\Windows\{07E60AD0-98A2-4f8d-B6E2-B43DE2F03E44}.exe
        
        C:\Windows\{07E60AD0-98A2-4f8d-B6E2-B43DE2F03E44}.exe
        13⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19E6D~1.EXE > nul
        13⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CA81~1.EXE > nul
        12⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51C67~1.EXE > nul
        11⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23B36~1.EXE > nul
        10⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62436~1.EXE > nul
        9⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E200~1.EXE > nul
        8⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8011E~1.EXE > nul
        7⤵
        
        PID:3564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5D20~1.EXE > nul
        6⤵
        
        PID:4868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2007F~1.EXE > nul
        5⤵
        
        PID:4876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EB7A3~1.EXE > nul
      4⤵
      PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B6961~1.EXE > nul
    3⤵
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07E60AD0-98A2-4f8d-B6E2-B43DE2F03E44}.exe

Filesize
216KB

MD5
17150441f9ed25a292e69dde53e08d53

SHA1
76457e0beed26f4380f71bed740e62e4b1089c23

SHA256
0bf3fce11bd7ff309615c44ef0b35a1dca791a7d7ccde41cd46cd234fdeaeb2c

SHA512
2aab1bc1e89718b3219fe50fd48d73add27211f6d3cfa00f8110c50368099962e8a56c5fb463b9e9f212f022493cbbc3918ab902b9bbe3755e0dc3c35dfe84ed

Download Submit
C:\Windows\{19E6D2D0-DDAD-408e-834E-09F0AACDEC02}.exe

Filesize
216KB

MD5
ca3379fcb31ae654daa0bb4f5243efaa

SHA1
b4c7a9c9543ff25924037afdacdf85701b6c1407

SHA256
d89ba64f10958927b9df91caf1ec587924be61267e98f8f73fb4d57fbde2acf6

SHA512
ae89f4e4eee1a467e6fb97fcd1444243d1cd856abd1ead2821e48f0fe51e42f88635fa33b147d3491c0508acbe0d12e83ce344ed498c2e1ab09db50d61cab3d0

Download Submit
C:\Windows\{2007F2AF-2ECF-4c93-95BB-7BD84B71EB02}.exe

Filesize
216KB

MD5
0825661bce3bc5ed81456fe98499c9df

SHA1
feb1615e51dfd07aa8c2f366deb0504711baa342

SHA256
52ec384900e78693bdd8c06547aa73c302a691f92ee42961781585c90c1464cd

SHA512
de41e7baa89569467ef7de319080edf79f39a933707cbe80dab8c4a25a2168626f2479c8f23cc3f755dd5afd529bda75f57691deff789a9ab57b9c3951958bf0

Download Submit
C:\Windows\{23B3639A-F1BC-4063-AC84-E40763C0B3BB}.exe

Filesize
216KB

MD5
4d43741bd972e9bd3de6417053cb8dd3

SHA1
4691b02fda66e064a4cebd1dc4be546ba483bed8

SHA256
7152a7b23240790a8e43e8b66acbdc5bde8fdfe3027c67546258a809dda963fb

SHA512
134bbded307ec2f586e1868e5f28250366f0ca7b8e26320dc6006c77c7a717a49beb026516c79b44c69eb33cdeac8783e04edf977fed3b7b29cc30322f379a89

Download Submit
C:\Windows\{51C679B9-D103-4c28-9E1A-6DEE0B4A7782}.exe

Filesize
216KB

MD5
c535e741de752a9bf91b346bfe4e9aa6

SHA1
34e66bd50dc57835127051a92cc48256f6fa2160

SHA256
54d1175fdd6211df70309671333f37ba406ddf8a621516b64ddf727e55613439

SHA512
e59610b57e0261fd00edb35aa15b6130833da2880daf29b571401135c39c5a29b4ca4b124003a9e0d9f80fbbaac1b106da3fe2f7621774f13ab25c06a4d00116

Download Submit
C:\Windows\{624360B4-E6E1-42e7-A738-CF2E29FDCB1D}.exe

Filesize
216KB

MD5
099b038de4d8f53ddc7b58909cd33a01

SHA1
7a481c9e1c437062389618467fa189c338c8cdb9

SHA256
ae326bb16db14ccd68973493cfd09471e3efbde1dd7917b0375198c33ae80cce

SHA512
ea79e8ad7c97700344230ed6c6fb4792f35c552c275622523bacbe0363607d69fe3a93e7903f593b2066783003e77e7fc548f5422eacff08512084b6325ab12c

Download Submit
C:\Windows\{8011E7D4-C176-4ed5-A89E-CEA61832B7E4}.exe

Filesize
216KB

MD5
ac0e881d46f5d7324ecf04ab6879746e

SHA1
a79641ba8ae2834866114c00116e14de348a6558

SHA256
8b988df509cd7666c4c6a50bec2cf230d3e7d5145a3ceef20ad7af0342082ac0

SHA512
c2920ec48bb4c82ccaee344b40ac609308ada32f263c8568ae58d67aa9858759fc911e87aac62aad77119372843382fa751e0ec5018792f86ca7c846add969f0

Download Submit
C:\Windows\{8CA815EA-F089-48c7-81D3-051F9BEB6D4B}.exe

Filesize
216KB

MD5
b9eca39137c7d524fd3d072f10613aba

SHA1
b835b072e9315c0a6abcd6ccfb1dd43f665dd01a

SHA256
87584e9d200cb10b1581a6644021abe187bb76251d15d9f68ec1b76cee7af143

SHA512
3000682ddf7078b3a639336c4bf8980a167b4b1513b50fce07f25e97bd324de50d6754d259c504840a628fe9c70c6f13a03bfe8039e77d5ca8284b83a3f4ea10

Download Submit
C:\Windows\{8E20074E-9449-4bf5-A4F4-072AECFDD9C5}.exe

Filesize
216KB

MD5
4714bb0cf0e52cda32c46133b2cad985

SHA1
f17eef82775c8d5be46ecf8b00d192eadbbc5870

SHA256
32823158f1ef4b0a238f559dcf7fa1b09b9420a72dff864e7c97a00b79bdb3f4

SHA512
45926f1d13b3ae6d506f071390cd05bcd4952fac2f8ca89c9af0b31dabf0e5bb129071f631263cd0b6039adfcd10131352f172dc0cb212fecc5bd9d2be3b609f

Download Submit
C:\Windows\{B6961AA7-E09B-4bf3-8803-327E5EF77BCC}.exe

Filesize
216KB

MD5
636ae8fe3de5b188b062543182bed0c9

SHA1
cbf7dea52eb9b18e7f00b2a80f312d1230b5e6ca

SHA256
042fbdbea2e1f390534ebf29ce14c95b0c95e653001fa8442ee010ae44658642

SHA512
5025f5d6050338c63326489ff6f621967023a2a0472dcd938e5d719bacd45b7b2625a38c7521d3d23513d3b3dbe17a9619819978f3977c86c4f4f67be67be51e

Download Submit
C:\Windows\{EB7A3F1C-DF56-4ed4-98AD-8F3927954F75}.exe

Filesize
216KB

MD5
e4ecfca66c9fa6fac7e91aac7a9a3ad6

SHA1
1113f1203806e384380b6d22d5d540636c61602c

SHA256
c34435bbccce6c2565dc219ece5ce98f6b1930d19f8e3de3e85d2e90e5f9e3f8

SHA512
321e7243f8dd42a94be92d570792e96ffff89d9b21a1e99eda62eecd04ab8a7e45e715034dfe2c471af77be0de81920d08732e4e94ac1bf66e073bc66e183eee

Download Submit
C:\Windows\{F5D20205-C1E3-40d9-A2C9-64330A60F776}.exe

Filesize
216KB

MD5
220b74f9b54130775d422c977ef9466b

SHA1
ef97a1353a2e6f9d2ed149cfec2d6131e8d28637

SHA256
51e3c9b1e065dea7793989f9deb38999366e6b34ac5de7f3b1d635d665f23f0b

SHA512
b3301057bb4906f4c0cc04880d505c5cff9f7195526859ff0b7d55eac6d74bc2a076dc5ab09c104110580942b6447babe9b2958303f3b779808949c1181fb481

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads