9815e6c33aeff4e3a0a1eec0feea25ee0eee8da8fef7ecf560650d11be7be909

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe
Size

168KB
MD5

ef46ef420bb1268618af4fc848316ab3
SHA1

abe787fd5f0aa4f0b5b54e45074047fb6b5af532
SHA256

9815e6c33aeff4e3a0a1eec0feea25ee0eee8da8fef7ecf560650d11be7be909
SHA512

74d9295b855663a102fd7e1dee6b571b0342e331869ceefa3a5ece2879bfd989b730c6cb3599de186e958e501768071efdbf5ec52b37ecc07217a88e3af5822e
SSDEEP

1536:1EGh0oBli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oBliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002340b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233fe-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023413-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002335d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023413-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002335d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023413-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002335d-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023413-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002335d-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023410-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002335d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{417CC648-1F1E-47e9-A117-5EE9A258DD33}\stubpath = "C:\\Windows\\{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe"	{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27A7AA1A-6861-4002-8B41-998A04461DF1}	{DA9FC219-25A7-4294-AF9B-D195CCA0261C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6F58020-0629-4dab-ADA1-2F056CF81EE2}	{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6F58020-0629-4dab-ADA1-2F056CF81EE2}\stubpath = "C:\\Windows\\{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe"	{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}	{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}	{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}\stubpath = "C:\\Windows\\{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe"	{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}	{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C84258C-DCF0-455f-8A9E-6744359C204A}	{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C84258C-DCF0-455f-8A9E-6744359C204A}\stubpath = "C:\\Windows\\{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe"	{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}\stubpath = "C:\\Windows\\{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe"	{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A020B8B-84D7-4998-B7D5-555E34E07DFC}	{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A020B8B-84D7-4998-B7D5-555E34E07DFC}\stubpath = "C:\\Windows\\{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe"	{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}\stubpath = "C:\\Windows\\{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe"	{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{417CC648-1F1E-47e9-A117-5EE9A258DD33}	{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}\stubpath = "C:\\Windows\\{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe"	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}\stubpath = "C:\\Windows\\{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe"	{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA9FC219-25A7-4294-AF9B-D195CCA0261C}\stubpath = "C:\\Windows\\{DA9FC219-25A7-4294-AF9B-D195CCA0261C}.exe"	{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27A7AA1A-6861-4002-8B41-998A04461DF1}\stubpath = "C:\\Windows\\{27A7AA1A-6861-4002-8B41-998A04461DF1}.exe"	{DA9FC219-25A7-4294-AF9B-D195CCA0261C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6FD451B-7DFB-436c-8EDC-70E1A201A3AB}\stubpath = "C:\\Windows\\{E6FD451B-7DFB-436c-8EDC-70E1A201A3AB}.exe"	{27A7AA1A-6861-4002-8B41-998A04461DF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}	{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA9FC219-25A7-4294-AF9B-D195CCA0261C}	{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6FD451B-7DFB-436c-8EDC-70E1A201A3AB}	{27A7AA1A-6861-4002-8B41-998A04461DF1}.exe

Executes dropped EXE 12 IoCs

pid	Process
3996	{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe
4780	{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe
2036	{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe
3920	{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe
1196	{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe
2628	{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe
1392	{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe
1572	{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe
884	{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe
1724	{DA9FC219-25A7-4294-AF9B-D195CCA0261C}.exe
4972	{27A7AA1A-6861-4002-8B41-998A04461DF1}.exe
3044	{E6FD451B-7DFB-436c-8EDC-70E1A201A3AB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe	{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe
File created	C:\Windows\{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe	{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe
File created	C:\Windows\{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe	{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe
File created	C:\Windows\{DA9FC219-25A7-4294-AF9B-D195CCA0261C}.exe	{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe
File created	C:\Windows\{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe
File created	C:\Windows\{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe	{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe
File created	C:\Windows\{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe	{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe
File created	C:\Windows\{27A7AA1A-6861-4002-8B41-998A04461DF1}.exe	{DA9FC219-25A7-4294-AF9B-D195CCA0261C}.exe
File created	C:\Windows\{E6FD451B-7DFB-436c-8EDC-70E1A201A3AB}.exe	{27A7AA1A-6861-4002-8B41-998A04461DF1}.exe
File created	C:\Windows\{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe	{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe
File created	C:\Windows\{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe	{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe
File created	C:\Windows\{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe	{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	552	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3996	{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe
Token: SeIncBasePriorityPrivilege	4780	{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe
Token: SeIncBasePriorityPrivilege	2036	{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe
Token: SeIncBasePriorityPrivilege	3920	{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe
Token: SeIncBasePriorityPrivilege	1196	{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe
Token: SeIncBasePriorityPrivilege	2628	{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe
Token: SeIncBasePriorityPrivilege	1392	{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe
Token: SeIncBasePriorityPrivilege	1572	{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe
Token: SeIncBasePriorityPrivilege	884	{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe
Token: SeIncBasePriorityPrivilege	1724	{DA9FC219-25A7-4294-AF9B-D195CCA0261C}.exe
Token: SeIncBasePriorityPrivilege	4972	{27A7AA1A-6861-4002-8B41-998A04461DF1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 3996	552	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe	92
PID 552 wrote to memory of 3996	552	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe	92
PID 552 wrote to memory of 3996	552	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe	92
PID 552 wrote to memory of 4664	552	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe	93
PID 552 wrote to memory of 4664	552	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe	93
PID 552 wrote to memory of 4664	552	2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe	93
PID 3996 wrote to memory of 4780	3996	{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe	94
PID 3996 wrote to memory of 4780	3996	{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe	94
PID 3996 wrote to memory of 4780	3996	{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe	94
PID 3996 wrote to memory of 1748	3996	{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe	95
PID 3996 wrote to memory of 1748	3996	{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe	95
PID 3996 wrote to memory of 1748	3996	{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe	95
PID 4780 wrote to memory of 2036	4780	{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe	98
PID 4780 wrote to memory of 2036	4780	{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe	98
PID 4780 wrote to memory of 2036	4780	{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe	98
PID 4780 wrote to memory of 5072	4780	{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe	99
PID 4780 wrote to memory of 5072	4780	{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe	99
PID 4780 wrote to memory of 5072	4780	{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe	99
PID 2036 wrote to memory of 3920	2036	{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe	101
PID 2036 wrote to memory of 3920	2036	{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe	101
PID 2036 wrote to memory of 3920	2036	{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe	101
PID 2036 wrote to memory of 4004	2036	{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe	102
PID 2036 wrote to memory of 4004	2036	{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe	102
PID 2036 wrote to memory of 4004	2036	{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe	102
PID 3920 wrote to memory of 1196	3920	{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe	103
PID 3920 wrote to memory of 1196	3920	{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe	103
PID 3920 wrote to memory of 1196	3920	{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe	103
PID 3920 wrote to memory of 1192	3920	{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe	104
PID 3920 wrote to memory of 1192	3920	{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe	104
PID 3920 wrote to memory of 1192	3920	{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe	104
PID 1196 wrote to memory of 2628	1196	{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe	105
PID 1196 wrote to memory of 2628	1196	{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe	105
PID 1196 wrote to memory of 2628	1196	{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe	105
PID 1196 wrote to memory of 4540	1196	{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe	106
PID 1196 wrote to memory of 4540	1196	{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe	106
PID 1196 wrote to memory of 4540	1196	{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe	106
PID 2628 wrote to memory of 1392	2628	{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe	107
PID 2628 wrote to memory of 1392	2628	{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe	107
PID 2628 wrote to memory of 1392	2628	{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe	107
PID 2628 wrote to memory of 4848	2628	{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe	108
PID 2628 wrote to memory of 4848	2628	{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe	108
PID 2628 wrote to memory of 4848	2628	{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe	108
PID 1392 wrote to memory of 1572	1392	{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe	109
PID 1392 wrote to memory of 1572	1392	{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe	109
PID 1392 wrote to memory of 1572	1392	{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe	109
PID 1392 wrote to memory of 2108	1392	{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe	110
PID 1392 wrote to memory of 2108	1392	{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe	110
PID 1392 wrote to memory of 2108	1392	{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe	110
PID 1572 wrote to memory of 884	1572	{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe	111
PID 1572 wrote to memory of 884	1572	{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe	111
PID 1572 wrote to memory of 884	1572	{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe	111
PID 1572 wrote to memory of 1736	1572	{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe	112
PID 1572 wrote to memory of 1736	1572	{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe	112
PID 1572 wrote to memory of 1736	1572	{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe	112
PID 884 wrote to memory of 1724	884	{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe	113
PID 884 wrote to memory of 1724	884	{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe	113
PID 884 wrote to memory of 1724	884	{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe	113
PID 884 wrote to memory of 4064	884	{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe	114
PID 884 wrote to memory of 4064	884	{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe	114
PID 884 wrote to memory of 4064	884	{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe	114
PID 1724 wrote to memory of 4972	1724	{DA9FC219-25A7-4294-AF9B-D195CCA0261C}.exe	115
PID 1724 wrote to memory of 4972	1724	{DA9FC219-25A7-4294-AF9B-D195CCA0261C}.exe	115
PID 1724 wrote to memory of 4972	1724	{DA9FC219-25A7-4294-AF9B-D195CCA0261C}.exe	115
PID 1724 wrote to memory of 812	1724	{DA9FC219-25A7-4294-AF9B-D195CCA0261C}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_ef46ef420bb1268618af4fc848316ab3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe
  C:\Windows\{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe
    C:\Windows\{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe
      C:\Windows\{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe
        
        C:\Windows\{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3920
      - C:\Windows\{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe
        
        C:\Windows\{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe
        
        C:\Windows\{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe
        
        C:\Windows\{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe
        
        C:\Windows\{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe
        
        C:\Windows\{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\{DA9FC219-25A7-4294-AF9B-D195CCA0261C}.exe
        
        C:\Windows\{DA9FC219-25A7-4294-AF9B-D195CCA0261C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\{27A7AA1A-6861-4002-8B41-998A04461DF1}.exe
        
        C:\Windows\{27A7AA1A-6861-4002-8B41-998A04461DF1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Windows\{E6FD451B-7DFB-436c-8EDC-70E1A201A3AB}.exe
        
        C:\Windows\{E6FD451B-7DFB-436c-8EDC-70E1A201A3AB}.exe
        13⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27A7A~1.EXE > nul
        13⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA9FC~1.EXE > nul
        12⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C4A1~1.EXE > nul
        11⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{417CC~1.EXE > nul
        10⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D08D~1.EXE > nul
        9⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A020~1.EXE > nul
        8⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6F58~1.EXE > nul
        7⤵
        
        PID:4540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C842~1.EXE > nul
        6⤵
        
        PID:1192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A82BC~1.EXE > nul
        5⤵
        
        PID:4004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A5ECF~1.EXE > nul
      4⤵
      PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{33FD3~1.EXE > nul
    3⤵
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{27A7AA1A-6861-4002-8B41-998A04461DF1}.exe

Filesize
168KB

MD5
4cd3f74ed0fdafd8317bd5ff46ea4fd7

SHA1
86d67509cf11aa27c4ac342ec922fa77bcafbf24

SHA256
f635dbdb5deb540eadfd8b741d7a2dec65b6231c53e56c6b8f3ac01b4b76df54

SHA512
e7f8150f431738c98c25c022b949491e288bd94e2a1e5c639eb107812e86268ae969d7c34c17c2edc47873a2b0c2b10cd696cd40178151e1b64e2bba9b6b1ec5

Download Submit
C:\Windows\{33FD3F4C-4BC2-4e57-BA5B-FB33FF1AA36B}.exe

Filesize
168KB

MD5
8c7942e30f797699e5185fc37c24f09d

SHA1
a465fda88151cf3c76969a23b7c52d430172cd83

SHA256
ec175ad91fddb2984327e018a08088f6e9c0b141ac968310457b4ba5b2f22539

SHA512
97605e9d26475cbc3d0070dc8d18d82c93a9c4703b904d55c04c67ef5f9d92a048a963d991970858b962466d6673cd40cb252bee29a2064e5812552e6a25258e

Download Submit
C:\Windows\{417CC648-1F1E-47e9-A117-5EE9A258DD33}.exe

Filesize
168KB

MD5
e96db24b40ff2a27534a0d1c65fcf777

SHA1
0a5cb966ef18abf0c11436945b7514770aa21d39

SHA256
54583ba683d774fea1115ef1a6f6fb55c4d0488134cd8e6e221c33bc1f3b1e91

SHA512
d2454cd5ad4c84d6e0d9d71f666c2f382e6e84b2a55a9c582e395433a600810a1b99fe27301bcb8cc803304e8b57e65eafd38a6190dc5450387e77da9a5b0f03

Download Submit
C:\Windows\{5C4A1F02-2CDB-4ef6-BAB0-00CE80381545}.exe

Filesize
168KB

MD5
6256ab0a4e7e2cba1e931df745c8cba9

SHA1
935727ba3b2e8c6eb807cb31d04a60b62dd830ad

SHA256
69f4d5a6028efdf4c362b2d2510d27cdf887cc92f7221f270d34331b68018f4a

SHA512
2444fa743cf82c5971ed7a74c607db545cddb7ec804712c5215ecd08804f5c4823ec9f8239f81a2af3fc0f5bfb348d9a60bc7640e31c1ea69fe194544ade48e7

Download Submit
C:\Windows\{7C84258C-DCF0-455f-8A9E-6744359C204A}.exe

Filesize
168KB

MD5
c76dcb4c91b7db2febb64688b02ad637

SHA1
2e565238871862a5ba8d34cee88fd72cf2a6a7f3

SHA256
6618108ddc50544ecfa750515722abc2f6d2f64d82743ab769f62ff59778904d

SHA512
92fa72ec092fda8c5471a82fa5f40c1051da9c5269c99d62ca01ef37e4fc6434cc18956ebc61cb10f2d2dbd7edc6fd9086a27e3b3942bd6635a3884097a9f72a

Download Submit
C:\Windows\{8A020B8B-84D7-4998-B7D5-555E34E07DFC}.exe

Filesize
168KB

MD5
ef23e6d52a25f25e679acdda6254b55d

SHA1
57e0515a828b42ed9029d74b4a87dd1b8e6d058c

SHA256
419b9fc9c0a853f26fc019cfd53b4e64417a6c5e326563249445e03343bc6e33

SHA512
eaec9404ba738a7168a73b594aa488530969f654ea2640c47b2e1f6d9bee8df56c84c9aad661d9a4ed4158ad4c3e2a6f05d852a0a16769dbe008104c8803295e

Download Submit
C:\Windows\{9D08D8F9-E8D5-42a3-BC3B-3E637AB6C7A7}.exe

Filesize
168KB

MD5
0b95d008c8da011505f4589a6eaa3c33

SHA1
c261ebd42ef26a4314d3e6556f4ed7ded70f9ab3

SHA256
2570801968fc1ee480f89c11be654bfe80862f88116aace9abdf095db241a234

SHA512
885966ad55d12b7c2eab5bdd98c7fc1f6b896164d679e368f5dd41c1a53e7e55769f44457265bb11b2ba3667be2a9517572a6104c4d6a8359c42e6eb296ae5eb

Download Submit
C:\Windows\{A5ECF61C-8C82-4ce7-95ED-D6E2019BC188}.exe

Filesize
168KB

MD5
d84fe5f3cbc4657730d62f40617383c5

SHA1
384632114167d4300e374b0f3d7af68b9cb1b1cd

SHA256
e5e10813b79e3a37d633ee19cf78cec40f9efd11393feb8c147318eb3010954c

SHA512
ed80b4f023f4518175e2b10e93ebba9a53d768dc9d9b2bdc70c907efdc4821ce5c0df0f03416414b697b86f27483a1300c7c8ee83b1c1cfdf2ffd10ef1134697

Download Submit
C:\Windows\{A82BCCF6-8E68-47fb-A0DC-812E796A91B1}.exe

Filesize
168KB

MD5
7f07bba9fd266d1f4915633afb02dede

SHA1
d392f3efd9b4511322428a3ccead4785ef410a73

SHA256
f3f21e1ea949fb01bbd6f7b0685b9da4c95031b55484bcfb2305f3586991b78d

SHA512
d68e877dfbdde8b4622ccd8056ec63cd06b298df22ae1925cb04be6c9f2e0c2927cdf8ce0b442721b01f27bc5ceccdc6abfbc6262668014b6bbb0604aa2c1508

Download Submit
C:\Windows\{B6F58020-0629-4dab-ADA1-2F056CF81EE2}.exe

Filesize
168KB

MD5
67bf39d8867273a6d30295f7cb8f0d6b

SHA1
4287ef44d03bb33fe4c353527ea0e120ee695252

SHA256
19eae154001f4f8573244d723ad8454a544205439c4052ffdd8e6c970e3b91e4

SHA512
b68f707e20b5a564ed771147b35c7acaf99f872f02356b628b8f9099a7731f69202e05316ff388e05cf0fad6f1f313ad04475ba35f8e98f17b1e4e7e84a4c4a8

Download Submit
C:\Windows\{DA9FC219-25A7-4294-AF9B-D195CCA0261C}.exe

Filesize
168KB

MD5
a8e3160ce7b750cf3b2d32e4dbe0beeb

SHA1
d0dfc7e8707a2d48609296ca5f2d8dde3de8de6b

SHA256
0bbc56ac50c9ae0ad52083afe5419eb812d8286b0899d74e5b226f8e4c802d57

SHA512
5f8928d792af3caac7483db12e3d2d4c65619bab10950648a8ea7b852892a065f31835858e4270f6f001005052f434f27cce0cf0e8630c972872970bfc39350e

Download Submit
C:\Windows\{E6FD451B-7DFB-436c-8EDC-70E1A201A3AB}.exe

Filesize
168KB

MD5
6e07ffc49730c19a5bba89ad041058c6

SHA1
bf847c11fe5b5225b9f0a1320a3aea897c460b6e

SHA256
67d1ed90a47d3f7a4290c0e6cfb67e432fa3810bd9c35eb0fed703c12341f2b1

SHA512
90db27eec6f96153e7fe7f4e90b09a91c62bfbb9581efe8ff0669f7b31c8cfdf4fa52e1ffb9020aefc8c10d2a2fc6b6673abe94be74f7fb278ebf7c3ca3071a0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads