eb6f85d55873e3f527dbd010af1d360092bf5b0d42a7c3f671beea885ebcf165

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 11:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_4dd4f56c6d0ab4e3d921dc1ac2574a2c_goldeneye.exe
Size

168KB
MD5

4dd4f56c6d0ab4e3d921dc1ac2574a2c
SHA1

3dc3f40fa408263f173da969b7812ff1b41fe2df
SHA256

eb6f85d55873e3f527dbd010af1d360092bf5b0d42a7c3f671beea885ebcf165
SHA512

6e261e3b90b34461d7610c809466b534259b51afbbf8d01abd23686640628f41334c1dfa35743002f26095451780a578c60fcb5e472844bfbf05f60ba2b515e0
SSDEEP

1536:1EGh0o3lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o3lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002337d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002337e-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233f6-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233f9-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233f6-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233f9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233f6-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000233f9-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233f6-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023383-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233f6-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023383-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}\stubpath = "C:\\Windows\\{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe"	{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D30B1FC-1D77-40c1-AA2D-2F939EA4391B}\stubpath = "C:\\Windows\\{5D30B1FC-1D77-40c1-AA2D-2F939EA4391B}.exe"	{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B52882E-72F7-415e-B9A1-EA231F7FD594}	{5D30B1FC-1D77-40c1-AA2D-2F939EA4391B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B52882E-72F7-415e-B9A1-EA231F7FD594}\stubpath = "C:\\Windows\\{6B52882E-72F7-415e-B9A1-EA231F7FD594}.exe"	{5D30B1FC-1D77-40c1-AA2D-2F939EA4391B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}\stubpath = "C:\\Windows\\{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe"	2024-04-16_4dd4f56c6d0ab4e3d921dc1ac2574a2c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A77A51BC-50AB-46f5-ABE0-C076F76032A2}	{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}\stubpath = "C:\\Windows\\{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe"	{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A89871D5-B13A-44f8-B77B-531660428EF7}	{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A89871D5-B13A-44f8-B77B-531660428EF7}\stubpath = "C:\\Windows\\{A89871D5-B13A-44f8-B77B-531660428EF7}.exe"	{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D30B1FC-1D77-40c1-AA2D-2F939EA4391B}	{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}	2024-04-16_4dd4f56c6d0ab4e3d921dc1ac2574a2c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A77A51BC-50AB-46f5-ABE0-C076F76032A2}\stubpath = "C:\\Windows\\{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe"	{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0E03F54-E6A2-47ae-BFF9-1593692621B0}\stubpath = "C:\\Windows\\{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe"	{A1571592-89EB-4b17-BCF5-17C99528458F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1571592-89EB-4b17-BCF5-17C99528458F}\stubpath = "C:\\Windows\\{A1571592-89EB-4b17-BCF5-17C99528458F}.exe"	{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0E03F54-E6A2-47ae-BFF9-1593692621B0}	{A1571592-89EB-4b17-BCF5-17C99528458F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}	{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05AB2006-3E7D-495f-B0AA-271584C334FA}\stubpath = "C:\\Windows\\{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe"	{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}\stubpath = "C:\\Windows\\{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}.exe"	{A89871D5-B13A-44f8-B77B-531660428EF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}	{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}\stubpath = "C:\\Windows\\{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe"	{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1571592-89EB-4b17-BCF5-17C99528458F}	{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}	{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05AB2006-3E7D-495f-B0AA-271584C334FA}	{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}	{A89871D5-B13A-44f8-B77B-531660428EF7}.exe

Executes dropped EXE 12 IoCs

pid	Process
2824	{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe
4240	{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe
4012	{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe
1992	{A1571592-89EB-4b17-BCF5-17C99528458F}.exe
2208	{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe
944	{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe
4320	{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe
380	{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe
2964	{A89871D5-B13A-44f8-B77B-531660428EF7}.exe
3888	{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}.exe
2488	{5D30B1FC-1D77-40c1-AA2D-2F939EA4391B}.exe
3464	{6B52882E-72F7-415e-B9A1-EA231F7FD594}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A89871D5-B13A-44f8-B77B-531660428EF7}.exe	{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe
File created	C:\Windows\{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}.exe	{A89871D5-B13A-44f8-B77B-531660428EF7}.exe
File created	C:\Windows\{5D30B1FC-1D77-40c1-AA2D-2F939EA4391B}.exe	{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}.exe
File created	C:\Windows\{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe	{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe
File created	C:\Windows\{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe	{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe
File created	C:\Windows\{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe	{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe
File created	C:\Windows\{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe	{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe
File created	C:\Windows\{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe	{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe
File created	C:\Windows\{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe	2024-04-16_4dd4f56c6d0ab4e3d921dc1ac2574a2c_goldeneye.exe
File created	C:\Windows\{A1571592-89EB-4b17-BCF5-17C99528458F}.exe	{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe
File created	C:\Windows\{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe	{A1571592-89EB-4b17-BCF5-17C99528458F}.exe
File created	C:\Windows\{6B52882E-72F7-415e-B9A1-EA231F7FD594}.exe	{5D30B1FC-1D77-40c1-AA2D-2F939EA4391B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4512	2024-04-16_4dd4f56c6d0ab4e3d921dc1ac2574a2c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2824	{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe
Token: SeIncBasePriorityPrivilege	4240	{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe
Token: SeIncBasePriorityPrivilege	4012	{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe
Token: SeIncBasePriorityPrivilege	1992	{A1571592-89EB-4b17-BCF5-17C99528458F}.exe
Token: SeIncBasePriorityPrivilege	2208	{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe
Token: SeIncBasePriorityPrivilege	944	{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe
Token: SeIncBasePriorityPrivilege	4320	{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe
Token: SeIncBasePriorityPrivilege	380	{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe
Token: SeIncBasePriorityPrivilege	2964	{A89871D5-B13A-44f8-B77B-531660428EF7}.exe
Token: SeIncBasePriorityPrivilege	3888	{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}.exe
Token: SeIncBasePriorityPrivilege	2488	{5D30B1FC-1D77-40c1-AA2D-2F939EA4391B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 2824	4512	2024-04-16_4dd4f56c6d0ab4e3d921dc1ac2574a2c_goldeneye.exe	92
PID 4512 wrote to memory of 2824	4512	2024-04-16_4dd4f56c6d0ab4e3d921dc1ac2574a2c_goldeneye.exe	92
PID 4512 wrote to memory of 2824	4512	2024-04-16_4dd4f56c6d0ab4e3d921dc1ac2574a2c_goldeneye.exe	92
PID 4512 wrote to memory of 3944	4512	2024-04-16_4dd4f56c6d0ab4e3d921dc1ac2574a2c_goldeneye.exe	93
PID 4512 wrote to memory of 3944	4512	2024-04-16_4dd4f56c6d0ab4e3d921dc1ac2574a2c_goldeneye.exe	93
PID 4512 wrote to memory of 3944	4512	2024-04-16_4dd4f56c6d0ab4e3d921dc1ac2574a2c_goldeneye.exe	93
PID 2824 wrote to memory of 4240	2824	{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe	94
PID 2824 wrote to memory of 4240	2824	{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe	94
PID 2824 wrote to memory of 4240	2824	{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe	94
PID 2824 wrote to memory of 3972	2824	{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe	95
PID 2824 wrote to memory of 3972	2824	{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe	95
PID 2824 wrote to memory of 3972	2824	{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe	95
PID 4240 wrote to memory of 4012	4240	{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe	98
PID 4240 wrote to memory of 4012	4240	{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe	98
PID 4240 wrote to memory of 4012	4240	{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe	98
PID 4240 wrote to memory of 1584	4240	{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe	99
PID 4240 wrote to memory of 1584	4240	{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe	99
PID 4240 wrote to memory of 1584	4240	{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe	99
PID 4012 wrote to memory of 1992	4012	{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe	101
PID 4012 wrote to memory of 1992	4012	{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe	101
PID 4012 wrote to memory of 1992	4012	{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe	101
PID 4012 wrote to memory of 1784	4012	{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe	102
PID 4012 wrote to memory of 1784	4012	{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe	102
PID 4012 wrote to memory of 1784	4012	{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe	102
PID 1992 wrote to memory of 2208	1992	{A1571592-89EB-4b17-BCF5-17C99528458F}.exe	103
PID 1992 wrote to memory of 2208	1992	{A1571592-89EB-4b17-BCF5-17C99528458F}.exe	103
PID 1992 wrote to memory of 2208	1992	{A1571592-89EB-4b17-BCF5-17C99528458F}.exe	103
PID 1992 wrote to memory of 4516	1992	{A1571592-89EB-4b17-BCF5-17C99528458F}.exe	104
PID 1992 wrote to memory of 4516	1992	{A1571592-89EB-4b17-BCF5-17C99528458F}.exe	104
PID 1992 wrote to memory of 4516	1992	{A1571592-89EB-4b17-BCF5-17C99528458F}.exe	104
PID 2208 wrote to memory of 944	2208	{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe	105
PID 2208 wrote to memory of 944	2208	{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe	105
PID 2208 wrote to memory of 944	2208	{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe	105
PID 2208 wrote to memory of 4384	2208	{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe	106
PID 2208 wrote to memory of 4384	2208	{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe	106
PID 2208 wrote to memory of 4384	2208	{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe	106
PID 944 wrote to memory of 4320	944	{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe	107
PID 944 wrote to memory of 4320	944	{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe	107
PID 944 wrote to memory of 4320	944	{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe	107
PID 944 wrote to memory of 4684	944	{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe	108
PID 944 wrote to memory of 4684	944	{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe	108
PID 944 wrote to memory of 4684	944	{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe	108
PID 4320 wrote to memory of 380	4320	{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe	109
PID 4320 wrote to memory of 380	4320	{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe	109
PID 4320 wrote to memory of 380	4320	{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe	109
PID 4320 wrote to memory of 4916	4320	{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe	110
PID 4320 wrote to memory of 4916	4320	{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe	110
PID 4320 wrote to memory of 4916	4320	{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe	110
PID 380 wrote to memory of 2964	380	{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe	111
PID 380 wrote to memory of 2964	380	{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe	111
PID 380 wrote to memory of 2964	380	{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe	111
PID 380 wrote to memory of 2160	380	{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe	112
PID 380 wrote to memory of 2160	380	{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe	112
PID 380 wrote to memory of 2160	380	{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe	112
PID 2964 wrote to memory of 3888	2964	{A89871D5-B13A-44f8-B77B-531660428EF7}.exe	113
PID 2964 wrote to memory of 3888	2964	{A89871D5-B13A-44f8-B77B-531660428EF7}.exe	113
PID 2964 wrote to memory of 3888	2964	{A89871D5-B13A-44f8-B77B-531660428EF7}.exe	113
PID 2964 wrote to memory of 4528	2964	{A89871D5-B13A-44f8-B77B-531660428EF7}.exe	114
PID 2964 wrote to memory of 4528	2964	{A89871D5-B13A-44f8-B77B-531660428EF7}.exe	114
PID 2964 wrote to memory of 4528	2964	{A89871D5-B13A-44f8-B77B-531660428EF7}.exe	114
PID 3888 wrote to memory of 2488	3888	{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}.exe	115
PID 3888 wrote to memory of 2488	3888	{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}.exe	115
PID 3888 wrote to memory of 2488	3888	{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}.exe	115
PID 3888 wrote to memory of 3204	3888	{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-04-16_4dd4f56c6d0ab4e3d921dc1ac2574a2c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_4dd4f56c6d0ab4e3d921dc1ac2574a2c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe
  C:\Windows\{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe
    C:\Windows\{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Windows\{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe
      C:\Windows\{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Windows\{A1571592-89EB-4b17-BCF5-17C99528458F}.exe
        
        C:\Windows\{A1571592-89EB-4b17-BCF5-17C99528458F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe
        
        C:\Windows\{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe
        
        C:\Windows\{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe
        
        C:\Windows\{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe
        
        C:\Windows\{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\{A89871D5-B13A-44f8-B77B-531660428EF7}.exe
        
        C:\Windows\{A89871D5-B13A-44f8-B77B-531660428EF7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}.exe
        
        C:\Windows\{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\{5D30B1FC-1D77-40c1-AA2D-2F939EA4391B}.exe
        
        C:\Windows\{5D30B1FC-1D77-40c1-AA2D-2F939EA4391B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\{6B52882E-72F7-415e-B9A1-EA231F7FD594}.exe
        
        C:\Windows\{6B52882E-72F7-415e-B9A1-EA231F7FD594}.exe
        13⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D30B~1.EXE > nul
        13⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13D14~1.EXE > nul
        12⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8987~1.EXE > nul
        11⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05AB2~1.EXE > nul
        10⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9A19~1.EXE > nul
        9⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EA3A~1.EXE > nul
        8⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0E03~1.EXE > nul
        7⤵
        
        PID:4384
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1571~1.EXE > nul
        6⤵
        
        PID:4516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A77A5~1.EXE > nul
        5⤵
        
        PID:1784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{479DB~1.EXE > nul
      4⤵
      PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F6CFF~1.EXE > nul
    3⤵
    PID:3972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05AB2006-3E7D-495f-B0AA-271584C334FA}.exe

Filesize
168KB

MD5
f61fb59830ddc92d99168272990c793d

SHA1
d2c6b15044de57c58aeedb99a9d2b6775cbc2d80

SHA256
4e708a7582451afd6d762127afd4f6a276ae3e8674156d7c3f9eca43c329f4bf

SHA512
9f2f35a06fa10064cfe936b1e84c869da3d5d1effdf3a3447e6b7079e901b285e56b195d0e50cca7a746c86da46eabd240f45db9e270920232c79655bbcb7eda

Download Submit
C:\Windows\{13D14B6D-FAA2-4b03-90CE-0B08B1F28875}.exe

Filesize
168KB

MD5
9ae1001cf7fa2f32fe53191e1e89bd3b

SHA1
0ecacc0caf01b5c9dc64998d9cf8f358bae49a85

SHA256
ff812435aa684346bc9045e16389b82e57770e0c7dcb36a71a3336df8e3a78cd

SHA512
ed669d620046aabe0860d70e07f3451add6af825924dc7ce15cc22d8c9c6812fa474f1572d9c441ecce0aa22ebff8584bd8954f667a15bb924732bb817649c1c

Download Submit
C:\Windows\{479DB422-1FDB-4073-BDEA-5A3E8EB889F1}.exe

Filesize
168KB

MD5
fde6f824a1043294adef5217ce55f5c3

SHA1
3390de6e43c5f8014b74cdc57f5bac4718ef4132

SHA256
7617c00b1882e21ee4633dbb954f28e5862fb37416ac0040ccd409215e1854b9

SHA512
2a359879ec87ff52cb18040088e5665747d21ade6c14a26ec743a5a04353af82c679141809768cd916cbf81f1f57b31d951547932de76e4fbf9f9949635e4912

Download Submit
C:\Windows\{5D30B1FC-1D77-40c1-AA2D-2F939EA4391B}.exe

Filesize
168KB

MD5
616b4754a936845b244a42a8f6b8a86a

SHA1
75857ec181d81eeba7339c47306e5eefc9c7de95

SHA256
8ef28ccc3da61ef86f2d11d9cf2bdbd2310518f01a038dff00d1aad1d6eea30e

SHA512
8f8ca0531f6a94f0dc5d7087a6e33fda56eb7165cc89b4fe5384fd70a335a7b228c38e0573f2ef021b242d20fa59ef0f7c79a2f2e439000181d69c56d3fd5054

Download Submit
C:\Windows\{6B52882E-72F7-415e-B9A1-EA231F7FD594}.exe

Filesize
168KB

MD5
4ac2b2479878a75c243286ae6509adc9

SHA1
16eb2c9d8fa56735eda8c9b672c0aa81dca795c7

SHA256
bd86fa4125a0245452a9f5b4fde777d823809034c31efe4423363dc09b50c1b1

SHA512
81c6d7d4deb732ea53d92a268c018acc4deff8d259d84920cdaba284a6739228a033c481b2e38fc18e538ae2e694a2754ec73f762eb6cfaa644ba952d6b30788

Download Submit
C:\Windows\{9EA3AF83-1030-4035-8FCA-5A1A79BB8326}.exe

Filesize
168KB

MD5
0ee09e58e90f8c3b30f56dd5086d37e1

SHA1
c3befb86a9cf411558199a192cd1dc26db54ee64

SHA256
0807afc82f6b7e44279a88b5943bfb22ec47a8480fd49ac33912d6dd8cd24d46

SHA512
4d55062fe2a66efda4ad791a3aceeb4ea828b8fa41500618050bc799cb3e57906c5531ace77df9201b41a7bc1f7766ddfd4ccc330fd9a619614eae64b8a17044

Download Submit
C:\Windows\{A1571592-89EB-4b17-BCF5-17C99528458F}.exe

Filesize
168KB

MD5
4b3f58ed8acb61c6b72974d6286c2be1

SHA1
906574c7aca615dc819fc312ed965fa179824a07

SHA256
78d5222a656fd389e1b716443f82c10730207bb850a3969d37f45565ee0d5bd5

SHA512
ed827f859a1312a9adeb10e7c826c3c4c1655c997afeb91255b044ec66551e141b50951298b9d4136023e33c9cd602d3286243ad28f7bab8c51f9e8c7e39ce34

Download Submit
C:\Windows\{A77A51BC-50AB-46f5-ABE0-C076F76032A2}.exe

Filesize
168KB

MD5
bc5e2cccadf7cb5a920bd0716b5cd9df

SHA1
4304565286703a8754c1b6630a7904744023804a

SHA256
8eb1490434ccfe8d7a791786ba5561b913c5f97a01cadf765522c55e50860067

SHA512
3be380e2acf16a5c4a93aa9cca6d348c2ebe0366b98480dbd247883c0176bd40a0755730d107cd300cfeb8a09448116f4f957ab25145c83f166e5af38c021246

Download Submit
C:\Windows\{A89871D5-B13A-44f8-B77B-531660428EF7}.exe

Filesize
168KB

MD5
f16fda94a8f4e9a367c70b05f1e3062d

SHA1
16f8c938d632d0e66188be0161d1719b980c1b08

SHA256
a5386c3d076fc9bef9d96aa7d1e1bd3a6d8653cafa2bad43dd2fde5846e682f7

SHA512
3120d6dea9e79c021d5e9033234ae2b64b24d95766cb499eb91d5122cd441202530dd02dae35f3f5afdb2a0e20a861e61e18a3fa5953c0077a3d52bb4d143a1c

Download Submit
C:\Windows\{C0E03F54-E6A2-47ae-BFF9-1593692621B0}.exe

Filesize
168KB

MD5
0f4ebba46a56bed01d48e3cc86aecb82

SHA1
e7a2e5258207914fbb185f8137fbdc8066375a1d

SHA256
70f7ab0437570c9aaf53b112ad1fdbf06e5ccc1e867f5aa0def8d2bba7fbb6b0

SHA512
ad029ad19c7c27bb4074ba3cc6d2d19bf56ec961f98f5dfb2136ad7cce49a587484f00350db13e6758eaa5b03043380fc286ac43a5e7e2e0ac32ca3066ab718a

Download Submit
C:\Windows\{E9A197CA-15C7-4bdd-B96F-07BB5668DD22}.exe

Filesize
168KB

MD5
1b3582b41ed39d328e0c730ac7d32c50

SHA1
16992b5698af724d1379b7ad90284d301a327b24

SHA256
2ee2a28088e78c60b399bf440cc617d4b0cb909b9471136bc170ff3a47cc7dc7

SHA512
5c3a5b867413eda9da283fd7e9d7d498e08c84a9a09f092e4e91c0d004aa9f0a31a694de3e0ecd3cd8dd4b6b4f21c4de99f6a7e63f5b0a38b6ea6ccb6826f86d

Download Submit
C:\Windows\{F6CFF5F7-4FD9-4b5a-8867-70606596E33B}.exe

Filesize
168KB

MD5
dde60da39cc960eb064de246d306ccbb

SHA1
7b8a5f3f87eb0cc63c95de361323901cd722199a

SHA256
98e8fc3b978ad4c0928446e1b97c464dc8b6d25ad8173c1f5d9d2e4416f38ddf

SHA512
0bfc8755b45831ea5a4553909b7bdb7f0d5cdc7b2be2bb476acc42712ecf29119fe0fc890ab3760664e8048896bc77699224c3e03d44e373dd59e25d403d8469

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads