d3b5c12c01eb215d66392c7e3f121fbf4b4d00a0f7770c3dcef9f6d7a6b1e3a3

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_52f8f92d3fed783453ad5bff2294461c_goldeneye.exe
Size

180KB
MD5

52f8f92d3fed783453ad5bff2294461c
SHA1

1690c5714ab879b1b00468b7fa5840ce0a97c5ef
SHA256

d3b5c12c01eb215d66392c7e3f121fbf4b4d00a0f7770c3dcef9f6d7a6b1e3a3
SHA512

7781c6e8a64183b32103292cb34877c40485a63ef024ccbdec20a1eae8a64340b950ea83f0f98fd60539a6faae8450c79f0de5f779e67f889bedde96424cb687
SSDEEP

3072:jEGh0ozlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGFl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000121c5-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000001220a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000121c5-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000121c5-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000121c5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000121c5-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000121c5-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed7-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}\stubpath = "C:\\Windows\\{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe"	2024-04-16_52f8f92d3fed783453ad5bff2294461c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE7BE001-A556-48a4-96B9-D6D911F8B754}\stubpath = "C:\\Windows\\{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe"	{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0D94B59-BB1F-435d-B51A-611D13E2A746}\stubpath = "C:\\Windows\\{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe"	{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C2DD32B-A447-43fe-89D1-935B242FD1A3}\stubpath = "C:\\Windows\\{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe"	{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}	{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02A84BB7-769F-41d4-B6AC-5B95B08B1BD3}\stubpath = "C:\\Windows\\{02A84BB7-769F-41d4-B6AC-5B95B08B1BD3}.exe"	{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46E0CA49-4E55-4c1a-8ECC-7A6785B598E8}	{02A84BB7-769F-41d4-B6AC-5B95B08B1BD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46E0CA49-4E55-4c1a-8ECC-7A6785B598E8}\stubpath = "C:\\Windows\\{46E0CA49-4E55-4c1a-8ECC-7A6785B598E8}.exe"	{02A84BB7-769F-41d4-B6AC-5B95B08B1BD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}	2024-04-16_52f8f92d3fed783453ad5bff2294461c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE7BE001-A556-48a4-96B9-D6D911F8B754}	{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}\stubpath = "C:\\Windows\\{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe"	{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0D94B59-BB1F-435d-B51A-611D13E2A746}	{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}	{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}\stubpath = "C:\\Windows\\{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe"	{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02A84BB7-769F-41d4-B6AC-5B95B08B1BD3}	{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0E6DF6D-D7E7-461a-9D34-074903470236}	{46E0CA49-4E55-4c1a-8ECC-7A6785B598E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BF20C57-9FCE-46fb-B239-436246E5513C}	{A3980E4B-586B-4738-AD36-16915E2129DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BF20C57-9FCE-46fb-B239-436246E5513C}\stubpath = "C:\\Windows\\{2BF20C57-9FCE-46fb-B239-436246E5513C}.exe"	{A3980E4B-586B-4738-AD36-16915E2129DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}	{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C2DD32B-A447-43fe-89D1-935B242FD1A3}	{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}\stubpath = "C:\\Windows\\{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe"	{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0E6DF6D-D7E7-461a-9D34-074903470236}\stubpath = "C:\\Windows\\{A0E6DF6D-D7E7-461a-9D34-074903470236}.exe"	{46E0CA49-4E55-4c1a-8ECC-7A6785B598E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3980E4B-586B-4738-AD36-16915E2129DD}	{A0E6DF6D-D7E7-461a-9D34-074903470236}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3980E4B-586B-4738-AD36-16915E2129DD}\stubpath = "C:\\Windows\\{A3980E4B-586B-4738-AD36-16915E2129DD}.exe"	{A0E6DF6D-D7E7-461a-9D34-074903470236}.exe

Executes dropped EXE 12 IoCs

pid	Process
1716	{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe
2468	{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe
1632	{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe
2436	{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe
876	{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe
2120	{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe
1072	{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe
520	{02A84BB7-769F-41d4-B6AC-5B95B08B1BD3}.exe
1752	{46E0CA49-4E55-4c1a-8ECC-7A6785B598E8}.exe
1492	{A0E6DF6D-D7E7-461a-9D34-074903470236}.exe
1284	{A3980E4B-586B-4738-AD36-16915E2129DD}.exe
972	{2BF20C57-9FCE-46fb-B239-436246E5513C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe	{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe
File created	C:\Windows\{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe	{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe
File created	C:\Windows\{A3980E4B-586B-4738-AD36-16915E2129DD}.exe	{A0E6DF6D-D7E7-461a-9D34-074903470236}.exe
File created	C:\Windows\{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe	2024-04-16_52f8f92d3fed783453ad5bff2294461c_goldeneye.exe
File created	C:\Windows\{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe	{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe
File created	C:\Windows\{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe	{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe
File created	C:\Windows\{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe	{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe
File created	C:\Windows\{02A84BB7-769F-41d4-B6AC-5B95B08B1BD3}.exe	{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe
File created	C:\Windows\{46E0CA49-4E55-4c1a-8ECC-7A6785B598E8}.exe	{02A84BB7-769F-41d4-B6AC-5B95B08B1BD3}.exe
File created	C:\Windows\{A0E6DF6D-D7E7-461a-9D34-074903470236}.exe	{46E0CA49-4E55-4c1a-8ECC-7A6785B598E8}.exe
File created	C:\Windows\{2BF20C57-9FCE-46fb-B239-436246E5513C}.exe	{A3980E4B-586B-4738-AD36-16915E2129DD}.exe
File created	C:\Windows\{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe	{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2124	2024-04-16_52f8f92d3fed783453ad5bff2294461c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1716	{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe
Token: SeIncBasePriorityPrivilege	2468	{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe
Token: SeIncBasePriorityPrivilege	1632	{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe
Token: SeIncBasePriorityPrivilege	2436	{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe
Token: SeIncBasePriorityPrivilege	876	{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe
Token: SeIncBasePriorityPrivilege	2120	{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe
Token: SeIncBasePriorityPrivilege	1072	{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe
Token: SeIncBasePriorityPrivilege	520	{02A84BB7-769F-41d4-B6AC-5B95B08B1BD3}.exe
Token: SeIncBasePriorityPrivilege	1752	{46E0CA49-4E55-4c1a-8ECC-7A6785B598E8}.exe
Token: SeIncBasePriorityPrivilege	1492	{A0E6DF6D-D7E7-461a-9D34-074903470236}.exe
Token: SeIncBasePriorityPrivilege	1284	{A3980E4B-586B-4738-AD36-16915E2129DD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1716	2124	2024-04-16_52f8f92d3fed783453ad5bff2294461c_goldeneye.exe	28
PID 2124 wrote to memory of 1716	2124	2024-04-16_52f8f92d3fed783453ad5bff2294461c_goldeneye.exe	28
PID 2124 wrote to memory of 1716	2124	2024-04-16_52f8f92d3fed783453ad5bff2294461c_goldeneye.exe	28
PID 2124 wrote to memory of 1716	2124	2024-04-16_52f8f92d3fed783453ad5bff2294461c_goldeneye.exe	28
PID 2124 wrote to memory of 2288	2124	2024-04-16_52f8f92d3fed783453ad5bff2294461c_goldeneye.exe	29
PID 2124 wrote to memory of 2288	2124	2024-04-16_52f8f92d3fed783453ad5bff2294461c_goldeneye.exe	29
PID 2124 wrote to memory of 2288	2124	2024-04-16_52f8f92d3fed783453ad5bff2294461c_goldeneye.exe	29
PID 2124 wrote to memory of 2288	2124	2024-04-16_52f8f92d3fed783453ad5bff2294461c_goldeneye.exe	29
PID 1716 wrote to memory of 2468	1716	{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe	30
PID 1716 wrote to memory of 2468	1716	{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe	30
PID 1716 wrote to memory of 2468	1716	{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe	30
PID 1716 wrote to memory of 2468	1716	{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe	30
PID 1716 wrote to memory of 2580	1716	{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe	31
PID 1716 wrote to memory of 2580	1716	{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe	31
PID 1716 wrote to memory of 2580	1716	{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe	31
PID 1716 wrote to memory of 2580	1716	{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe	31
PID 2468 wrote to memory of 1632	2468	{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe	32
PID 2468 wrote to memory of 1632	2468	{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe	32
PID 2468 wrote to memory of 1632	2468	{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe	32
PID 2468 wrote to memory of 1632	2468	{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe	32
PID 2468 wrote to memory of 2480	2468	{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe	33
PID 2468 wrote to memory of 2480	2468	{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe	33
PID 2468 wrote to memory of 2480	2468	{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe	33
PID 2468 wrote to memory of 2480	2468	{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe	33
PID 1632 wrote to memory of 2436	1632	{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe	36
PID 1632 wrote to memory of 2436	1632	{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe	36
PID 1632 wrote to memory of 2436	1632	{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe	36
PID 1632 wrote to memory of 2436	1632	{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe	36
PID 1632 wrote to memory of 2884	1632	{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe	37
PID 1632 wrote to memory of 2884	1632	{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe	37
PID 1632 wrote to memory of 2884	1632	{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe	37
PID 1632 wrote to memory of 2884	1632	{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe	37
PID 2436 wrote to memory of 876	2436	{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe	38
PID 2436 wrote to memory of 876	2436	{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe	38
PID 2436 wrote to memory of 876	2436	{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe	38
PID 2436 wrote to memory of 876	2436	{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe	38
PID 2436 wrote to memory of 2728	2436	{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe	39
PID 2436 wrote to memory of 2728	2436	{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe	39
PID 2436 wrote to memory of 2728	2436	{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe	39
PID 2436 wrote to memory of 2728	2436	{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe	39
PID 876 wrote to memory of 2120	876	{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe	40
PID 876 wrote to memory of 2120	876	{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe	40
PID 876 wrote to memory of 2120	876	{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe	40
PID 876 wrote to memory of 2120	876	{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe	40
PID 876 wrote to memory of 2264	876	{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe	41
PID 876 wrote to memory of 2264	876	{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe	41
PID 876 wrote to memory of 2264	876	{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe	41
PID 876 wrote to memory of 2264	876	{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe	41
PID 2120 wrote to memory of 1072	2120	{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe	42
PID 2120 wrote to memory of 1072	2120	{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe	42
PID 2120 wrote to memory of 1072	2120	{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe	42
PID 2120 wrote to memory of 1072	2120	{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe	42
PID 2120 wrote to memory of 2596	2120	{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe	43
PID 2120 wrote to memory of 2596	2120	{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe	43
PID 2120 wrote to memory of 2596	2120	{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe	43
PID 2120 wrote to memory of 2596	2120	{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe	43
PID 1072 wrote to memory of 520	1072	{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe	44
PID 1072 wrote to memory of 520	1072	{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe	44
PID 1072 wrote to memory of 520	1072	{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe	44
PID 1072 wrote to memory of 520	1072	{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe	44
PID 1072 wrote to memory of 1888	1072	{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe	45
PID 1072 wrote to memory of 1888	1072	{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe	45
PID 1072 wrote to memory of 1888	1072	{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe	45
PID 1072 wrote to memory of 1888	1072	{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-16_52f8f92d3fed783453ad5bff2294461c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_52f8f92d3fed783453ad5bff2294461c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe
  C:\Windows\{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe
    C:\Windows\{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe
      C:\Windows\{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Windows\{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe
        
        C:\Windows\{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe
        
        C:\Windows\{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe
        
        C:\Windows\{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe
        
        C:\Windows\{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\{02A84BB7-769F-41d4-B6AC-5B95B08B1BD3}.exe
        
        C:\Windows\{02A84BB7-769F-41d4-B6AC-5B95B08B1BD3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:520
        
        C:\Windows\{46E0CA49-4E55-4c1a-8ECC-7A6785B598E8}.exe
        
        C:\Windows\{46E0CA49-4E55-4c1a-8ECC-7A6785B598E8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\{A0E6DF6D-D7E7-461a-9D34-074903470236}.exe
        
        C:\Windows\{A0E6DF6D-D7E7-461a-9D34-074903470236}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\{A3980E4B-586B-4738-AD36-16915E2129DD}.exe
        
        C:\Windows\{A3980E4B-586B-4738-AD36-16915E2129DD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\{2BF20C57-9FCE-46fb-B239-436246E5513C}.exe
        
        C:\Windows\{2BF20C57-9FCE-46fb-B239-436246E5513C}.exe
        13⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3980~1.EXE > nul
        13⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0E6D~1.EXE > nul
        12⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46E0C~1.EXE > nul
        11⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02A84~1.EXE > nul
        10⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3B9C~1.EXE > nul
        9⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A3B8~1.EXE > nul
        8⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C2DD~1.EXE > nul
        7⤵
        
        PID:2264
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0D94~1.EXE > nul
        6⤵
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C047~1.EXE > nul
        5⤵
        
        PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AE7BE~1.EXE > nul
      4⤵
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3C549~1.EXE > nul
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02A84BB7-769F-41d4-B6AC-5B95B08B1BD3}.exe

Filesize
180KB

MD5
263cd79b3c5fee78afd48500c3809a4f

SHA1
2a418384ec3de75f9f626d7cf9437259a9c1abd9

SHA256
04ae63ab59a4587b7facf7ef2d02f197ba52b2f93f72fb5f959ec81b9a4a5399

SHA512
db8c2e8654e015dbe9da09243a820cb357b4126f2e2aa1df54426d3d391ea52e23bd65b664169f54937eaabdc10487a85dc24d8ed4b4b3125151aafbbeb63d2b

Download Submit
C:\Windows\{0C2DD32B-A447-43fe-89D1-935B242FD1A3}.exe

Filesize
180KB

MD5
a890b08a204e2a23985457a64c9f6d94

SHA1
ff2aec37f2ac579b3ba5afa9f99928ece8afa39f

SHA256
a68f2d8086a6d3d48b95dff68b2f7de50b9aa9e6ccf4c05fb72491b944c14217

SHA512
75f8010753f3c12b85cab5dc8a863b7a4b8995e9301f2b7c61db7774ea88f6676fb88b5a31ea006e7c7b91e437b6fbe43b901ba104145b25e7a8f41fa7ae3fbe

Download Submit
C:\Windows\{2BF20C57-9FCE-46fb-B239-436246E5513C}.exe

Filesize
180KB

MD5
0904b7038a69247231e705413ba7026b

SHA1
995f743c3e2e93aa9bdd2dcbfe88ce156de194c9

SHA256
a9fb77facd1d6c716b1bef902ae43d7404c81bd1467ffe66e8d954dc311a7269

SHA512
0d39abbb2df06b0a738fc71e608a7ad5b35d7065ffcc81a5ff0368f7f61093beeb7d322024a09c35183c36b138467f6d287b6e92357850a392ad4fc9634607cc

Download Submit
C:\Windows\{3C549E2F-ED30-4cb1-8BB5-469EB752D9F6}.exe

Filesize
180KB

MD5
8d8c6a2970052d2510e69f30510af901

SHA1
a03b717bb5427f54d424ec301613cf430e2de019

SHA256
b2fccab085323110ef0c2e807edc3f2aaa282dd2fed2b8495cc5ba139529df08

SHA512
2617e038866db8779129093092101c3051f9c8d65d408faacc9037a9964aca2ab672df2f5391704446eaeba0bc2b3d19afb46b3cc6965fb94efd7f348c9a078a

Download Submit
C:\Windows\{46E0CA49-4E55-4c1a-8ECC-7A6785B598E8}.exe

Filesize
180KB

MD5
582cb34041b3f6fdbffadb4d8773c463

SHA1
7a902f5b4044f800b74ba0a008f0d46df21fec80

SHA256
2003e03601133c9c8a05c628d2f341ec2bb6281bc7fce3df50cf2bb2d3a33737

SHA512
8d5e6487441b496c9a8b0cc3667da9181cbe5a4dc20e53b81691038f975abd340d93930a6163af4433118a12d37516ec077b0bd844c95d197b344b011e9c20bf

Download Submit
C:\Windows\{6A3B8635-6BF0-4631-8EE3-DDB921E37A60}.exe

Filesize
180KB

MD5
ea5d90b3fbab7a0917228ec18462004d

SHA1
5a20e6e9d6187d6b616655f6a6b8e96c014d7535

SHA256
9a3861df89dd98f5ea76dcc20b84353216e41cffc3a04d9819f6a3d526c8eae4

SHA512
6e962d88f7462639801f08610e174cec10af7a007b161b6d7a0d283a07ec9c1d7a6a5f42739f98af3b4f7495d92cc50f2ae49c5ae6ae3fefca35f411790bd05c

Download Submit
C:\Windows\{7C0475EE-D49C-4384-BB66-CDEDB4C6111D}.exe

Filesize
180KB

MD5
65ca376e75bbc60b3b7b54c9e48dc5c1

SHA1
1cae747e958af3a5c720b7fdff12e5f048dc4376

SHA256
1fc12485ac14faa1b749d9f13313ed2aadc649aa11134143e0dd9e96e6294ef3

SHA512
0a1b84edc8524810e440338f2da5b39566572e595db39137868504074eb06c2312e7537921396bd9ee734ebb2475b204c2fb36f9de97579f1bb50dcc339212fd

Download Submit
C:\Windows\{A0E6DF6D-D7E7-461a-9D34-074903470236}.exe

Filesize
180KB

MD5
978cc185671cdef9d7df9da0e9b33950

SHA1
00ff58bee5701f1fac45fb4e6af0730c180bb460

SHA256
ecb17e1625c8d517feb96cc41fa7b0759bf2da462e13c00d7df441172b8d8c57

SHA512
8342d38e7b69ce6900978e8b49d515ce8971928043d6814d915d028a82c421970439ccac6f5f529f9327104c90b18f7fbb2a1b09ab8b4b2656f3e03c43d673d6

Download Submit
C:\Windows\{A3980E4B-586B-4738-AD36-16915E2129DD}.exe

Filesize
180KB

MD5
62dfa2af01f44435afc5384ea9084c12

SHA1
0118add292af20da0745bf5d9a34ec4b2b5d4762

SHA256
27e501993b6ee3af15c495407ce1cb652a703a62dbd527962d9ea93462f2745f

SHA512
82d41e422be2000d08efb7a57f5970073c048a2d45882def491d76b89763d9b18c9d88d60438bd681ce53a1b9ea8377f780d77e95e8466cc4a6d114e9a72b67c

Download Submit
C:\Windows\{AE7BE001-A556-48a4-96B9-D6D911F8B754}.exe

Filesize
180KB

MD5
d8d93ecd1f4f4a58b2b54f522d774749

SHA1
d09119fbb48f41ddc2d9fd359ba8825d5d66f337

SHA256
fcf394e60edabf19f86edc6c31bde97af0d71e9785636e09afc1f521a63f4b80

SHA512
b653300c7a92cabb9d739d154646d60991de32003ba527865cf6aac81cd9fd1fd91062d817be765ee78947df39c084b870af26854f603302db38937c92b93794

Download Submit
C:\Windows\{E0D94B59-BB1F-435d-B51A-611D13E2A746}.exe

Filesize
180KB

MD5
9af9c49c5caa076fea0180b6e61fe3eb

SHA1
5cca1d2df99de382e182b8bd239a41c155edc5c4

SHA256
f2bab8ec0ccff7cbbb750ab3b1b075e321ed7d670e5c760eb0b008e2e0ff7220

SHA512
103484a9d47dc25375bca936c9890fcfdf9bf50551f85abe7cd36e8f5adf36af9b0fc1618a511b0f478247ed48078e00a83089d607c9229bd7b1529ccf2949a4

Download Submit
C:\Windows\{E3B9CC68-CC75-40f6-82E9-74D3D1D9F190}.exe

Filesize
180KB

MD5
81a34c1e586c97f1419bf3606de7a0ef

SHA1
ed30d3131b68aeb1fc2140b124c7127f71e675ed

SHA256
1fc40d8fbfa5f5e8fa5f6ae69c79e741b00f26f05eccf67b374a99afc6cfc67f

SHA512
cd09527ccc626e3730f4f1ddfcc9862a26af4d10793a77ca788b5b5f9cfcf17f2d713c486aaf0e39104cae0049dfc07951291169b6d362fce763a903c1d839ec

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads