131576bee4fa688e4445a3de1b1343e5da90f80d6bbb6939f5bc7fed1625001d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 01:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe
Size

204KB
MD5

3aa4105943ff24d0842cfa1b57f7134b
SHA1

1284b01e2938e19ecab9c4ece9b1d073f98ce3a5
SHA256

131576bee4fa688e4445a3de1b1343e5da90f80d6bbb6939f5bc7fed1625001d
SHA512

7fe3cf7a84aca26a4ad1855d4e1a93c47efd44503466c6a634ed845b99660a82577be7cff4593f76977491000b173840a9e091fc1168fb233e70b2eb0f29e0c4
SSDEEP

1536:1EGh0oll15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oll1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000006d9-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023380-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002338a-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023380-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002338a-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023380-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002338a-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023380-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002338a-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023380-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002338a-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}\stubpath = "C:\\Windows\\{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe"	{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C6B6762-2C40-45b8-93CF-B22233E98CC2}\stubpath = "C:\\Windows\\{6C6B6762-2C40-45b8-93CF-B22233E98CC2}.exe"	{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02031EBD-EAF5-49da-ADA6-2C4CFB330CF7}	{6C6B6762-2C40-45b8-93CF-B22233E98CC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02031EBD-EAF5-49da-ADA6-2C4CFB330CF7}\stubpath = "C:\\Windows\\{02031EBD-EAF5-49da-ADA6-2C4CFB330CF7}.exe"	{6C6B6762-2C40-45b8-93CF-B22233E98CC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}	{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}	{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}	{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}\stubpath = "C:\\Windows\\{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe"	{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5155ACC-D794-4db6-A52F-B4634F5742FF}\stubpath = "C:\\Windows\\{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe"	{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7236238C-D4E8-414d-A14D-849FADA4F9EA}\stubpath = "C:\\Windows\\{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe"	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21FD2310-B4A1-44e0-BB6C-01CF2B853487}\stubpath = "C:\\Windows\\{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe"	{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5593105-09B2-4655-9AB5-C66904ACEE40}	{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}\stubpath = "C:\\Windows\\{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}.exe"	{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5593105-09B2-4655-9AB5-C66904ACEE40}\stubpath = "C:\\Windows\\{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe"	{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}\stubpath = "C:\\Windows\\{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe"	{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}	{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C74EDF65-EE4D-4cd9-A247-25444424430F}	{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C74EDF65-EE4D-4cd9-A247-25444424430F}\stubpath = "C:\\Windows\\{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe"	{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}	{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5155ACC-D794-4db6-A52F-B4634F5742FF}	{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C6B6762-2C40-45b8-93CF-B22233E98CC2}	{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7236238C-D4E8-414d-A14D-849FADA4F9EA}	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21FD2310-B4A1-44e0-BB6C-01CF2B853487}	{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}\stubpath = "C:\\Windows\\{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe"	{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe

Executes dropped EXE 12 IoCs

pid	Process
3116	{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe
3464	{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe
3832	{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe
2900	{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe
4948	{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe
972	{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe
1072	{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe
3036	{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe
3940	{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe
3100	{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}.exe
3120	{6C6B6762-2C40-45b8-93CF-B22233E98CC2}.exe
1536	{02031EBD-EAF5-49da-ADA6-2C4CFB330CF7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe	{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe
File created	C:\Windows\{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe	{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe
File created	C:\Windows\{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe	{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe
File created	C:\Windows\{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}.exe	{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe
File created	C:\Windows\{02031EBD-EAF5-49da-ADA6-2C4CFB330CF7}.exe	{6C6B6762-2C40-45b8-93CF-B22233E98CC2}.exe
File created	C:\Windows\{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe
File created	C:\Windows\{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe	{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe
File created	C:\Windows\{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe	{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe
File created	C:\Windows\{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe	{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe
File created	C:\Windows\{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe	{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe
File created	C:\Windows\{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe	{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe
File created	C:\Windows\{6C6B6762-2C40-45b8-93CF-B22233E98CC2}.exe	{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1872	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3116	{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe
Token: SeIncBasePriorityPrivilege	3464	{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe
Token: SeIncBasePriorityPrivilege	3832	{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe
Token: SeIncBasePriorityPrivilege	2900	{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe
Token: SeIncBasePriorityPrivilege	4948	{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe
Token: SeIncBasePriorityPrivilege	972	{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe
Token: SeIncBasePriorityPrivilege	1072	{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe
Token: SeIncBasePriorityPrivilege	3036	{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe
Token: SeIncBasePriorityPrivilege	3940	{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe
Token: SeIncBasePriorityPrivilege	3100	{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}.exe
Token: SeIncBasePriorityPrivilege	3120	{6C6B6762-2C40-45b8-93CF-B22233E98CC2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 3116	1872	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe	93
PID 1872 wrote to memory of 3116	1872	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe	93
PID 1872 wrote to memory of 3116	1872	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe	93
PID 1872 wrote to memory of 4596	1872	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe	94
PID 1872 wrote to memory of 4596	1872	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe	94
PID 1872 wrote to memory of 4596	1872	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe	94
PID 3116 wrote to memory of 3464	3116	{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe	95
PID 3116 wrote to memory of 3464	3116	{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe	95
PID 3116 wrote to memory of 3464	3116	{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe	95
PID 3116 wrote to memory of 2820	3116	{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe	96
PID 3116 wrote to memory of 2820	3116	{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe	96
PID 3116 wrote to memory of 2820	3116	{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe	96
PID 3464 wrote to memory of 3832	3464	{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe	101
PID 3464 wrote to memory of 3832	3464	{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe	101
PID 3464 wrote to memory of 3832	3464	{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe	101
PID 3464 wrote to memory of 1628	3464	{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe	102
PID 3464 wrote to memory of 1628	3464	{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe	102
PID 3464 wrote to memory of 1628	3464	{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe	102
PID 3832 wrote to memory of 2900	3832	{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe	103
PID 3832 wrote to memory of 2900	3832	{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe	103
PID 3832 wrote to memory of 2900	3832	{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe	103
PID 3832 wrote to memory of 1264	3832	{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe	104
PID 3832 wrote to memory of 1264	3832	{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe	104
PID 3832 wrote to memory of 1264	3832	{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe	104
PID 2900 wrote to memory of 4948	2900	{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe	106
PID 2900 wrote to memory of 4948	2900	{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe	106
PID 2900 wrote to memory of 4948	2900	{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe	106
PID 2900 wrote to memory of 3888	2900	{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe	107
PID 2900 wrote to memory of 3888	2900	{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe	107
PID 2900 wrote to memory of 3888	2900	{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe	107
PID 4948 wrote to memory of 972	4948	{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe	108
PID 4948 wrote to memory of 972	4948	{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe	108
PID 4948 wrote to memory of 972	4948	{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe	108
PID 4948 wrote to memory of 4552	4948	{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe	109
PID 4948 wrote to memory of 4552	4948	{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe	109
PID 4948 wrote to memory of 4552	4948	{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe	109
PID 972 wrote to memory of 1072	972	{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe	110
PID 972 wrote to memory of 1072	972	{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe	110
PID 972 wrote to memory of 1072	972	{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe	110
PID 972 wrote to memory of 2308	972	{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe	111
PID 972 wrote to memory of 2308	972	{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe	111
PID 972 wrote to memory of 2308	972	{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe	111
PID 1072 wrote to memory of 3036	1072	{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe	112
PID 1072 wrote to memory of 3036	1072	{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe	112
PID 1072 wrote to memory of 3036	1072	{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe	112
PID 1072 wrote to memory of 512	1072	{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe	113
PID 1072 wrote to memory of 512	1072	{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe	113
PID 1072 wrote to memory of 512	1072	{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe	113
PID 3036 wrote to memory of 3940	3036	{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe	114
PID 3036 wrote to memory of 3940	3036	{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe	114
PID 3036 wrote to memory of 3940	3036	{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe	114
PID 3036 wrote to memory of 4484	3036	{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe	115
PID 3036 wrote to memory of 4484	3036	{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe	115
PID 3036 wrote to memory of 4484	3036	{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe	115
PID 3940 wrote to memory of 3100	3940	{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe	116
PID 3940 wrote to memory of 3100	3940	{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe	116
PID 3940 wrote to memory of 3100	3940	{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe	116
PID 3940 wrote to memory of 768	3940	{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe	117
PID 3940 wrote to memory of 768	3940	{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe	117
PID 3940 wrote to memory of 768	3940	{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe	117
PID 3100 wrote to memory of 3120	3100	{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}.exe	118
PID 3100 wrote to memory of 3120	3100	{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}.exe	118
PID 3100 wrote to memory of 3120	3100	{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}.exe	118
PID 3100 wrote to memory of 1600	3100	{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe
  C:\Windows\{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe
    C:\Windows\{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe
      C:\Windows\{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3832
    - - C:\Windows\{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe
        
        C:\Windows\{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe
        
        C:\Windows\{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe
        
        C:\Windows\{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe
        
        C:\Windows\{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe
        
        C:\Windows\{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe
        
        C:\Windows\{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}.exe
        
        C:\Windows\{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\{6C6B6762-2C40-45b8-93CF-B22233E98CC2}.exe
        
        C:\Windows\{6C6B6762-2C40-45b8-93CF-B22233E98CC2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\{02031EBD-EAF5-49da-ADA6-2C4CFB330CF7}.exe
        
        C:\Windows\{02031EBD-EAF5-49da-ADA6-2C4CFB330CF7}.exe
        13⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C6B6~1.EXE > nul
        13⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F136~1.EXE > nul
        12⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5155~1.EXE > nul
        11⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C80C3~1.EXE > nul
        10⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8304~1.EXE > nul
        9⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72BA5~1.EXE > nul
        8⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C74ED~1.EXE > nul
        7⤵
        
        PID:4552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5593~1.EXE > nul
        6⤵
        
        PID:3888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CADBB~1.EXE > nul
        5⤵
        
        PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{21FD2~1.EXE > nul
      4⤵
      PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{72362~1.EXE > nul
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02031EBD-EAF5-49da-ADA6-2C4CFB330CF7}.exe

Filesize
204KB

MD5
ffc11e1c00f243e1e26f80c36ef7b029

SHA1
042d188f1454dcb38c0c36549757a25b5f8b2d20

SHA256
90781804e0b4af900e5f89ed0a47542133f41a6d359c614f0210c44adb506471

SHA512
b59d270bb4097a56fa86786c6bc9e0c243127fb7b4fefa40d9fc93a35dcc8082de125a0a0d3dba493464adbd7311f1aa938bccd89560b6a20da3e9443b85de78

Download Submit
C:\Windows\{21FD2310-B4A1-44e0-BB6C-01CF2B853487}.exe

Filesize
204KB

MD5
9e22989719ed989ada5ab406cfd2e29b

SHA1
16150dd5d81bc8269388ee1d1afff07082c0604e

SHA256
26a24e9f99304bec9ee1948956d4dad2b482b3fde97381551f6ac2642c1727ab

SHA512
be3187ae4c852924eda38dbe335166aceb4091fe8ce689949d167a056a361edcb9b21ef36a3b10910f0f8b0dd7df8ef31745d4d798c80e43b14f5baea5ce3bd8

Download Submit
C:\Windows\{3F136C30-0DDE-4404-AC5F-31C8FA9B57C9}.exe

Filesize
204KB

MD5
b663db4e7bb7b9139d70553cdfede777

SHA1
4b83f0c9d2c213eac7fab1ee55e868562f05a8b2

SHA256
db301ec80652edc4d77935ba8e510ccfa2b83e339d613d135fdff64795b72173

SHA512
7f16b77a22654db972b694933715b6abadb15ba38da9fa75ca0d1f89bd455acb13d7aa880a63376addce282380f61f6cc79df5445835253ed95edcc22eb071a1

Download Submit
C:\Windows\{6C6B6762-2C40-45b8-93CF-B22233E98CC2}.exe

Filesize
204KB

MD5
842ae4990d4d07a1aa671b70c8fdd3f7

SHA1
bd29e48b4a03276414e3ce7438a4ff1d3357abf7

SHA256
6a572b03026c4f945b211ece6ffb776400dca0c92e0174f2865b9ef1313ae201

SHA512
9575cddaef868da283c31235aec5fdd8d969263cd2c7ada671753604baca086ee5f02edc45ddb57005133a291a2efd96013a4a06d0d92c630fb6c5f20062cfc1

Download Submit
C:\Windows\{7236238C-D4E8-414d-A14D-849FADA4F9EA}.exe

Filesize
204KB

MD5
bdb16285ea8fba4412ce326b8c51e52c

SHA1
0c36ac8730a02dcf49d8c8e32039420afe4e9efe

SHA256
e7035cec9be7e182d25036f42a1224c82d8b7e81a7b04ca69a13dbfbfb4bca33

SHA512
9c07ea3a1be0cf409fd4f31fdaff55de545a8ea45b1626f25c80ce748572d29d1014298d2b87ca0a2e61fe2e0c14c7e6a5e96e0f4a2bd11d374d660246eb0dd9

Download Submit
C:\Windows\{72BA59BC-D98B-4061-8ED8-D8C941A4F6E4}.exe

Filesize
204KB

MD5
3cfbcd2d68e3f4794cef433630fb3555

SHA1
a835dd47b46617dced185ff4ea4cfd716abe0238

SHA256
4f3e23fbccad2ba7f51f4d2edbe85a48de27ac65509032568ca6142a42122b9e

SHA512
f6e7184a615112fae1f90c4955d0d597e06dfc25bdb9f9a31a2483eeaf29d785d6cf691e703987b95550ff1444e7665f5098474f70d9440599fca933cd867d68

Download Submit
C:\Windows\{A8304355-6EB4-4e5a-BE80-7FCB60FB93DB}.exe

Filesize
204KB

MD5
a16c8a5804113bbe843ed093c8cb9794

SHA1
4ddef9f60bdbbc83ec9034a272f592f1159259b0

SHA256
31ff6971cdf1262824fbcae9de6eecec1b0c823a0df556038fb475e88578e606

SHA512
91d11c35cb5aec77a397f9befc3e466fc8db241db95f930fad4db5a6e6bc0d0b02835ba08061e97de70d045d6a4872c91bd03949370f430e641b9918d6c951cd

Download Submit
C:\Windows\{C74EDF65-EE4D-4cd9-A247-25444424430F}.exe

Filesize
204KB

MD5
e402d73df3448119afd4bbfb004a0e08

SHA1
7b03d01b09ff28cc3d2560c393be009c0f0fd77c

SHA256
2c137511cfb45066dea161df20931cc87d04f71a1074e6bf6b566f45e1c50d1e

SHA512
7a0ad16b418c6f3b7602485deb9bb28bc919dc0a4096c77175eb73e05d6ed853164961f6b91e644dad9a2492f73a3c153dd6e8028a6976dcefc35517c63e927a

Download Submit
C:\Windows\{C80C31A3-267D-4f10-89CA-1BC05A36FF1A}.exe

Filesize
204KB

MD5
7a01e3b29c038b64df3a93c6fb9ba91c

SHA1
a368724d3e325d58e7429ccda75fa3ce25b6dd6d

SHA256
8a5e8752573d2e33e75179d25d8ab24b1a78242ed87d843dabcce443f1fe923c

SHA512
cf4da4b1b6b417321e444dac6b638fb74ffeee5a04d1d6c78c4d23906ddeda592018aab08b6d033bdc7dd4b33936b33d0f5f1b836685acca1d6f6155581b47a8

Download Submit
C:\Windows\{CADBBCFB-3217-46b2-A806-8CD18E8B9C4E}.exe

Filesize
204KB

MD5
e44cf2a254c7d3cf131cae873e62e441

SHA1
ee2828a530012af486446463f0bb7915a68066df

SHA256
d964bcae1f943d39d30eddf22d4e170d5962c4617c7cb719946e8681eb83ca6e

SHA512
9b1bca641879aa981367fe950bcf4e13e3d1959789065d6aaaa6d52228ffa4a0be668b95a4fb620f0d435f26a2ac19973d3ed1cd4a61387ca2b62349d9318a9c

Download Submit
C:\Windows\{D5155ACC-D794-4db6-A52F-B4634F5742FF}.exe

Filesize
204KB

MD5
e205e772068815e09e6df646f593edc9

SHA1
d49ada62c7855ce322e17bdc9e28e7a8d5e91c0e

SHA256
7a0b1fb9b57c98596aad1b0a533ad7c15db6af5f293ceb0b871cd08fed0cb313

SHA512
d346d0a21591bdcdc7fdff84f9d939c13bd9c3b5008499673ef1f32d54f726d53cb310dcfb5e30e2c273c0896a2b5255a7591c27e981c18fbe2f53412ad02bf6

Download Submit
C:\Windows\{E5593105-09B2-4655-9AB5-C66904ACEE40}.exe

Filesize
204KB

MD5
ba689281848075fdccfaad713549cc3c

SHA1
3cd217e5516ae24bf150a23470d0ce627737ee3f

SHA256
859aa8e12db466b44c54ebc2a627fae3a04edf0422ed5c1a75d60bdadfe7e749

SHA512
ec00a9a21646e04ebfd4cb4bb2c6b26ad52a186b348840be9448da2e31bc393b5c063f3df90b25cb4821c06e56f17697e08b4db701f290d75c176af045e9387c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads