2c742682ea48a9372e9a632cbdaa1f9814f739d1efd889db6722937476d12e04

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe
Size

380KB
MD5

019c8a65489a527e9ecb922e1f7bdd7d
SHA1

4163253e449f2f36c764fb6dc7d572438ebd50c8
SHA256

2c742682ea48a9372e9a632cbdaa1f9814f739d1efd889db6722937476d12e04
SHA512

29a12b2cea1f3726f4ef2148d4c30f5ef8f1b9bf8237a3400a4f8a82d833e58cd4109254ae9999865a0488ff45d1e48588481a45a8124ffbd2d6436e0b0db2e7
SSDEEP

3072:mEGh0o3lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGFl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023401-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233fc-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023409-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233fc-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023409-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233fc-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023409-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233fc-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023409-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233fc-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023406-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233fc-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}	{A5F338F4-D7CD-403f-956E-82906C372710}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}\stubpath = "C:\\Windows\\{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe"	{A5F338F4-D7CD-403f-956E-82906C372710}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}	{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}	{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}\stubpath = "C:\\Windows\\{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe"	{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}\stubpath = "C:\\Windows\\{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe"	{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5F338F4-D7CD-403f-956E-82906C372710}\stubpath = "C:\\Windows\\{A5F338F4-D7CD-403f-956E-82906C372710}.exe"	{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{699E27E9-E7C2-4ddb-9289-7F2908762514}	{F8AFEF6F-50CC-4114-9AE2-A587B743EBC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C5B34FE-CF4C-449e-85C4-712483E75567}	{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}	{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5F338F4-D7CD-403f-956E-82906C372710}	{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8AFEF6F-50CC-4114-9AE2-A587B743EBC8}	{AD910705-A19C-4c18-98E7-29CE87636CCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}\stubpath = "C:\\Windows\\{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe"	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED78009E-3F68-4900-9A06-BC78E7474D44}	{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED78009E-3F68-4900-9A06-BC78E7474D44}\stubpath = "C:\\Windows\\{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe"	{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD910705-A19C-4c18-98E7-29CE87636CCE}	{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{699E27E9-E7C2-4ddb-9289-7F2908762514}\stubpath = "C:\\Windows\\{699E27E9-E7C2-4ddb-9289-7F2908762514}.exe"	{F8AFEF6F-50CC-4114-9AE2-A587B743EBC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C5B34FE-CF4C-449e-85C4-712483E75567}\stubpath = "C:\\Windows\\{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe"	{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9DA526B-4148-43f9-8C7C-A85BEA321757}	{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9DA526B-4148-43f9-8C7C-A85BEA321757}\stubpath = "C:\\Windows\\{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe"	{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}\stubpath = "C:\\Windows\\{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe"	{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD910705-A19C-4c18-98E7-29CE87636CCE}\stubpath = "C:\\Windows\\{AD910705-A19C-4c18-98E7-29CE87636CCE}.exe"	{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8AFEF6F-50CC-4114-9AE2-A587B743EBC8}\stubpath = "C:\\Windows\\{F8AFEF6F-50CC-4114-9AE2-A587B743EBC8}.exe"	{AD910705-A19C-4c18-98E7-29CE87636CCE}.exe

Executes dropped EXE 12 IoCs

pid	Process
3328	{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe
3784	{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe
3648	{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe
3884	{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe
3188	{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe
720	{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe
4756	{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe
4436	{A5F338F4-D7CD-403f-956E-82906C372710}.exe
1612	{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe
1116	{AD910705-A19C-4c18-98E7-29CE87636CCE}.exe
3032	{F8AFEF6F-50CC-4114-9AE2-A587B743EBC8}.exe
3552	{699E27E9-E7C2-4ddb-9289-7F2908762514}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe	{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe
File created	C:\Windows\{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe	{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe
File created	C:\Windows\{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe	{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe
File created	C:\Windows\{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe	{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe
File created	C:\Windows\{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe	{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe
File created	C:\Windows\{A5F338F4-D7CD-403f-956E-82906C372710}.exe	{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe
File created	C:\Windows\{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe	{A5F338F4-D7CD-403f-956E-82906C372710}.exe
File created	C:\Windows\{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe	{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe
File created	C:\Windows\{699E27E9-E7C2-4ddb-9289-7F2908762514}.exe	{F8AFEF6F-50CC-4114-9AE2-A587B743EBC8}.exe
File created	C:\Windows\{AD910705-A19C-4c18-98E7-29CE87636CCE}.exe	{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe
File created	C:\Windows\{F8AFEF6F-50CC-4114-9AE2-A587B743EBC8}.exe	{AD910705-A19C-4c18-98E7-29CE87636CCE}.exe
File created	C:\Windows\{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3616	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3328	{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe
Token: SeIncBasePriorityPrivilege	3784	{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe
Token: SeIncBasePriorityPrivilege	3648	{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe
Token: SeIncBasePriorityPrivilege	3884	{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe
Token: SeIncBasePriorityPrivilege	3188	{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe
Token: SeIncBasePriorityPrivilege	720	{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe
Token: SeIncBasePriorityPrivilege	4756	{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe
Token: SeIncBasePriorityPrivilege	4436	{A5F338F4-D7CD-403f-956E-82906C372710}.exe
Token: SeIncBasePriorityPrivilege	1612	{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe
Token: SeIncBasePriorityPrivilege	1116	{AD910705-A19C-4c18-98E7-29CE87636CCE}.exe
Token: SeIncBasePriorityPrivilege	3032	{F8AFEF6F-50CC-4114-9AE2-A587B743EBC8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 3328	3616	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe	91
PID 3616 wrote to memory of 3328	3616	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe	91
PID 3616 wrote to memory of 3328	3616	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe	91
PID 3616 wrote to memory of 2552	3616	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe	92
PID 3616 wrote to memory of 2552	3616	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe	92
PID 3616 wrote to memory of 2552	3616	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe	92
PID 3328 wrote to memory of 3784	3328	{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe	93
PID 3328 wrote to memory of 3784	3328	{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe	93
PID 3328 wrote to memory of 3784	3328	{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe	93
PID 3328 wrote to memory of 704	3328	{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe	94
PID 3328 wrote to memory of 704	3328	{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe	94
PID 3328 wrote to memory of 704	3328	{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe	94
PID 3784 wrote to memory of 3648	3784	{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe	98
PID 3784 wrote to memory of 3648	3784	{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe	98
PID 3784 wrote to memory of 3648	3784	{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe	98
PID 3784 wrote to memory of 4140	3784	{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe	99
PID 3784 wrote to memory of 4140	3784	{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe	99
PID 3784 wrote to memory of 4140	3784	{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe	99
PID 3648 wrote to memory of 3884	3648	{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe	100
PID 3648 wrote to memory of 3884	3648	{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe	100
PID 3648 wrote to memory of 3884	3648	{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe	100
PID 3648 wrote to memory of 2000	3648	{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe	101
PID 3648 wrote to memory of 2000	3648	{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe	101
PID 3648 wrote to memory of 2000	3648	{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe	101
PID 3884 wrote to memory of 3188	3884	{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe	102
PID 3884 wrote to memory of 3188	3884	{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe	102
PID 3884 wrote to memory of 3188	3884	{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe	102
PID 3884 wrote to memory of 2212	3884	{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe	103
PID 3884 wrote to memory of 2212	3884	{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe	103
PID 3884 wrote to memory of 2212	3884	{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe	103
PID 3188 wrote to memory of 720	3188	{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe	104
PID 3188 wrote to memory of 720	3188	{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe	104
PID 3188 wrote to memory of 720	3188	{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe	104
PID 3188 wrote to memory of 2372	3188	{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe	105
PID 3188 wrote to memory of 2372	3188	{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe	105
PID 3188 wrote to memory of 2372	3188	{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe	105
PID 720 wrote to memory of 4756	720	{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe	106
PID 720 wrote to memory of 4756	720	{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe	106
PID 720 wrote to memory of 4756	720	{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe	106
PID 720 wrote to memory of 3516	720	{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe	107
PID 720 wrote to memory of 3516	720	{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe	107
PID 720 wrote to memory of 3516	720	{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe	107
PID 4756 wrote to memory of 4436	4756	{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe	108
PID 4756 wrote to memory of 4436	4756	{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe	108
PID 4756 wrote to memory of 4436	4756	{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe	108
PID 4756 wrote to memory of 868	4756	{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe	109
PID 4756 wrote to memory of 868	4756	{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe	109
PID 4756 wrote to memory of 868	4756	{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe	109
PID 4436 wrote to memory of 1612	4436	{A5F338F4-D7CD-403f-956E-82906C372710}.exe	110
PID 4436 wrote to memory of 1612	4436	{A5F338F4-D7CD-403f-956E-82906C372710}.exe	110
PID 4436 wrote to memory of 1612	4436	{A5F338F4-D7CD-403f-956E-82906C372710}.exe	110
PID 4436 wrote to memory of 1708	4436	{A5F338F4-D7CD-403f-956E-82906C372710}.exe	111
PID 4436 wrote to memory of 1708	4436	{A5F338F4-D7CD-403f-956E-82906C372710}.exe	111
PID 4436 wrote to memory of 1708	4436	{A5F338F4-D7CD-403f-956E-82906C372710}.exe	111
PID 1612 wrote to memory of 1116	1612	{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe	112
PID 1612 wrote to memory of 1116	1612	{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe	112
PID 1612 wrote to memory of 1116	1612	{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe	112
PID 1612 wrote to memory of 1248	1612	{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe	113
PID 1612 wrote to memory of 1248	1612	{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe	113
PID 1612 wrote to memory of 1248	1612	{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe	113
PID 1116 wrote to memory of 3032	1116	{AD910705-A19C-4c18-98E7-29CE87636CCE}.exe	114
PID 1116 wrote to memory of 3032	1116	{AD910705-A19C-4c18-98E7-29CE87636CCE}.exe	114
PID 1116 wrote to memory of 3032	1116	{AD910705-A19C-4c18-98E7-29CE87636CCE}.exe	114
PID 1116 wrote to memory of 1192	1116	{AD910705-A19C-4c18-98E7-29CE87636CCE}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe
  C:\Windows\{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe
    C:\Windows\{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Windows\{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe
      C:\Windows\{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3648
    - - C:\Windows\{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe
        
        C:\Windows\{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3884
      - C:\Windows\{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe
        
        C:\Windows\{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe
        
        C:\Windows\{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe
        
        C:\Windows\{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\{A5F338F4-D7CD-403f-956E-82906C372710}.exe
        
        C:\Windows\{A5F338F4-D7CD-403f-956E-82906C372710}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe
        
        C:\Windows\{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{AD910705-A19C-4c18-98E7-29CE87636CCE}.exe
        
        C:\Windows\{AD910705-A19C-4c18-98E7-29CE87636CCE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\{F8AFEF6F-50CC-4114-9AE2-A587B743EBC8}.exe
        
        C:\Windows\{F8AFEF6F-50CC-4114-9AE2-A587B743EBC8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\{699E27E9-E7C2-4ddb-9289-7F2908762514}.exe
        
        C:\Windows\{699E27E9-E7C2-4ddb-9289-7F2908762514}.exe
        13⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8AFE~1.EXE > nul
        13⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD910~1.EXE > nul
        12⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19CF9~1.EXE > nul
        11⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5F33~1.EXE > nul
        10⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED780~1.EXE > nul
        9⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08D5C~1.EXE > nul
        8⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0036D~1.EXE > nul
        7⤵
        
        PID:2372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED3A2~1.EXE > nul
        6⤵
        
        PID:2212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9DA5~1.EXE > nul
        5⤵
        
        PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1C5B3~1.EXE > nul
      4⤵
      PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E1E80~1.EXE > nul
    3⤵
    PID:704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0036DA7D-A76C-4b06-9FC2-C2B38B8768AF}.exe

Filesize
380KB

MD5
ad29282ef728d51b7a68c95b03b013cc

SHA1
450a6f7fe0abb23764864bb7dbeda3247eff8e1d

SHA256
01fc140dff9f1830f70c1a6712d9d7f243533a6be54f3423c2a432a17f0dea4a

SHA512
32a878f994988c077194ac3d5ea7d4b11a824d6d52bd3697ecbb093e2dc9b989d5098b1a36d83461264022e197004be8310dd4d820b3f8cc2395d2575b8306c3

Download Submit
C:\Windows\{08D5C3C1-A3D0-4fce-A7C7-DF536B153E6A}.exe

Filesize
380KB

MD5
da60e12368d34fe313fd003820923d8c

SHA1
0bd62f9208cc43dbe085ae3d473600d9354daea0

SHA256
3226e46195992a529dcc858ec13d5cea31166e7b771a143c8479520ca4176108

SHA512
617938876f3b8ff05cbe65a0b133986b2e21c4e8064fbff84e1c38f87af6c63e3aadad388d6576c0228273b2b504be290f3e3eb3a30f181e319a86e4e9b7ebd1

Download Submit
C:\Windows\{19CF9B7D-B1BB-4dac-B0F9-DC19114230A4}.exe

Filesize
380KB

MD5
1621feca287597e150828d7f88a7578f

SHA1
8221f4a51511e5639d727041ad909141151830b4

SHA256
cc2de7322ff83e04f6a725e49847e36bf1ac379bef9232598ed9bab0a398312c

SHA512
be9b0007a75bce95ac1eb884dc36a2d2e1c242c928bd437db40a4f712ba487bdcb71bdc3a3ca57ac78dc378db0b8aa053854470ea340bd7c1c3a5a305a11914e

Download Submit
C:\Windows\{1C5B34FE-CF4C-449e-85C4-712483E75567}.exe

Filesize
380KB

MD5
2d34c52d71a79231bf14539685a78321

SHA1
b4ade6998776f6e3976a5993470fb4d530322234

SHA256
0044c3cda5e6b7c67881ae9ab223c5565160732d4691e8d24084e929768925da

SHA512
e94c220d6ea40c4da2af4b2a4cf0e84e30883cb402beef5ddf278a1c87858fde6023153f0c27cc48e2982cd5d025ea6432a855fe7f8ee5199b03f79a8ffb7df0

Download Submit
C:\Windows\{699E27E9-E7C2-4ddb-9289-7F2908762514}.exe

Filesize
380KB

MD5
7bb461460ceba1687ac5588670bf3d0f

SHA1
75dbab5f250cd368f90cb46df0cfa3240d16f37d

SHA256
c3197ab62bce91fbde4e9d1af3fceef6a940e59d0b0d96fd674914fdac039f92

SHA512
035a74108d3953e99270822a62100202de0cffdaf73168252b9bc1bad30f8c29a38f432cbd996ae820a470b1f51bd7fa3dff54b29f5ff5c93d7f4d872333342b

Download Submit
C:\Windows\{A5F338F4-D7CD-403f-956E-82906C372710}.exe

Filesize
380KB

MD5
514e852ec24dc48e11eba12470e3ddab

SHA1
b3a7ff61c1ff7c3e4189e830b39804324e9b09a1

SHA256
08818982ffddbfc1749fb6af383a72568a0aa0d80bf011706fc2b2cfa1bd2f47

SHA512
f3e5bbeec54c42c43b2a4c620240c4a5836dc3f58a8a48aeab2c9ac6ebdec5a3a9028a4c6a0b63810431ff4e9e2104c98ccc9bff9d1f389e54ab9edbcfb584b5

Download Submit
C:\Windows\{AD910705-A19C-4c18-98E7-29CE87636CCE}.exe

Filesize
380KB

MD5
a811972205b4aae7acbe52901c2f20ef

SHA1
15445826c367d773881ba35a9c5b31f7da84be5b

SHA256
7b669ea4f6ba912c7624dcb7abb6bc9ce2ac2f4485dc0ca19b3bf27960d1c8e3

SHA512
fe349a1719ae66ff2eab9a62752f723786be342fc0c57124eaeaad91f6355720b55460870c2f8d0eb1c1d6075adcf23ad73d3c53d7db755f863f1121bd8cb13d

Download Submit
C:\Windows\{C9DA526B-4148-43f9-8C7C-A85BEA321757}.exe

Filesize
380KB

MD5
426b23fa07d79b727d2030203ec0f4f8

SHA1
eba1852b30259b036df72c161d1e0ec7409a5a4c

SHA256
e75b745648dc84daea84eeb373debb021e3425252241b8bbc8bd163ad7f9735d

SHA512
7a9dbe104e46aea71ac602f743ca32b8a4409c1578983e2f7998f8decc69f64bc278796387607bc263100f6066d2ea608c47d840b91b0712f4465fed9de4dc32

Download Submit
C:\Windows\{E1E803A8-9EEB-41b7-86F8-4D15A8BD0E07}.exe

Filesize
380KB

MD5
dc38189f358df5bdb2368ff5b345ac23

SHA1
49e4bedbe7342a5dd7ff3834e97a4e83f049d183

SHA256
c359b01fa6833e838fc8f420b23d91e069f54a710aa7af9a4b8097d45d3f7e46

SHA512
8bc489b1fe88eb698b1f2c949e6d7e116919e16506fbd74bd6fa8d5f9108791e11454fda4250a186ec4737ea677997c38e56e4c5ded6e25973e185e37653d7fa

Download Submit
C:\Windows\{ED3A2F78-BE2A-4771-8C06-41B9B0D7312A}.exe

Filesize
380KB

MD5
f27db4a6924312a6f63be479fe42c1f9

SHA1
481096b7cfa7e92d83fddf43ea087ead4bda0065

SHA256
19cf02cd0e9dbf834e697b299fe5fce1be123720d1114f8c6555df893eca8506

SHA512
5316f2a928531fe9f4ba5062b608edafd29dd7367487b8d1d87af50300e82a286ed0dd0c758cb39e1cca9e16f03c8df764b4673dd23fb38c5442229590e09be4

Download Submit
C:\Windows\{ED78009E-3F68-4900-9A06-BC78E7474D44}.exe

Filesize
380KB

MD5
f36f16549397025ac5d3d9bd45e501b2

SHA1
d18d5d25bc59eb5579f2d57c38cbc423e49b6bcf

SHA256
5f2b0a97dcd79f41cdd633b6132e539bbbc8eb70227fc06033b3d83124d04141

SHA512
75af14d285de480159b50ee31179fbfa62c76f7871aa646e7bb271babf4d5ba25b088f4e55eb59f3e89c5a62edb49f3f7ba521fea27a8b53c50792ff5f7c1d6c

Download Submit
C:\Windows\{F8AFEF6F-50CC-4114-9AE2-A587B743EBC8}.exe

Filesize
380KB

MD5
468e09ff8a55483d212002d597a59d27

SHA1
50d9fc1b34b46a95e3b9af55c3fbb6019184991c

SHA256
93ae95bdfc343004d77b344a522e5020f0a9f365a37b91dd4c5773dfbf984598

SHA512
47bc1ea75708512194158b9b941df54bf5bb128654a5763122fd20964e07f88ceddd74170596b0bedf8a1c612e004af656fc53df41f0b0b2c094e61700f4f8f1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads