741f46d46b2c7f9b78af631e35a8450042a52e5bdc023a70cfd1e9345f4aacfa

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe
Size

204KB
MD5

70124ce90feffa6832ff63b72362e260
SHA1

e6e9d2a67f0fd06e6c1438f2c173cc024a0f9057
SHA256

741f46d46b2c7f9b78af631e35a8450042a52e5bdc023a70cfd1e9345f4aacfa
SHA512

4507cb130caeef9e98f8871dd294f22a77cfd49d506fab045857fdfd76f27c25296da91d7282450642e2b93215730fb899e89274e0aae479344216a8a4db620e
SSDEEP

1536:1EGh0ofl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ofl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233f1-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233e8-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233f9-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002333c-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233f9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002333c-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233f9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002333c-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233f9-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002333c-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233f6-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233fa-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D24431E-0AC7-42f6-A894-B2487A32F6AE}	{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}\stubpath = "C:\\Windows\\{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe"	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0972D481-7DC2-40c3-AB0E-100D70E8A637}	{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}	{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}\stubpath = "C:\\Windows\\{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe"	{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}\stubpath = "C:\\Windows\\{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe"	{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D7840F4-71BD-4eb1-8544-594BCF61973A}\stubpath = "C:\\Windows\\{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe"	{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}\stubpath = "C:\\Windows\\{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe"	{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}	{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60B2984E-436A-49f3-B956-5C8D60009B62}\stubpath = "C:\\Windows\\{60B2984E-436A-49f3-B956-5C8D60009B62}.exe"	{DB3B3CE5-7E77-42ba-9FF3-0DDF0F54B8A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0972D481-7DC2-40c3-AB0E-100D70E8A637}\stubpath = "C:\\Windows\\{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe"	{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{225B1A34-56F0-4e75-8429-85BBA59ECAD3}	{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D7840F4-71BD-4eb1-8544-594BCF61973A}	{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}\stubpath = "C:\\Windows\\{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}.exe"	{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB3B3CE5-7E77-42ba-9FF3-0DDF0F54B8A7}	{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB3B3CE5-7E77-42ba-9FF3-0DDF0F54B8A7}\stubpath = "C:\\Windows\\{DB3B3CE5-7E77-42ba-9FF3-0DDF0F54B8A7}.exe"	{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C632FD44-0156-4e50-A492-D4B8571C72A3}	{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C632FD44-0156-4e50-A492-D4B8571C72A3}\stubpath = "C:\\Windows\\{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe"	{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}	{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{225B1A34-56F0-4e75-8429-85BBA59ECAD3}\stubpath = "C:\\Windows\\{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe"	{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}	{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D24431E-0AC7-42f6-A894-B2487A32F6AE}\stubpath = "C:\\Windows\\{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe"	{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60B2984E-436A-49f3-B956-5C8D60009B62}	{DB3B3CE5-7E77-42ba-9FF3-0DDF0F54B8A7}.exe

Executes dropped EXE 12 IoCs

pid	Process
1088	{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe
2300	{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe
3192	{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe
1540	{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe
2152	{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe
3948	{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe
2460	{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe
2228	{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe
4068	{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe
4456	{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}.exe
3632	{DB3B3CE5-7E77-42ba-9FF3-0DDF0F54B8A7}.exe
480	{60B2984E-436A-49f3-B956-5C8D60009B62}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe	{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe
File created	C:\Windows\{60B2984E-436A-49f3-B956-5C8D60009B62}.exe	{DB3B3CE5-7E77-42ba-9FF3-0DDF0F54B8A7}.exe
File created	C:\Windows\{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe	{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe
File created	C:\Windows\{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe	{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe
File created	C:\Windows\{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe	{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe
File created	C:\Windows\{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe	{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe
File created	C:\Windows\{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe	{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe
File created	C:\Windows\{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe	{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe
File created	C:\Windows\{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}.exe	{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe
File created	C:\Windows\{DB3B3CE5-7E77-42ba-9FF3-0DDF0F54B8A7}.exe	{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}.exe
File created	C:\Windows\{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe
File created	C:\Windows\{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe	{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	400	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1088	{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe
Token: SeIncBasePriorityPrivilege	2300	{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe
Token: SeIncBasePriorityPrivilege	3192	{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe
Token: SeIncBasePriorityPrivilege	1540	{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe
Token: SeIncBasePriorityPrivilege	2152	{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe
Token: SeIncBasePriorityPrivilege	3948	{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe
Token: SeIncBasePriorityPrivilege	2460	{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe
Token: SeIncBasePriorityPrivilege	2228	{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe
Token: SeIncBasePriorityPrivilege	4068	{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe
Token: SeIncBasePriorityPrivilege	4456	{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}.exe
Token: SeIncBasePriorityPrivilege	3632	{DB3B3CE5-7E77-42ba-9FF3-0DDF0F54B8A7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 1088	400	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe	88
PID 400 wrote to memory of 1088	400	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe	88
PID 400 wrote to memory of 1088	400	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe	88
PID 400 wrote to memory of 3536	400	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe	89
PID 400 wrote to memory of 3536	400	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe	89
PID 400 wrote to memory of 3536	400	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe	89
PID 1088 wrote to memory of 2300	1088	{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe	90
PID 1088 wrote to memory of 2300	1088	{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe	90
PID 1088 wrote to memory of 2300	1088	{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe	90
PID 1088 wrote to memory of 3708	1088	{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe	91
PID 1088 wrote to memory of 3708	1088	{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe	91
PID 1088 wrote to memory of 3708	1088	{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe	91
PID 2300 wrote to memory of 3192	2300	{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe	94
PID 2300 wrote to memory of 3192	2300	{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe	94
PID 2300 wrote to memory of 3192	2300	{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe	94
PID 2300 wrote to memory of 1520	2300	{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe	95
PID 2300 wrote to memory of 1520	2300	{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe	95
PID 2300 wrote to memory of 1520	2300	{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe	95
PID 3192 wrote to memory of 1540	3192	{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe	97
PID 3192 wrote to memory of 1540	3192	{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe	97
PID 3192 wrote to memory of 1540	3192	{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe	97
PID 3192 wrote to memory of 116	3192	{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe	98
PID 3192 wrote to memory of 116	3192	{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe	98
PID 3192 wrote to memory of 116	3192	{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe	98
PID 1540 wrote to memory of 2152	1540	{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe	99
PID 1540 wrote to memory of 2152	1540	{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe	99
PID 1540 wrote to memory of 2152	1540	{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe	99
PID 1540 wrote to memory of 3352	1540	{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe	100
PID 1540 wrote to memory of 3352	1540	{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe	100
PID 1540 wrote to memory of 3352	1540	{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe	100
PID 2152 wrote to memory of 3948	2152	{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe	101
PID 2152 wrote to memory of 3948	2152	{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe	101
PID 2152 wrote to memory of 3948	2152	{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe	101
PID 2152 wrote to memory of 524	2152	{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe	102
PID 2152 wrote to memory of 524	2152	{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe	102
PID 2152 wrote to memory of 524	2152	{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe	102
PID 3948 wrote to memory of 2460	3948	{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe	103
PID 3948 wrote to memory of 2460	3948	{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe	103
PID 3948 wrote to memory of 2460	3948	{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe	103
PID 3948 wrote to memory of 4940	3948	{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe	104
PID 3948 wrote to memory of 4940	3948	{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe	104
PID 3948 wrote to memory of 4940	3948	{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe	104
PID 2460 wrote to memory of 2228	2460	{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe	105
PID 2460 wrote to memory of 2228	2460	{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe	105
PID 2460 wrote to memory of 2228	2460	{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe	105
PID 2460 wrote to memory of 3388	2460	{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe	106
PID 2460 wrote to memory of 3388	2460	{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe	106
PID 2460 wrote to memory of 3388	2460	{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe	106
PID 2228 wrote to memory of 4068	2228	{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe	107
PID 2228 wrote to memory of 4068	2228	{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe	107
PID 2228 wrote to memory of 4068	2228	{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe	107
PID 2228 wrote to memory of 1836	2228	{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe	108
PID 2228 wrote to memory of 1836	2228	{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe	108
PID 2228 wrote to memory of 1836	2228	{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe	108
PID 4068 wrote to memory of 4456	4068	{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe	109
PID 4068 wrote to memory of 4456	4068	{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe	109
PID 4068 wrote to memory of 4456	4068	{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe	109
PID 4068 wrote to memory of 1488	4068	{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe	110
PID 4068 wrote to memory of 1488	4068	{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe	110
PID 4068 wrote to memory of 1488	4068	{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe	110
PID 4456 wrote to memory of 3632	4456	{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}.exe	111
PID 4456 wrote to memory of 3632	4456	{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}.exe	111
PID 4456 wrote to memory of 3632	4456	{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}.exe	111
PID 4456 wrote to memory of 3128	4456	{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe
  C:\Windows\{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe
    C:\Windows\{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe
      C:\Windows\{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3192
    - - C:\Windows\{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe
        
        C:\Windows\{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe
        
        C:\Windows\{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe
        
        C:\Windows\{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe
        
        C:\Windows\{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe
        
        C:\Windows\{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe
        
        C:\Windows\{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}.exe
        
        C:\Windows\{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\{DB3B3CE5-7E77-42ba-9FF3-0DDF0F54B8A7}.exe
        
        C:\Windows\{DB3B3CE5-7E77-42ba-9FF3-0DDF0F54B8A7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\{60B2984E-436A-49f3-B956-5C8D60009B62}.exe
        
        C:\Windows\{60B2984E-436A-49f3-B956-5C8D60009B62}.exe
        13⤵
        Executes dropped EXE
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB3B3~1.EXE > nul
        13⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08EF5~1.EXE > nul
        12⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D244~1.EXE > nul
        11⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3B51~1.EXE > nul
        10⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D784~1.EXE > nul
        9⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{225B1~1.EXE > nul
        8⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E846~1.EXE > nul
        7⤵
        
        PID:524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B9DE~1.EXE > nul
        6⤵
        
        PID:3352
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C632F~1.EXE > nul
        5⤵
        
        PID:116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0972D~1.EXE > nul
      4⤵
      PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C1DDD~1.EXE > nul
    3⤵
    PID:3708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08EF52A6-825F-4a56-9FA1-B1B33B36F0DA}.exe

Filesize
204KB

MD5
a54393f90381f36334e338a04f046eb3

SHA1
c817dd96e00767e904d09f57b56b8d4e8c16c131

SHA256
52340ebf1bfb4e0129d41c1861d4a090425fdb68923fe1b8757d815da7cdf061

SHA512
cc7d80d4aa5648f41f0305848961b5942ab149d28816b27c228e6bfb94404165e9bc5b70cdaa80f8a60554625d7c58036acab49cb0dbcbb262a288bfa73fa395

Download Submit
C:\Windows\{0972D481-7DC2-40c3-AB0E-100D70E8A637}.exe

Filesize
204KB

MD5
80235525abe6edebc2d87b9c0edf9029

SHA1
ea3bdde51251fb4530cf479638da036e26c5d09a

SHA256
dc4bdff5a637b870313f1bd8ccc89beac689fd1450fe3e49bc4e45b347e93d41

SHA512
739993bd641d041f9c8a2018920337b93f1d4b5b8e63ed14f6e60eaae081bef8704fb984b9caeab321dbc299018d2c8d9f3e93f5a7be316f94d2db00b50769e1

Download Submit
C:\Windows\{225B1A34-56F0-4e75-8429-85BBA59ECAD3}.exe

Filesize
204KB

MD5
d36c0a268a29632434f0960974ffb760

SHA1
6f0b5b0efc25bae8f2b8de7b90ce1211edd2965e

SHA256
0683f71d3e8082392e5fb2cd939eb7fc59f9c5f8751adbdfdd3cdbf45e7b910f

SHA512
af87eae6db19169a6d036e84f66bf0f45fe4af12ecd16cdb697c27e66f4dc5455101025ca7e5b798a2806d7bf3f1ff2bcddf773c4fa9b3f802a490b03a86bd2e

Download Submit
C:\Windows\{3D24431E-0AC7-42f6-A894-B2487A32F6AE}.exe

Filesize
204KB

MD5
5a05078fbcd10a397a6f2f999b0764e5

SHA1
c26677a54d4ccac945dc3a0695cd3d84f8d35b65

SHA256
720fb2deb5ee3e380f450a6470f0ac6a566e4522c48045bfb5a93f9049cbcfcc

SHA512
16e0c38d7e922c6257cab923beafa93648c12f32db0ab6966aec098467966f9fca53b30663c5482de54cfd5d66c0b6cd49500f93e716fb6008359445e46e7529

Download Submit
C:\Windows\{4B9DEC0C-6794-4a21-88FF-D0A32C49FD89}.exe

Filesize
204KB

MD5
8f32b76e25d540683dd7c359b77ea963

SHA1
ba8670b0dfca40b0505b9d53034d29c1b10564d9

SHA256
a9f311431e375b3c183cd99169b4fe3ad90e90794f405393a2cca4d1ef282d46

SHA512
773a12707730811ae9518b8bc6452df341a7a51e3d31d7d3936f73781bf3272cad876310ed1ebe6c45897fe525618ed34f73e79cae494f9bbcc3bc1a6fca7977

Download Submit
C:\Windows\{60B2984E-436A-49f3-B956-5C8D60009B62}.exe

Filesize
204KB

MD5
8557f6a1f42bf1f56e2139261e75483a

SHA1
ccc3730345dfe797f77dd7d5aba476f6bb0b36dd

SHA256
8fc93f239199d41011b632a168570b1c5c97a61925698458f8a61b50201ac987

SHA512
60deb2ec12f9df1aacf2d78c42bff5426b5543d742bfce22376d224acb6493194a46c7eccd807f742b8e76954cafa333f6acbad7f19c2e2b325b65aa010eaa0f

Download Submit
C:\Windows\{9D7840F4-71BD-4eb1-8544-594BCF61973A}.exe

Filesize
204KB

MD5
bfdc6231ca3b5abb80b5ef912d711798

SHA1
911b363da30d0a66caa21b8a645411c605678998

SHA256
b49eb8b10fe0ef0bb9d38ac3a76c35fa64dde886e6a845ef191429eef3419614

SHA512
9d51a549a73b1571f715f7248a493c68d21016e6dbe0f697298328e049cc9012fc6edc88e8a829e2c9b07659fbb88509e41ef0707f6c8d8ad1b0f666d02094b2

Download Submit
C:\Windows\{9E846B28-1BAB-4bcb-8F44-47343F8B5A25}.exe

Filesize
204KB

MD5
b87b2a150a063c0645b3cda8b093c506

SHA1
8bbeb6c11041147d6b872c783b20fb1ce2526eee

SHA256
82c410d230565328373bfb700f32e0150e5936acda0304c050f2d0240a83a892

SHA512
418e2bc6264dfafd3026f427dcc082da298994089829b58c2ae590b5b8e0aabdb3ed2508faf306f8f37fa555b628d6e4f42667fc04052068405dd2a83538639d

Download Submit
C:\Windows\{C1DDDD6D-8918-490d-A190-6A46FD1EC7B5}.exe

Filesize
204KB

MD5
37c3fcab6c10a48de166e51163b7df1b

SHA1
3797cb09cb664984061fc763f289907ff36bf251

SHA256
ed6c343262caedba6496253fc4339075966e803452ade248aad540bd92484420

SHA512
37eaa5fc31768aac064b2b0f06a0526de69353d1b114c050dcf98fbfcd5d74ec76d2f3785bc7204e0f029505949ee26c5beeef2e76f01b0b12ac594e22931681

Download Submit
C:\Windows\{C632FD44-0156-4e50-A492-D4B8571C72A3}.exe

Filesize
204KB

MD5
dcbba0d95095e78876093a135d3b74e2

SHA1
cd88548d1341ee03ad1c5dbe0c216bd0de3ebda2

SHA256
469849fde84f05053e251e47ca6ff99f1de4399463d29726ad4b5cc4ee7bec9d

SHA512
79f4c8bd42765cea6df87f11db77be2f644997e2a8ea8dfff3aa7abc613305d57434d989b0db55eb364adae760a1a216ee1595970de1be65ff5dddf4adc1a65d

Download Submit
C:\Windows\{DB3B3CE5-7E77-42ba-9FF3-0DDF0F54B8A7}.exe

Filesize
204KB

MD5
334431c0c65547e8f8ac9c9b693e90d4

SHA1
6e49e5ea53c13afd5b53678ec7b096b01d8e03cf

SHA256
65b3cb6e7f737a11078e1ee0c59fa554e24be4247b76a529fae01517565e700a

SHA512
178cae9601165b8655ddcb3fed6d269006d9819ec7d6c512580842761af6a165725d842c2829387699fc77fef345fcf62af22e2a4b40c4e117a8a7c999a44b12

Download Submit
C:\Windows\{F3B51CB2-10CE-4e15-B753-9EBAC59D715C}.exe

Filesize
204KB

MD5
7921161de19f2edc82dfb563076d7a53

SHA1
235ed4b431772c01c23c082cc673b3733798e2e4

SHA256
d7aafd640c50b59a672a4782f9de399d8b5c9ca84007dd0cddfd37699d4ce585

SHA512
30dd989c0e7eb33814ed8478af8fbb1c71932cbadba77ad5def6810982bca542a1d9ae9656d6ba90366f42c022f35b6f7c75157c1cf7edf2a6325fc23ecc13f0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads