3b694036b578d458eb44b6b947ecaee72c16cb58c72c55548b94c992acb1f8df

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_7340473cb93c7d3e50d14541991ac612_goldeneye.exe
Size

408KB
MD5

7340473cb93c7d3e50d14541991ac612
SHA1

5560bb75aed08a1bd574df7807da65d9f12b240c
SHA256

3b694036b578d458eb44b6b947ecaee72c16cb58c72c55548b94c992acb1f8df
SHA512

ca0731c360e3d66e7d355f60318a370f63fcf33dc2b6d92aaf0548fc083182492d38408b758e3bbd1d42e54d05c7dea3df7746ae2113bf5583e6e16c6abcf871
SSDEEP

3072:CEGh0oel3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGAldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023391-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023422-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002342b-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023422-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002342b-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023422-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002342b-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023387-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002342b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023387-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023427-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023387-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}	{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}	{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59787396-A79C-4bb5-82D3-E51B01B3BF3E}\stubpath = "C:\\Windows\\{59787396-A79C-4bb5-82D3-E51B01B3BF3E}.exe"	{5F641204-729C-4c47-B847-104E19E7901B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21B156A3-2D87-435d-9679-C780D5EF45F5}	{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}\stubpath = "C:\\Windows\\{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe"	{81B6B454-6657-419d-9556-49E127732077}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}	{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F641204-729C-4c47-B847-104E19E7901B}\stubpath = "C:\\Windows\\{5F641204-729C-4c47-B847-104E19E7901B}.exe"	{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81B6B454-6657-419d-9556-49E127732077}\stubpath = "C:\\Windows\\{81B6B454-6657-419d-9556-49E127732077}.exe"	{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F641204-729C-4c47-B847-104E19E7901B}	{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59787396-A79C-4bb5-82D3-E51B01B3BF3E}	{5F641204-729C-4c47-B847-104E19E7901B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7DDBA64-9D72-474a-B3F4-DD1B6AE07BBB}	{59787396-A79C-4bb5-82D3-E51B01B3BF3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{029C2C54-A364-4003-A408-C9EA6B0313B6}\stubpath = "C:\\Windows\\{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe"	2024-04-17_7340473cb93c7d3e50d14541991ac612_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}	{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}\stubpath = "C:\\Windows\\{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe"	{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}\stubpath = "C:\\Windows\\{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe"	{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81B6B454-6657-419d-9556-49E127732077}	{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}	{81B6B454-6657-419d-9556-49E127732077}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}\stubpath = "C:\\Windows\\{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe"	{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}\stubpath = "C:\\Windows\\{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe"	{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{029C2C54-A364-4003-A408-C9EA6B0313B6}	2024-04-17_7340473cb93c7d3e50d14541991ac612_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}	{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}\stubpath = "C:\\Windows\\{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe"	{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21B156A3-2D87-435d-9679-C780D5EF45F5}\stubpath = "C:\\Windows\\{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe"	{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7DDBA64-9D72-474a-B3F4-DD1B6AE07BBB}\stubpath = "C:\\Windows\\{C7DDBA64-9D72-474a-B3F4-DD1B6AE07BBB}.exe"	{59787396-A79C-4bb5-82D3-E51B01B3BF3E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4568	{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe
1416	{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe
4996	{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe
4088	{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe
220	{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe
4296	{81B6B454-6657-419d-9556-49E127732077}.exe
4488	{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe
4728	{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe
4992	{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe
4700	{5F641204-729C-4c47-B847-104E19E7901B}.exe
232	{59787396-A79C-4bb5-82D3-E51B01B3BF3E}.exe
2292	{C7DDBA64-9D72-474a-B3F4-DD1B6AE07BBB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe	2024-04-17_7340473cb93c7d3e50d14541991ac612_goldeneye.exe
File created	C:\Windows\{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe	{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe
File created	C:\Windows\{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe	{81B6B454-6657-419d-9556-49E127732077}.exe
File created	C:\Windows\{59787396-A79C-4bb5-82D3-E51B01B3BF3E}.exe	{5F641204-729C-4c47-B847-104E19E7901B}.exe
File created	C:\Windows\{C7DDBA64-9D72-474a-B3F4-DD1B6AE07BBB}.exe	{59787396-A79C-4bb5-82D3-E51B01B3BF3E}.exe
File created	C:\Windows\{5F641204-729C-4c47-B847-104E19E7901B}.exe	{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe
File created	C:\Windows\{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe	{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe
File created	C:\Windows\{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe	{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe
File created	C:\Windows\{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe	{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe
File created	C:\Windows\{81B6B454-6657-419d-9556-49E127732077}.exe	{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe
File created	C:\Windows\{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe	{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe
File created	C:\Windows\{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe	{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2700	2024-04-17_7340473cb93c7d3e50d14541991ac612_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4568	{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe
Token: SeIncBasePriorityPrivilege	1416	{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe
Token: SeIncBasePriorityPrivilege	4996	{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe
Token: SeIncBasePriorityPrivilege	4088	{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe
Token: SeIncBasePriorityPrivilege	220	{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe
Token: SeIncBasePriorityPrivilege	4296	{81B6B454-6657-419d-9556-49E127732077}.exe
Token: SeIncBasePriorityPrivilege	4488	{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe
Token: SeIncBasePriorityPrivilege	4728	{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe
Token: SeIncBasePriorityPrivilege	4992	{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe
Token: SeIncBasePriorityPrivilege	4700	{5F641204-729C-4c47-B847-104E19E7901B}.exe
Token: SeIncBasePriorityPrivilege	232	{59787396-A79C-4bb5-82D3-E51B01B3BF3E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 4568	2700	2024-04-17_7340473cb93c7d3e50d14541991ac612_goldeneye.exe	92
PID 2700 wrote to memory of 4568	2700	2024-04-17_7340473cb93c7d3e50d14541991ac612_goldeneye.exe	92
PID 2700 wrote to memory of 4568	2700	2024-04-17_7340473cb93c7d3e50d14541991ac612_goldeneye.exe	92
PID 2700 wrote to memory of 1364	2700	2024-04-17_7340473cb93c7d3e50d14541991ac612_goldeneye.exe	93
PID 2700 wrote to memory of 1364	2700	2024-04-17_7340473cb93c7d3e50d14541991ac612_goldeneye.exe	93
PID 2700 wrote to memory of 1364	2700	2024-04-17_7340473cb93c7d3e50d14541991ac612_goldeneye.exe	93
PID 4568 wrote to memory of 1416	4568	{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe	94
PID 4568 wrote to memory of 1416	4568	{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe	94
PID 4568 wrote to memory of 1416	4568	{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe	94
PID 4568 wrote to memory of 528	4568	{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe	95
PID 4568 wrote to memory of 528	4568	{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe	95
PID 4568 wrote to memory of 528	4568	{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe	95
PID 1416 wrote to memory of 4996	1416	{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe	99
PID 1416 wrote to memory of 4996	1416	{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe	99
PID 1416 wrote to memory of 4996	1416	{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe	99
PID 1416 wrote to memory of 4392	1416	{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe	100
PID 1416 wrote to memory of 4392	1416	{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe	100
PID 1416 wrote to memory of 4392	1416	{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe	100
PID 4996 wrote to memory of 4088	4996	{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe	101
PID 4996 wrote to memory of 4088	4996	{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe	101
PID 4996 wrote to memory of 4088	4996	{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe	101
PID 4996 wrote to memory of 4932	4996	{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe	102
PID 4996 wrote to memory of 4932	4996	{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe	102
PID 4996 wrote to memory of 4932	4996	{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe	102
PID 4088 wrote to memory of 220	4088	{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe	103
PID 4088 wrote to memory of 220	4088	{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe	103
PID 4088 wrote to memory of 220	4088	{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe	103
PID 4088 wrote to memory of 4340	4088	{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe	104
PID 4088 wrote to memory of 4340	4088	{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe	104
PID 4088 wrote to memory of 4340	4088	{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe	104
PID 220 wrote to memory of 4296	220	{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe	105
PID 220 wrote to memory of 4296	220	{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe	105
PID 220 wrote to memory of 4296	220	{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe	105
PID 220 wrote to memory of 3068	220	{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe	106
PID 220 wrote to memory of 3068	220	{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe	106
PID 220 wrote to memory of 3068	220	{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe	106
PID 4296 wrote to memory of 4488	4296	{81B6B454-6657-419d-9556-49E127732077}.exe	107
PID 4296 wrote to memory of 4488	4296	{81B6B454-6657-419d-9556-49E127732077}.exe	107
PID 4296 wrote to memory of 4488	4296	{81B6B454-6657-419d-9556-49E127732077}.exe	107
PID 4296 wrote to memory of 764	4296	{81B6B454-6657-419d-9556-49E127732077}.exe	108
PID 4296 wrote to memory of 764	4296	{81B6B454-6657-419d-9556-49E127732077}.exe	108
PID 4296 wrote to memory of 764	4296	{81B6B454-6657-419d-9556-49E127732077}.exe	108
PID 4488 wrote to memory of 4728	4488	{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe	110
PID 4488 wrote to memory of 4728	4488	{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe	110
PID 4488 wrote to memory of 4728	4488	{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe	110
PID 4488 wrote to memory of 644	4488	{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe	111
PID 4488 wrote to memory of 644	4488	{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe	111
PID 4488 wrote to memory of 644	4488	{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe	111
PID 4728 wrote to memory of 4992	4728	{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe	112
PID 4728 wrote to memory of 4992	4728	{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe	112
PID 4728 wrote to memory of 4992	4728	{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe	112
PID 4728 wrote to memory of 4500	4728	{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe	113
PID 4728 wrote to memory of 4500	4728	{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe	113
PID 4728 wrote to memory of 4500	4728	{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe	113
PID 4992 wrote to memory of 4700	4992	{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe	114
PID 4992 wrote to memory of 4700	4992	{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe	114
PID 4992 wrote to memory of 4700	4992	{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe	114
PID 4992 wrote to memory of 3648	4992	{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe	115
PID 4992 wrote to memory of 3648	4992	{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe	115
PID 4992 wrote to memory of 3648	4992	{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe	115
PID 4700 wrote to memory of 232	4700	{5F641204-729C-4c47-B847-104E19E7901B}.exe	116
PID 4700 wrote to memory of 232	4700	{5F641204-729C-4c47-B847-104E19E7901B}.exe	116
PID 4700 wrote to memory of 232	4700	{5F641204-729C-4c47-B847-104E19E7901B}.exe	116
PID 4700 wrote to memory of 4080	4700	{5F641204-729C-4c47-B847-104E19E7901B}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-17_7340473cb93c7d3e50d14541991ac612_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_7340473cb93c7d3e50d14541991ac612_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe
  C:\Windows\{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe
    C:\Windows\{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe
      C:\Windows\{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Windows\{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe
        
        C:\Windows\{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Windows\{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe
        
        C:\Windows\{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\{81B6B454-6657-419d-9556-49E127732077}.exe
        
        C:\Windows\{81B6B454-6657-419d-9556-49E127732077}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe
        
        C:\Windows\{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe
        
        C:\Windows\{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe
        
        C:\Windows\{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{5F641204-729C-4c47-B847-104E19E7901B}.exe
        
        C:\Windows\{5F641204-729C-4c47-B847-104E19E7901B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\{59787396-A79C-4bb5-82D3-E51B01B3BF3E}.exe
        
        C:\Windows\{59787396-A79C-4bb5-82D3-E51B01B3BF3E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:232
        
        C:\Windows\{C7DDBA64-9D72-474a-B3F4-DD1B6AE07BBB}.exe
        
        C:\Windows\{C7DDBA64-9D72-474a-B3F4-DD1B6AE07BBB}.exe
        13⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59787~1.EXE > nul
        13⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F641~1.EXE > nul
        12⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB46F~1.EXE > nul
        11⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4913A~1.EXE > nul
        10⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B19B5~1.EXE > nul
        9⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81B6B~1.EXE > nul
        8⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6C4F~1.EXE > nul
        7⤵
        
        PID:3068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21B15~1.EXE > nul
        6⤵
        
        PID:4340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B848~1.EXE > nul
        5⤵
        
        PID:4932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6E3F4~1.EXE > nul
      4⤵
      PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{029C2~1.EXE > nul
    3⤵
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{029C2C54-A364-4003-A408-C9EA6B0313B6}.exe

Filesize
408KB

MD5
51681388d8fa57645c044dbc07a81bd2

SHA1
455724ad1a14064ba4f3f3eceba0e913bcffef31

SHA256
6711c3563c5e9246782d3ff472eb2750b0555a8ad4e855a92b47defd4e9d29eb

SHA512
905e03969564bd29b96feb35364915c23c4123eae02077aaea7a0fa65e64a6f5c755c7d953ef17c8396d91f08b5f2d47c6f60464231be8ee3c8054d8cac44ad8

Download Submit
C:\Windows\{1B8489F6-216C-4fa5-8024-3DFD97AAB48C}.exe

Filesize
408KB

MD5
988a44ccd4e950c16b33fc8d1914eaad

SHA1
cdcc8eaacbedb2c7e68d8b977aadc01052cdd731

SHA256
258b35b79071cc395d32ab1c93570a0597d3bc1ede20cf4bba4e67c9f35b1c76

SHA512
557dbc8aee61323f137020105e8b6f7fa5c3ee9ca457ca294fbc5c78c8bd68c127fe0dc5b7197161c30f815228a0f9450d56d6bcecf8446271a460731351b8e3

Download Submit
C:\Windows\{21B156A3-2D87-435d-9679-C780D5EF45F5}.exe

Filesize
408KB

MD5
28ab58315842c517bd0c821c3eefc7e5

SHA1
a3c90b44fd05c5e14264bb4c4a6a4e42c705d86b

SHA256
4e32197eeeebed27f7767037cb9f90f9aa1132fb11a2e91547a6446d4be993ad

SHA512
996aae021daaaf1bdb7ed53aaffa96aa2581d82d33dfb8cab36d65280afb6dd8ce90506e1b03d01299c949d59110f4e95457b922f520ac1a08137e2546d5cf97

Download Submit
C:\Windows\{4913AF99-C5E0-4d7c-BC9E-B0F529643FEB}.exe

Filesize
408KB

MD5
957d950d31f894901dfe1b29de7df345

SHA1
e199896daf8c40a3b7280ae73b66c780205d5b82

SHA256
dadc84f6e587605e60edfc8548f1f5e0b17e0e5ba1ec202db896bf13238a2367

SHA512
3bd853f1f9b6f9ebe6d5fc81b6ec9c2a81bc299d6d9ebf9e8e4fdd8d10cb4f4825e96af7b390c9ded5bfc399a18e2a024711af26b7a4a401c7b6a1aaa8645fa5

Download Submit
C:\Windows\{59787396-A79C-4bb5-82D3-E51B01B3BF3E}.exe

Filesize
408KB

MD5
9e71d62e272d47319919c963b10f8947

SHA1
e3d46e418f095b3a2ffda01ee2684381f419f37f

SHA256
1e9aeae9dc63e685f029e0b16d317d8590405612603048bb5f32dcd905374ac0

SHA512
1f245c15d861aabf13e186ef291b58d896c897213ce56db92e9e0cedf70842b1cc665432cf8d7ec478be08b47e8997d39638e5e6c7e8bb8950f5f8bacf894233

Download Submit
C:\Windows\{5F641204-729C-4c47-B847-104E19E7901B}.exe

Filesize
408KB

MD5
30ff47101b6d90d80f15e2717583f9a7

SHA1
8c9a515df92e85a7a5e03c64a340298ec37d485f

SHA256
f8ed348a5188abfb4b6869caf8c3913aa75523ef9d4ed6145500dca5b2e3bc23

SHA512
356268f52ca11aeeaa6b9df381e207cd639fc3183e6f4f8104a869ca04f4964ba4efd8243875d35c372ee0f38073561c2c51163084af5056ee03582f0957412d

Download Submit
C:\Windows\{6E3F4774-0D8C-4a0e-A7BA-8CFEEFC2E1B1}.exe

Filesize
408KB

MD5
e0ca171b813b72379413397463cc26b8

SHA1
26bf66719bf6991d9afbbcb544d0ba9a72caaeca

SHA256
3a6fc305f5c3194043beae9a273c5bd3289ca84645c864e62af2bfd7ba54b381

SHA512
3c62dce71f90e3823e46a2fde77d328f1609284817c7b7cb1c1862459d74eb592c9b199bb02a41732ab8e2509e9ed1f4aa556059f728f1031addb3b4c5770722

Download Submit
C:\Windows\{81B6B454-6657-419d-9556-49E127732077}.exe

Filesize
408KB

MD5
cb458b477be1689f9931fff3c6f4b1c2

SHA1
fc8bddce23569aa82bf1e1628d747cb5922f1b0d

SHA256
f8a4717d073f638dc482265c2f8686ec5ca390af0621f820b5bb5a7b5b5c1cfa

SHA512
d8a590ceb37522c12bda31f89b796d4df5105662416999c9b9e8c730ee8dd3508f88fef867e2c5967ad77517b9b955fc4263e7304046d76df9e01f401aa14d8b

Download Submit
C:\Windows\{B19B5A57-65BC-4c5d-9EFA-FF9C5FC16B01}.exe

Filesize
408KB

MD5
95de32c6b0ff437f6401f2b3f6e0c0d7

SHA1
045c20b5b9318d462b4fff1127f783d119071a16

SHA256
39e4e087bb5de54952d700b331a30411ad7f9d54d8bc42caa68c563ce869abe6

SHA512
b548ff89c579dad0b1c9e2edc7ca1bb4e26ba0df4f71b388c8705f9768bce03a1d552733bb44e5079eab41f1b1072569f065c164cad8bb21b9c784710ccc6a90

Download Submit
C:\Windows\{BB46F2A6-F0C8-48f1-BCEC-32C52A4E24F6}.exe

Filesize
408KB

MD5
8ed525b29d7ebf897295a05f31685acb

SHA1
4e2fd255d16fde38f3ffba4b59c7f6141aafc885

SHA256
23bf5392d028a0345cf6fd5b1c109dbf5aa5d35018df271e12ec486eef29cf6e

SHA512
6efe081b4307376722e7fef59257a5a64a35e3317932f584b8c1c857f0e0cae4f5697d8cd805de129d2e51c03af7bc199a42fea0b0c67535c0e103b04d341b39

Download Submit
C:\Windows\{C7DDBA64-9D72-474a-B3F4-DD1B6AE07BBB}.exe

Filesize
408KB

MD5
cf9c8b464e22433f6001bf15354aa5f1

SHA1
a8831e4cfea19e4f7e632b3a9ad3b9f94b87d7ba

SHA256
84e262924f8a8525f8116c30ade9f564da073796b8c5e71561c9a1bc1dd06031

SHA512
a79bf808651dac859677a467bbe2a891cdd9ce86d47ec93d2bf0f8891a17b57caaa709457cb0be087ba69b588e480d445c32450a7725f7c4c5fada937be05b64

Download Submit
C:\Windows\{D6C4FE39-CBF3-4d4b-B5F5-990B97AE3D70}.exe

Filesize
408KB

MD5
dadc038bad3632d2dce337f69d073b74

SHA1
91fbdee177f7b17391392c8c36e0da9dac70464d

SHA256
5dcc4c30929ba0fcf188595caefb22ffcaf70d2952044860743219b6a067ccc9

SHA512
6113d1e5586611aba6c53bf08b00d6906b74d6496a92ea60617805eb4a85f14688f9742c636517942c6ae46076ebfc761289032a8f79ef36a2aec5e34fe2c9be

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads