e1fd56e2825528027be02822f8ebd9dc74065ed1481dbf3e8c3b83752f335dc7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_022425b51b363f0c438c21a16d6ba13e_goldeneye.exe
Size

168KB
MD5

022425b51b363f0c438c21a16d6ba13e
SHA1

902caa059c4f890b2281257fe1c71bc9806ec3b9
SHA256

e1fd56e2825528027be02822f8ebd9dc74065ed1481dbf3e8c3b83752f335dc7
SHA512

545e6ccf147a4919d3ca33bfaa9083e4ac0489a5d387c4d759d5c9cf32c0721c79721676ebdaf0ef1e3cd458468bf4ae363a4aa18eeb4adcd35c1429335e1219
SSDEEP

1536:1EGh0oklq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oklqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002338f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023391-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023420-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e752-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023420-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e752-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023420-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e752-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023420-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e752-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002341d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023423-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}	{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7A564D0-3E61-4199-B27E-C50F458F5297}	{525D5631-E1B1-4245-B3CB-833576DC72FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E50CA60-A643-429b-ADE5-7335A7C7811F}\stubpath = "C:\\Windows\\{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe"	{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}	{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}	{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEDBFD41-2C29-49dc-890F-759944D6B6FE}	{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BDBCAE3-BE8A-4752-B58E-01929F489B23}\stubpath = "C:\\Windows\\{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe"	{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}	{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}\stubpath = "C:\\Windows\\{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe"	2024-04-18_022425b51b363f0c438c21a16d6ba13e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE60A15D-8680-45f4-9BE7-27788233DE8A}\stubpath = "C:\\Windows\\{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe"	{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86CCF748-8681-4d19-8719-A1E0421DB4D4}	{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}\stubpath = "C:\\Windows\\{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}.exe"	{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{525D5631-E1B1-4245-B3CB-833576DC72FF}	{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E50CA60-A643-429b-ADE5-7335A7C7811F}	{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}\stubpath = "C:\\Windows\\{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe"	{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEDBFD41-2C29-49dc-890F-759944D6B6FE}\stubpath = "C:\\Windows\\{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe"	{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86CCF748-8681-4d19-8719-A1E0421DB4D4}\stubpath = "C:\\Windows\\{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe"	{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7A564D0-3E61-4199-B27E-C50F458F5297}\stubpath = "C:\\Windows\\{D7A564D0-3E61-4199-B27E-C50F458F5297}.exe"	{525D5631-E1B1-4245-B3CB-833576DC72FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}	2024-04-18_022425b51b363f0c438c21a16d6ba13e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE60A15D-8680-45f4-9BE7-27788233DE8A}	{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}\stubpath = "C:\\Windows\\{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe"	{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BDBCAE3-BE8A-4752-B58E-01929F489B23}	{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}\stubpath = "C:\\Windows\\{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe"	{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{525D5631-E1B1-4245-B3CB-833576DC72FF}\stubpath = "C:\\Windows\\{525D5631-E1B1-4245-B3CB-833576DC72FF}.exe"	{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}.exe

Executes dropped EXE 12 IoCs

pid	Process
700	{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe
1688	{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe
2856	{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe
628	{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe
3484	{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe
2516	{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe
3512	{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe
4732	{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe
4560	{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe
2764	{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}.exe
4684	{525D5631-E1B1-4245-B3CB-833576DC72FF}.exe
3832	{D7A564D0-3E61-4199-B27E-C50F458F5297}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe	{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe
File created	C:\Windows\{525D5631-E1B1-4245-B3CB-833576DC72FF}.exe	{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}.exe
File created	C:\Windows\{D7A564D0-3E61-4199-B27E-C50F458F5297}.exe	{525D5631-E1B1-4245-B3CB-833576DC72FF}.exe
File created	C:\Windows\{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe	2024-04-18_022425b51b363f0c438c21a16d6ba13e_goldeneye.exe
File created	C:\Windows\{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe	{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe
File created	C:\Windows\{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe	{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe
File created	C:\Windows\{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe	{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe
File created	C:\Windows\{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe	{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe
File created	C:\Windows\{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe	{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe
File created	C:\Windows\{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe	{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe
File created	C:\Windows\{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe	{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe
File created	C:\Windows\{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}.exe	{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3040	2024-04-18_022425b51b363f0c438c21a16d6ba13e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	700	{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe
Token: SeIncBasePriorityPrivilege	1688	{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe
Token: SeIncBasePriorityPrivilege	2856	{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe
Token: SeIncBasePriorityPrivilege	628	{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe
Token: SeIncBasePriorityPrivilege	3484	{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe
Token: SeIncBasePriorityPrivilege	2516	{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe
Token: SeIncBasePriorityPrivilege	3512	{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe
Token: SeIncBasePriorityPrivilege	4732	{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe
Token: SeIncBasePriorityPrivilege	4560	{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe
Token: SeIncBasePriorityPrivilege	2764	{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}.exe
Token: SeIncBasePriorityPrivilege	4684	{525D5631-E1B1-4245-B3CB-833576DC72FF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 700	3040	2024-04-18_022425b51b363f0c438c21a16d6ba13e_goldeneye.exe	92
PID 3040 wrote to memory of 700	3040	2024-04-18_022425b51b363f0c438c21a16d6ba13e_goldeneye.exe	92
PID 3040 wrote to memory of 700	3040	2024-04-18_022425b51b363f0c438c21a16d6ba13e_goldeneye.exe	92
PID 3040 wrote to memory of 4964	3040	2024-04-18_022425b51b363f0c438c21a16d6ba13e_goldeneye.exe	93
PID 3040 wrote to memory of 4964	3040	2024-04-18_022425b51b363f0c438c21a16d6ba13e_goldeneye.exe	93
PID 3040 wrote to memory of 4964	3040	2024-04-18_022425b51b363f0c438c21a16d6ba13e_goldeneye.exe	93
PID 700 wrote to memory of 1688	700	{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe	94
PID 700 wrote to memory of 1688	700	{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe	94
PID 700 wrote to memory of 1688	700	{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe	94
PID 700 wrote to memory of 4144	700	{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe	95
PID 700 wrote to memory of 4144	700	{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe	95
PID 700 wrote to memory of 4144	700	{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe	95
PID 1688 wrote to memory of 2856	1688	{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe	98
PID 1688 wrote to memory of 2856	1688	{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe	98
PID 1688 wrote to memory of 2856	1688	{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe	98
PID 1688 wrote to memory of 3168	1688	{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe	99
PID 1688 wrote to memory of 3168	1688	{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe	99
PID 1688 wrote to memory of 3168	1688	{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe	99
PID 2856 wrote to memory of 628	2856	{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe	101
PID 2856 wrote to memory of 628	2856	{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe	101
PID 2856 wrote to memory of 628	2856	{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe	101
PID 2856 wrote to memory of 4104	2856	{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe	102
PID 2856 wrote to memory of 4104	2856	{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe	102
PID 2856 wrote to memory of 4104	2856	{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe	102
PID 628 wrote to memory of 3484	628	{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe	103
PID 628 wrote to memory of 3484	628	{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe	103
PID 628 wrote to memory of 3484	628	{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe	103
PID 628 wrote to memory of 2804	628	{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe	104
PID 628 wrote to memory of 2804	628	{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe	104
PID 628 wrote to memory of 2804	628	{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe	104
PID 3484 wrote to memory of 2516	3484	{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe	105
PID 3484 wrote to memory of 2516	3484	{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe	105
PID 3484 wrote to memory of 2516	3484	{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe	105
PID 3484 wrote to memory of 1316	3484	{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe	106
PID 3484 wrote to memory of 1316	3484	{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe	106
PID 3484 wrote to memory of 1316	3484	{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe	106
PID 2516 wrote to memory of 3512	2516	{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe	107
PID 2516 wrote to memory of 3512	2516	{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe	107
PID 2516 wrote to memory of 3512	2516	{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe	107
PID 2516 wrote to memory of 1108	2516	{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe	108
PID 2516 wrote to memory of 1108	2516	{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe	108
PID 2516 wrote to memory of 1108	2516	{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe	108
PID 3512 wrote to memory of 4732	3512	{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe	109
PID 3512 wrote to memory of 4732	3512	{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe	109
PID 3512 wrote to memory of 4732	3512	{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe	109
PID 3512 wrote to memory of 3388	3512	{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe	110
PID 3512 wrote to memory of 3388	3512	{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe	110
PID 3512 wrote to memory of 3388	3512	{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe	110
PID 4732 wrote to memory of 4560	4732	{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe	111
PID 4732 wrote to memory of 4560	4732	{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe	111
PID 4732 wrote to memory of 4560	4732	{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe	111
PID 4732 wrote to memory of 4472	4732	{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe	112
PID 4732 wrote to memory of 4472	4732	{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe	112
PID 4732 wrote to memory of 4472	4732	{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe	112
PID 4560 wrote to memory of 2764	4560	{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe	113
PID 4560 wrote to memory of 2764	4560	{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe	113
PID 4560 wrote to memory of 2764	4560	{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe	113
PID 4560 wrote to memory of 2620	4560	{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe	114
PID 4560 wrote to memory of 2620	4560	{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe	114
PID 4560 wrote to memory of 2620	4560	{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe	114
PID 2764 wrote to memory of 4684	2764	{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}.exe	115
PID 2764 wrote to memory of 4684	2764	{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}.exe	115
PID 2764 wrote to memory of 4684	2764	{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}.exe	115
PID 2764 wrote to memory of 4600	2764	{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-04-18_022425b51b363f0c438c21a16d6ba13e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_022425b51b363f0c438c21a16d6ba13e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe
  C:\Windows\{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe
    C:\Windows\{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe
      C:\Windows\{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe
        
        C:\Windows\{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
      - C:\Windows\{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe
        
        C:\Windows\{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe
        
        C:\Windows\{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe
        
        C:\Windows\{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe
        
        C:\Windows\{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe
        
        C:\Windows\{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}.exe
        
        C:\Windows\{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{525D5631-E1B1-4245-B3CB-833576DC72FF}.exe
        
        C:\Windows\{525D5631-E1B1-4245-B3CB-833576DC72FF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
        
        C:\Windows\{D7A564D0-3E61-4199-B27E-C50F458F5297}.exe
        
        C:\Windows\{D7A564D0-3E61-4199-B27E-C50F458F5297}.exe
        13⤵
        Executes dropped EXE
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{525D5~1.EXE > nul
        13⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57D15~1.EXE > nul
        12⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E435~1.EXE > nul
        11⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86CCF~1.EXE > nul
        10⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BDBC~1.EXE > nul
        9⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEDBF~1.EXE > nul
        8⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A523~1.EXE > nul
        7⤵
        
        PID:1316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89EBD~1.EXE > nul
        6⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E50C~1.EXE > nul
        5⤵
        
        PID:4104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CE60A~1.EXE > nul
      4⤵
      PID:3168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6DA12~1.EXE > nul
    3⤵
    PID:4144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BDBCAE3-BE8A-4752-B58E-01929F489B23}.exe

Filesize
168KB

MD5
3ca9007a8a6b27e5c7ea314c4145d695

SHA1
dc698033c20e4217481f0b7e6463a73ed83dc765

SHA256
df140175ebcfd66bcb30288cf8927ca272cfb81902648f3756ca2a897a119b38

SHA512
0baf5569f88df02d1a22c410271143ad915791faf2a47ea6e869a01d4d46b3bcf9bc1e42194f5fb8e728a11f655939a661d8ecdd8cf8011c7afa6cb52adb2b89

Download Submit
C:\Windows\{2E435F8A-4FFB-49f4-9405-DCB972CCD6E2}.exe

Filesize
168KB

MD5
bdaf5909fe53dba26003a18d9c6c0b41

SHA1
b177bc7958aaa1eaa004e67a3976bf571331aec8

SHA256
ebf5d7f68dcf23fb2046cde01be2536941228ae57666a2de2ef4be13da4ee12c

SHA512
593a8bc04d2b9eb3cfcd734d2e2d7dceee6f3e0c429402379c8d9e5a6d2fcd6df18f6b35174e7a1e7266aae4391d3833464d5b9c30e8e6ddd494381f9cc60464

Download Submit
C:\Windows\{525D5631-E1B1-4245-B3CB-833576DC72FF}.exe

Filesize
168KB

MD5
b1a3d22bab68e12b2457f1800ab4cf6d

SHA1
76c7e42acbd133a5edab3f2981e3930633624314

SHA256
8b8d27360dbd8af097d452eb1031bd332960377bb68fc917cf1211ab304fb164

SHA512
e1f2ba9e0b811eea3d8e7ba8a71225254afa71d738541237d44c472748bb43abf1c32c339a78d2528d15f309006e2dbe8826a02fbac569074eab7af775eb18a7

Download Submit
C:\Windows\{57D15117-4BD8-4b0f-9D34-5ED648D2B3FA}.exe

Filesize
168KB

MD5
fb58e97c854e16a8c9c6c77c3b5c6ce0

SHA1
18bc78c035fb098fcb9064df4942e172be0ed95c

SHA256
7fe2b1e0986d6af96a646e923bc441f784680c0c8d815889d541965391b02861

SHA512
5214093352ad81935e1821560769cd3cdf02156f463708d2457f3ca36735d2915d1876385f5b7627e8a1d63f65def2a751f19238cbcac347dc1b75c39e469235

Download Submit
C:\Windows\{6DA12B03-12E0-46ff-87AD-43B8A28FAD07}.exe

Filesize
168KB

MD5
e51b821756c4cae28eb0014a81e4ccd0

SHA1
50964c5b9f4d6ee31a91a9a3026847d8f2da75ea

SHA256
3db74b4cf1f5c2342a6b725a00951870765c999ed911f33f8aaf2ed0407c95e0

SHA512
2d5fad24f83096b16b868a02ecb51c777c05ee556a7df30730f53a1b9227cff48eed1cdaa5c026785e937b1c60c471998a24cdbc81c2a431c8927f6713ff5b3c

Download Submit
C:\Windows\{7A523AAC-EFDD-4dda-8CC9-7CC4F51AED11}.exe

Filesize
168KB

MD5
406e5db6b5d18c6e3e4a7f2aadd7ddfa

SHA1
eef7d83521053ec9639650149d7909954c6c7235

SHA256
abc42ead6f9841a81967eb2588c7c062f625e517a417725bdf2beb027b842787

SHA512
5bedfce5ca1db681984e14467e005aabea60b6f2aa757d186e8a972f3285f150d5a3470ed8d2ac586a8f59a4bb1b0d478d119473020b5646ccd28b6f3f7e057a

Download Submit
C:\Windows\{7E50CA60-A643-429b-ADE5-7335A7C7811F}.exe

Filesize
168KB

MD5
dd2a8edcfca06a2b00c99047daa8fad0

SHA1
5ced1ad348d5628602f32f341fc71bb7c1fa664e

SHA256
fb147f552b6edc5dcd97d324af537f0681790f7255ee35247042166df46e06b6

SHA512
c8d917b5e3c9b109d220a0b14c87b7f274113b7d9e252d58f5f3d1cb4d3167489520ae67ba7f123d45c73f8b3ba5d58a34ae5f372aa6e8fba71af292f518c292

Download Submit
C:\Windows\{86CCF748-8681-4d19-8719-A1E0421DB4D4}.exe

Filesize
168KB

MD5
04be53cbf6653c8f5d47526c80a83124

SHA1
ded04067d89f364e5df9e254446a4594c0d8ce68

SHA256
69325810b5441e2dd1b17b459fa2a55f19ba3d5b8c6e250d474a0a64481c79ca

SHA512
46b4da7bfad84fdf89a9ce6e52322302cc00b50587a99b643ae36bf32f5d6e5cc8f5374221b472067a3eb59866b72b6374c673d175b9c08fabc1f3dc5aa1af24

Download Submit
C:\Windows\{89EBD927-4B4F-4c8a-BEB0-3DCD20547AB3}.exe

Filesize
168KB

MD5
9d153c7f435817fd1134931b0cd3dd9e

SHA1
b053dadb614db5dea30e032f89b4c7a7292d8b17

SHA256
ec7ae3016763ede38bd2eb530fdc711909fc347e64288ae7568ce37986371ea1

SHA512
6cc30dc354a569fa1b7b11179eea58d556d13685ea0395c9047fb79f1d61fd8c54e86ec5d5b68bffc9bceb9bf033faa8e044da428399b36a7c1d0da7e35eb08e

Download Submit
C:\Windows\{BEDBFD41-2C29-49dc-890F-759944D6B6FE}.exe

Filesize
168KB

MD5
0ab3f69ef7d845d233337593aa6ed465

SHA1
3f8c4bc263750ded3d857da45e8022f6b57f35fc

SHA256
2d74bc9814995102e127614a401c61dbb62b929c76de39dff40c93ee6177ea46

SHA512
cdd54bca3a89522286f29fecc7538ee99f4b6b835fa6ac891bb0d51485f8e0b4a438f41d3bab5b21f63a14a20c416bde6439c3b3a2b3e5930d1c3d68470d18c1

Download Submit
C:\Windows\{CE60A15D-8680-45f4-9BE7-27788233DE8A}.exe

Filesize
168KB

MD5
a750f5ae3973c2cc5485a7d5c90609cd

SHA1
804a74d111c7d22ffce6046826b3f16abf30c3d9

SHA256
c5cd3c4f66bda3e34d7e5366afd591a010bae7fe9fff744d9cc4bdb3c68acaae

SHA512
56fab3df30343b5cf540a4b051c152aa33493a156b1ebb469bad6cd8ba100759b0cf7c37c842dfabd1c93ac15ef91645f25e5ceefc5315887515dd9721978cfb

Download Submit
C:\Windows\{D7A564D0-3E61-4199-B27E-C50F458F5297}.exe

Filesize
168KB

MD5
f8969ea3a6a4bc6fbbed1d77cc457846

SHA1
58a340e669803fdd9c484816abcb951dacdbb8e1

SHA256
fd7d83c554ca0e99434ce87118b9bde8f2e90b7710066d6ebaf420e42ac78f3e

SHA512
01a4601e033e7c81a19f58a74d79b32272b07579d0549da4c1efa85fdf611aeda30e9e6f75453ae46e7baf5778447499eb10a9fc39251d72ec41fcd76af59b17

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads