956a7a4acd43f7e390107bd102077f8238a0c85cd9472194fd4abf40142c9deb

Analysis

max time kernel
149s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe
Size

372KB
MD5

4112befc0c0de62d228b31ada1e9f351
SHA1

a36333c468ea42fbfad7d97c67d88c2ad6b633ad
SHA256

956a7a4acd43f7e390107bd102077f8238a0c85cd9472194fd4abf40142c9deb
SHA512

9936aa44518a1dbc2dbc300a1c4159bff893b248f3fc9fdd650dc6f26da135cb79518a72e4c615e7479dbbbfc2ff3d8e07320ab81db54dc4cd1c2993cea62f5d
SSDEEP

3072:CEGh0o9lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGjlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022f9e-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023402-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023410-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023402-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023410-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023402-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023410-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023402-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023410-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023402-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023402-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1ACB06E1-A752-4c45-B6ED-0C0A1EB7FF36}	{2A0CE600-8AC1-49d1-93EE-3F40007AE4D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1ACB06E1-A752-4c45-B6ED-0C0A1EB7FF36}\stubpath = "C:\\Windows\\{1ACB06E1-A752-4c45-B6ED-0C0A1EB7FF36}.exe"	{2A0CE600-8AC1-49d1-93EE-3F40007AE4D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41EB017F-E399-4d1e-8637-3672F0D87E81}\stubpath = "C:\\Windows\\{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe"	{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}\stubpath = "C:\\Windows\\{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe"	{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}\stubpath = "C:\\Windows\\{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe"	{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{340D1A27-62C2-42cd-8415-D3FFC0019D58}\stubpath = "C:\\Windows\\{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe"	{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{528A57F1-DF57-494a-AD82-FFA94124E569}	{2819B25C-8E08-4549-BD68-8E487571E621}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{528A57F1-DF57-494a-AD82-FFA94124E569}\stubpath = "C:\\Windows\\{528A57F1-DF57-494a-AD82-FFA94124E569}.exe"	{2819B25C-8E08-4549-BD68-8E487571E621}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}\stubpath = "C:\\Windows\\{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe"	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02F97D4D-8A5A-4ceb-8744-8B793A60619C}	{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02F97D4D-8A5A-4ceb-8744-8B793A60619C}\stubpath = "C:\\Windows\\{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe"	{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41EB017F-E399-4d1e-8637-3672F0D87E81}	{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}	{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}	{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2819B25C-8E08-4549-BD68-8E487571E621}	{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2819B25C-8E08-4549-BD68-8E487571E621}\stubpath = "C:\\Windows\\{2819B25C-8E08-4549-BD68-8E487571E621}.exe"	{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6656F040-9AE4-4031-AF85-3BB61E03C082}	{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6656F040-9AE4-4031-AF85-3BB61E03C082}\stubpath = "C:\\Windows\\{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe"	{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4959EEA7-F5DB-4020-BF6C-8904F14F8009}	{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4959EEA7-F5DB-4020-BF6C-8904F14F8009}\stubpath = "C:\\Windows\\{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe"	{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A0CE600-8AC1-49d1-93EE-3F40007AE4D3}	{528A57F1-DF57-494a-AD82-FFA94124E569}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{340D1A27-62C2-42cd-8415-D3FFC0019D58}	{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A0CE600-8AC1-49d1-93EE-3F40007AE4D3}\stubpath = "C:\\Windows\\{2A0CE600-8AC1-49d1-93EE-3F40007AE4D3}.exe"	{528A57F1-DF57-494a-AD82-FFA94124E569}.exe

Executes dropped EXE 12 IoCs

pid	Process
4816	{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe
3532	{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe
3504	{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe
2964	{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe
3540	{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe
3788	{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe
4392	{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe
4744	{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe
1628	{2819B25C-8E08-4549-BD68-8E487571E621}.exe
1868	{528A57F1-DF57-494a-AD82-FFA94124E569}.exe
2128	{2A0CE600-8AC1-49d1-93EE-3F40007AE4D3}.exe
4804	{1ACB06E1-A752-4c45-B6ED-0C0A1EB7FF36}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe	{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe
File created	C:\Windows\{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe	{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe
File created	C:\Windows\{528A57F1-DF57-494a-AD82-FFA94124E569}.exe	{2819B25C-8E08-4549-BD68-8E487571E621}.exe
File created	C:\Windows\{2A0CE600-8AC1-49d1-93EE-3F40007AE4D3}.exe	{528A57F1-DF57-494a-AD82-FFA94124E569}.exe
File created	C:\Windows\{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe	{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe
File created	C:\Windows\{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe	{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe
File created	C:\Windows\{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe	{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe
File created	C:\Windows\{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe	{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe
File created	C:\Windows\{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe	{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe
File created	C:\Windows\{2819B25C-8E08-4549-BD68-8E487571E621}.exe	{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe
File created	C:\Windows\{1ACB06E1-A752-4c45-B6ED-0C0A1EB7FF36}.exe	{2A0CE600-8AC1-49d1-93EE-3F40007AE4D3}.exe
File created	C:\Windows\{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1244	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4816	{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe
Token: SeIncBasePriorityPrivilege	3532	{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe
Token: SeIncBasePriorityPrivilege	3504	{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe
Token: SeIncBasePriorityPrivilege	2964	{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe
Token: SeIncBasePriorityPrivilege	3540	{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe
Token: SeIncBasePriorityPrivilege	3788	{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe
Token: SeIncBasePriorityPrivilege	4392	{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe
Token: SeIncBasePriorityPrivilege	4744	{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe
Token: SeIncBasePriorityPrivilege	1628	{2819B25C-8E08-4549-BD68-8E487571E621}.exe
Token: SeIncBasePriorityPrivilege	1868	{528A57F1-DF57-494a-AD82-FFA94124E569}.exe
Token: SeIncBasePriorityPrivilege	2128	{2A0CE600-8AC1-49d1-93EE-3F40007AE4D3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 4816	1244	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe	93
PID 1244 wrote to memory of 4816	1244	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe	93
PID 1244 wrote to memory of 4816	1244	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe	93
PID 1244 wrote to memory of 2504	1244	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe	94
PID 1244 wrote to memory of 2504	1244	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe	94
PID 1244 wrote to memory of 2504	1244	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe	94
PID 4816 wrote to memory of 3532	4816	{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe	95
PID 4816 wrote to memory of 3532	4816	{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe	95
PID 4816 wrote to memory of 3532	4816	{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe	95
PID 4816 wrote to memory of 868	4816	{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe	96
PID 4816 wrote to memory of 868	4816	{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe	96
PID 4816 wrote to memory of 868	4816	{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe	96
PID 3532 wrote to memory of 3504	3532	{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe	100
PID 3532 wrote to memory of 3504	3532	{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe	100
PID 3532 wrote to memory of 3504	3532	{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe	100
PID 3532 wrote to memory of 4152	3532	{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe	101
PID 3532 wrote to memory of 4152	3532	{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe	101
PID 3532 wrote to memory of 4152	3532	{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe	101
PID 3504 wrote to memory of 2964	3504	{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe	102
PID 3504 wrote to memory of 2964	3504	{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe	102
PID 3504 wrote to memory of 2964	3504	{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe	102
PID 3504 wrote to memory of 2696	3504	{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe	103
PID 3504 wrote to memory of 2696	3504	{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe	103
PID 3504 wrote to memory of 2696	3504	{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe	103
PID 2964 wrote to memory of 3540	2964	{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe	104
PID 2964 wrote to memory of 3540	2964	{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe	104
PID 2964 wrote to memory of 3540	2964	{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe	104
PID 2964 wrote to memory of 2192	2964	{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe	105
PID 2964 wrote to memory of 2192	2964	{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe	105
PID 2964 wrote to memory of 2192	2964	{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe	105
PID 3540 wrote to memory of 3788	3540	{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe	106
PID 3540 wrote to memory of 3788	3540	{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe	106
PID 3540 wrote to memory of 3788	3540	{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe	106
PID 3540 wrote to memory of 2268	3540	{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe	107
PID 3540 wrote to memory of 2268	3540	{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe	107
PID 3540 wrote to memory of 2268	3540	{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe	107
PID 3788 wrote to memory of 4392	3788	{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe	108
PID 3788 wrote to memory of 4392	3788	{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe	108
PID 3788 wrote to memory of 4392	3788	{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe	108
PID 3788 wrote to memory of 4468	3788	{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe	109
PID 3788 wrote to memory of 4468	3788	{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe	109
PID 3788 wrote to memory of 4468	3788	{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe	109
PID 4392 wrote to memory of 4744	4392	{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe	110
PID 4392 wrote to memory of 4744	4392	{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe	110
PID 4392 wrote to memory of 4744	4392	{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe	110
PID 4392 wrote to memory of 5040	4392	{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe	111
PID 4392 wrote to memory of 5040	4392	{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe	111
PID 4392 wrote to memory of 5040	4392	{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe	111
PID 4744 wrote to memory of 1628	4744	{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe	112
PID 4744 wrote to memory of 1628	4744	{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe	112
PID 4744 wrote to memory of 1628	4744	{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe	112
PID 4744 wrote to memory of 512	4744	{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe	113
PID 4744 wrote to memory of 512	4744	{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe	113
PID 4744 wrote to memory of 512	4744	{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe	113
PID 1628 wrote to memory of 1868	1628	{2819B25C-8E08-4549-BD68-8E487571E621}.exe	114
PID 1628 wrote to memory of 1868	1628	{2819B25C-8E08-4549-BD68-8E487571E621}.exe	114
PID 1628 wrote to memory of 1868	1628	{2819B25C-8E08-4549-BD68-8E487571E621}.exe	114
PID 1628 wrote to memory of 3568	1628	{2819B25C-8E08-4549-BD68-8E487571E621}.exe	115
PID 1628 wrote to memory of 3568	1628	{2819B25C-8E08-4549-BD68-8E487571E621}.exe	115
PID 1628 wrote to memory of 3568	1628	{2819B25C-8E08-4549-BD68-8E487571E621}.exe	115
PID 1868 wrote to memory of 2128	1868	{528A57F1-DF57-494a-AD82-FFA94124E569}.exe	116
PID 1868 wrote to memory of 2128	1868	{528A57F1-DF57-494a-AD82-FFA94124E569}.exe	116
PID 1868 wrote to memory of 2128	1868	{528A57F1-DF57-494a-AD82-FFA94124E569}.exe	116
PID 1868 wrote to memory of 4628	1868	{528A57F1-DF57-494a-AD82-FFA94124E569}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe
  C:\Windows\{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe
    C:\Windows\{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe
      C:\Windows\{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Windows\{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe
        
        C:\Windows\{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe
        
        C:\Windows\{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe
        
        C:\Windows\{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe
        
        C:\Windows\{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe
        
        C:\Windows\{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\{2819B25C-8E08-4549-BD68-8E487571E621}.exe
        
        C:\Windows\{2819B25C-8E08-4549-BD68-8E487571E621}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{528A57F1-DF57-494a-AD82-FFA94124E569}.exe
        
        C:\Windows\{528A57F1-DF57-494a-AD82-FFA94124E569}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{2A0CE600-8AC1-49d1-93EE-3F40007AE4D3}.exe
        
        C:\Windows\{2A0CE600-8AC1-49d1-93EE-3F40007AE4D3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\{1ACB06E1-A752-4c45-B6ED-0C0A1EB7FF36}.exe
        
        C:\Windows\{1ACB06E1-A752-4c45-B6ED-0C0A1EB7FF36}.exe
        13⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A0CE~1.EXE > nul
        13⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{528A5~1.EXE > nul
        12⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2819B~1.EXE > nul
        11⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{651BD~1.EXE > nul
        10⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6EA6~1.EXE > nul
        9⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{340D1~1.EXE > nul
        8⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4959E~1.EXE > nul
        7⤵
        
        PID:2268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41EB0~1.EXE > nul
        6⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6656F~1.EXE > nul
        5⤵
        
        PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{02F97~1.EXE > nul
      4⤵
      PID:4152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F7066~1.EXE > nul
    3⤵
    PID:868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02F97D4D-8A5A-4ceb-8744-8B793A60619C}.exe

Filesize
372KB

MD5
80ec545f8e4314a1c488eaf9af5d12a5

SHA1
f3cb15632413d04fc3c262b963672f3922feb202

SHA256
6befa34d111dc448e91382d9e02cfb92ed2051c91fbc64d072e4b06833aeb359

SHA512
d6dac4a5cd19533f97aac7f5d0a91ac01ec9350f3b2cb74880c2051ac78298b809e4f3157f299a439dcae57d9b26508b15ab57db58d3a084164d5d22109d93b4

Download Submit
C:\Windows\{1ACB06E1-A752-4c45-B6ED-0C0A1EB7FF36}.exe

Filesize
372KB

MD5
6d24bdb28013a1cb0d98fd6bbc1a52e2

SHA1
8c061cb02e8c816c2c0898b5f7a2521cc65e68c4

SHA256
13ed5645b7f6536a7415dd1f6f2ad00b5d32e06f8504b51d564fd5b749b29961

SHA512
40bbc52cd45ba30844abb806c722c0feb67409fd08163e898f78c423de345787e66ec079157687007f7e03f933c9f7c11114f39fe7d2054f86770b46b58b7fd0

Download Submit
C:\Windows\{2819B25C-8E08-4549-BD68-8E487571E621}.exe

Filesize
372KB

MD5
7d6f1975c98689eda36c66c2a40d73f4

SHA1
0472c2a369aa0b2c11cae220e05dec636c770163

SHA256
7ce79df0edcc993dfdb03204a7aefbbb9434ee8a7e0c0897d79f7bffd08e4be2

SHA512
b12cc258a24202a47073904ce4d7752ce1e1b9150ddd29ea8cc0c691d1f640e5ebc31e7661af89b79c42e57754de72b376d533d214dea4f58c09a775ab3ec503

Download Submit
C:\Windows\{2A0CE600-8AC1-49d1-93EE-3F40007AE4D3}.exe

Filesize
372KB

MD5
315c0de62147f0e7c59b698f351d621f

SHA1
dbd4c2aea72a5598a3e3ef669f3b2b4cb610cc12

SHA256
32835fec1f5964011e6566fed44a89d4ba687c9ae890c1562579ab718556a967

SHA512
0133ad7a2cf046a0949797ff3681338ac9d850dac8b0fbfbc3f7709a1c86bf3e3587469b4e0dac04257acbef820dc72a253e610af83c4807b5fcacb7392dffcc

Download Submit
C:\Windows\{340D1A27-62C2-42cd-8415-D3FFC0019D58}.exe

Filesize
372KB

MD5
341ba8123483a7de25bcb974a66bcb80

SHA1
503fedc24a5b7472caaaaab573faf7f780e31860

SHA256
225c920b6f9aa028f510184c172dab10bfc22cb54c58408e4f40d4e5ef24fc25

SHA512
01a48b1cc9e710b38452c4f9ea414953f39ece4c529c9eeab0a79a2198e4551371ebee7f6094352f131d15b801ae29329f933265367fdcf9796e91922f147aaf

Download Submit
C:\Windows\{41EB017F-E399-4d1e-8637-3672F0D87E81}.exe

Filesize
372KB

MD5
14990c6db74e677eb28d070ab76dbf69

SHA1
8db2b3658aa69684895898270523ffb424113608

SHA256
1ad37df8d1ea5a2ff04f021a8edd931022c7f31c12b68597409e491ee7cd795c

SHA512
5d866ab4534d1e983999a3694632b4530044b4ab62f8cd06264c8133a09d45a0523496f2867b681dec3a493ac69f8af46e67957dac7717c62c76e912dafb27f2

Download Submit
C:\Windows\{4959EEA7-F5DB-4020-BF6C-8904F14F8009}.exe

Filesize
372KB

MD5
e684b6dab6f9245e75455efba4cd3d82

SHA1
0587893cad95376448405c9b636fa5bfa31a1320

SHA256
499886c6d2f70ad9947a21ee050f0020a5650900fd4cd4ae5acfd7b224f0d42b

SHA512
ce25bf347883200b3187b501613fb47a272a7619aeeea111c431933a3424efb6f8ebb506ae4f794547aead9e7acfb9fc34000c246554cf7189be6211d7ca8680

Download Submit
C:\Windows\{528A57F1-DF57-494a-AD82-FFA94124E569}.exe

Filesize
372KB

MD5
74a2662a126e6409919099db1313e85b

SHA1
5160c186d4011ea705866338c82a885adb05ac87

SHA256
78dfe44deba194b10514cd84c3dd4db2777be2bef19f1a616b8e745cca612cc8

SHA512
279763e303c1648c40a5b1c770e127a53dc773b3a9511f12159adb86baa25407058a6a8f1e78e0a0468ea9ccdba67c90a99fc981f75d71073a6739128e4ee920

Download Submit
C:\Windows\{651BDDAC-3884-4d4e-A8DB-8AEACD05C6D4}.exe

Filesize
372KB

MD5
33a0122a7f327fd2f10bd3a0db9b39d8

SHA1
0cf4a5a76197fd5206b028dac3f43d2a0b8102fb

SHA256
69fc58a92d24f5be88fab5bc9bbab95d427c0f10b59a05a424c99bf7995b4244

SHA512
eacd6261925ff304160d4baf78e4b5a3b2a01950dbf8d79605e325fd2cc168124994fd4e839b14d32f684c79316bc4958278cacb7a5e25374145aad5e8fbe4c7

Download Submit
C:\Windows\{6656F040-9AE4-4031-AF85-3BB61E03C082}.exe

Filesize
372KB

MD5
dc32e12656fed3acdddf7543b2c21aa6

SHA1
6af821f7e92e77dccfae658f59796b84eac1954e

SHA256
05b332b30c388305a357d6b286528a340142e14795c1c01d412024a2b7687125

SHA512
ba682c441c33530b707a4f4afb14b36c358f86c033824ab8b9dd029fa0c365f78478de99ce2e505cbee722c5744c5d1712e792cb582d0103066520c7a1366f19

Download Submit
C:\Windows\{C6EA6FA1-3CA1-4ed4-9516-51276A6DCEA5}.exe

Filesize
372KB

MD5
66a26a234c9ef9e06faf2d6248114f8d

SHA1
15fb4ca68946d9c1439c5f947d2aba876df83b3f

SHA256
ff1cfab924a5051020b2b054de4f41a5bc89317b18ad2e49c73970ae16c26d67

SHA512
048a45a6fd30425a25c665a25dc758f7b67966666db2d352035c0590790805d7eb950f0d297bacba370063566995ecc1c975375077b6891e5837e14255f48036

Download Submit
C:\Windows\{F7066E1A-F89D-4faf-822E-EFC28AE08CA5}.exe

Filesize
372KB

MD5
65c1dcceb7b34613935221c350e9db57

SHA1
3f446774fe95090d6d1c502f2a822c180c44e2b7

SHA256
bc83275019bafadb22dc41bf850ae50dc36dac156a736cb3a62fc5699563c242

SHA512
7e59ee7b2ee114923644ed77afb8f114536bcbe50e50d20881236882092ee75d5b3e06a69ed9c154a72e0a97fa4dd4c43fdb6f0661499328e767a7bc4749f622

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads