683f242b916e993663df32eb6c0dd5d850c7c11285d64641cb3742d26a17c639

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 01:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_37b2d54bcb4bdb258a2625134838c375_goldeneye.exe
Size

408KB
MD5

37b2d54bcb4bdb258a2625134838c375
SHA1

2fddbde4245f85b1e85a50e2323fc06a701b8e84
SHA256

683f242b916e993663df32eb6c0dd5d850c7c11285d64641cb3742d26a17c639
SHA512

95f9def1097f96b5754f5cf1aa567222abedb4db189789ae4245e60efae77c286409a6e668f19a059952f55698cf95ace1c6266b18c9e138ebf52390f49084a9
SSDEEP

3072:CEGh0opl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGnldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023427-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023426-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002342f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023426-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002342f-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023426-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002342f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002335a-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002335e-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002335a-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002335e-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002335a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E18DB88F-7EF4-4c99-8F54-0E18CE606200}\stubpath = "C:\\Windows\\{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe"	2024-04-18_37b2d54bcb4bdb258a2625134838c375_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}\stubpath = "C:\\Windows\\{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}.exe"	{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8388B5D-24EB-47a7-AC1E-FA9A44B36BB1}\stubpath = "C:\\Windows\\{C8388B5D-24EB-47a7-AC1E-FA9A44B36BB1}.exe"	{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}\stubpath = "C:\\Windows\\{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe"	{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E18DB88F-7EF4-4c99-8F54-0E18CE606200}	2024-04-18_37b2d54bcb4bdb258a2625134838c375_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}	{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}\stubpath = "C:\\Windows\\{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe"	{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7F89137-B9BA-4e00-BB28-66B8E9403D40}\stubpath = "C:\\Windows\\{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe"	{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6397C8B9-9981-4905-8AFE-52004B7DA5C4}\stubpath = "C:\\Windows\\{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe"	{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}\stubpath = "C:\\Windows\\{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe"	{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{949F9171-1B23-4ab5-BA97-4252E4367FB6}\stubpath = "C:\\Windows\\{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe"	{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7F89137-B9BA-4e00-BB28-66B8E9403D40}	{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C11257C-E3B3-4187-9BEE-818BC3BB636A}	{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C11257C-E3B3-4187-9BEE-818BC3BB636A}\stubpath = "C:\\Windows\\{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe"	{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}	{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}	{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E441C6B-C518-4be7-A367-6FB3E73D8F01}\stubpath = "C:\\Windows\\{6E441C6B-C518-4be7-A367-6FB3E73D8F01}.exe"	{C8388B5D-24EB-47a7-AC1E-FA9A44B36BB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}\stubpath = "C:\\Windows\\{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe"	{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}	{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6397C8B9-9981-4905-8AFE-52004B7DA5C4}	{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}	{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{949F9171-1B23-4ab5-BA97-4252E4367FB6}	{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8388B5D-24EB-47a7-AC1E-FA9A44B36BB1}	{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E441C6B-C518-4be7-A367-6FB3E73D8F01}	{C8388B5D-24EB-47a7-AC1E-FA9A44B36BB1}.exe

Executes dropped EXE 12 IoCs

pid	Process
5096	{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe
1488	{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe
4888	{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe
4400	{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe
3056	{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe
4352	{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe
4108	{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe
2412	{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe
5092	{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe
860	{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}.exe
4568	{C8388B5D-24EB-47a7-AC1E-FA9A44B36BB1}.exe
2976	{6E441C6B-C518-4be7-A367-6FB3E73D8F01}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe	{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe
File created	C:\Windows\{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe	{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe
File created	C:\Windows\{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe	{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe
File created	C:\Windows\{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe	{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe
File created	C:\Windows\{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe	{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe
File created	C:\Windows\{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe	{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe
File created	C:\Windows\{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}.exe	{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe
File created	C:\Windows\{6E441C6B-C518-4be7-A367-6FB3E73D8F01}.exe	{C8388B5D-24EB-47a7-AC1E-FA9A44B36BB1}.exe
File created	C:\Windows\{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe	2024-04-18_37b2d54bcb4bdb258a2625134838c375_goldeneye.exe
File created	C:\Windows\{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe	{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe
File created	C:\Windows\{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe	{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe
File created	C:\Windows\{C8388B5D-24EB-47a7-AC1E-FA9A44B36BB1}.exe	{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4604	2024-04-18_37b2d54bcb4bdb258a2625134838c375_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5096	{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe
Token: SeIncBasePriorityPrivilege	1488	{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe
Token: SeIncBasePriorityPrivilege	4888	{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe
Token: SeIncBasePriorityPrivilege	4400	{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe
Token: SeIncBasePriorityPrivilege	3056	{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe
Token: SeIncBasePriorityPrivilege	4352	{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe
Token: SeIncBasePriorityPrivilege	4108	{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe
Token: SeIncBasePriorityPrivilege	2412	{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe
Token: SeIncBasePriorityPrivilege	5092	{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe
Token: SeIncBasePriorityPrivilege	860	{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}.exe
Token: SeIncBasePriorityPrivilege	4568	{C8388B5D-24EB-47a7-AC1E-FA9A44B36BB1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 5096	4604	2024-04-18_37b2d54bcb4bdb258a2625134838c375_goldeneye.exe	92
PID 4604 wrote to memory of 5096	4604	2024-04-18_37b2d54bcb4bdb258a2625134838c375_goldeneye.exe	92
PID 4604 wrote to memory of 5096	4604	2024-04-18_37b2d54bcb4bdb258a2625134838c375_goldeneye.exe	92
PID 4604 wrote to memory of 1920	4604	2024-04-18_37b2d54bcb4bdb258a2625134838c375_goldeneye.exe	93
PID 4604 wrote to memory of 1920	4604	2024-04-18_37b2d54bcb4bdb258a2625134838c375_goldeneye.exe	93
PID 4604 wrote to memory of 1920	4604	2024-04-18_37b2d54bcb4bdb258a2625134838c375_goldeneye.exe	93
PID 5096 wrote to memory of 1488	5096	{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe	94
PID 5096 wrote to memory of 1488	5096	{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe	94
PID 5096 wrote to memory of 1488	5096	{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe	94
PID 5096 wrote to memory of 1360	5096	{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe	95
PID 5096 wrote to memory of 1360	5096	{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe	95
PID 5096 wrote to memory of 1360	5096	{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe	95
PID 1488 wrote to memory of 4888	1488	{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe	99
PID 1488 wrote to memory of 4888	1488	{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe	99
PID 1488 wrote to memory of 4888	1488	{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe	99
PID 1488 wrote to memory of 4960	1488	{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe	100
PID 1488 wrote to memory of 4960	1488	{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe	100
PID 1488 wrote to memory of 4960	1488	{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe	100
PID 4888 wrote to memory of 4400	4888	{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe	101
PID 4888 wrote to memory of 4400	4888	{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe	101
PID 4888 wrote to memory of 4400	4888	{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe	101
PID 4888 wrote to memory of 1588	4888	{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe	102
PID 4888 wrote to memory of 1588	4888	{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe	102
PID 4888 wrote to memory of 1588	4888	{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe	102
PID 4400 wrote to memory of 3056	4400	{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe	103
PID 4400 wrote to memory of 3056	4400	{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe	103
PID 4400 wrote to memory of 3056	4400	{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe	103
PID 4400 wrote to memory of 4328	4400	{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe	104
PID 4400 wrote to memory of 4328	4400	{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe	104
PID 4400 wrote to memory of 4328	4400	{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe	104
PID 3056 wrote to memory of 4352	3056	{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe	105
PID 3056 wrote to memory of 4352	3056	{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe	105
PID 3056 wrote to memory of 4352	3056	{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe	105
PID 3056 wrote to memory of 2664	3056	{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe	106
PID 3056 wrote to memory of 2664	3056	{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe	106
PID 3056 wrote to memory of 2664	3056	{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe	106
PID 4352 wrote to memory of 4108	4352	{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe	107
PID 4352 wrote to memory of 4108	4352	{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe	107
PID 4352 wrote to memory of 4108	4352	{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe	107
PID 4352 wrote to memory of 1636	4352	{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe	108
PID 4352 wrote to memory of 1636	4352	{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe	108
PID 4352 wrote to memory of 1636	4352	{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe	108
PID 4108 wrote to memory of 2412	4108	{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe	111
PID 4108 wrote to memory of 2412	4108	{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe	111
PID 4108 wrote to memory of 2412	4108	{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe	111
PID 4108 wrote to memory of 3760	4108	{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe	112
PID 4108 wrote to memory of 3760	4108	{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe	112
PID 4108 wrote to memory of 3760	4108	{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe	112
PID 2412 wrote to memory of 5092	2412	{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe	113
PID 2412 wrote to memory of 5092	2412	{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe	113
PID 2412 wrote to memory of 5092	2412	{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe	113
PID 2412 wrote to memory of 2200	2412	{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe	114
PID 2412 wrote to memory of 2200	2412	{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe	114
PID 2412 wrote to memory of 2200	2412	{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe	114
PID 5092 wrote to memory of 860	5092	{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe	115
PID 5092 wrote to memory of 860	5092	{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe	115
PID 5092 wrote to memory of 860	5092	{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe	115
PID 5092 wrote to memory of 4500	5092	{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe	116
PID 5092 wrote to memory of 4500	5092	{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe	116
PID 5092 wrote to memory of 4500	5092	{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe	116
PID 860 wrote to memory of 4568	860	{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}.exe	117
PID 860 wrote to memory of 4568	860	{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}.exe	117
PID 860 wrote to memory of 4568	860	{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}.exe	117
PID 860 wrote to memory of 4816	860	{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-18_37b2d54bcb4bdb258a2625134838c375_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_37b2d54bcb4bdb258a2625134838c375_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe
  C:\Windows\{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe
    C:\Windows\{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe
      C:\Windows\{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Windows\{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe
        
        C:\Windows\{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Windows\{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe
        
        C:\Windows\{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe
        
        C:\Windows\{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe
        
        C:\Windows\{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe
        
        C:\Windows\{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe
        
        C:\Windows\{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}.exe
        
        C:\Windows\{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\{C8388B5D-24EB-47a7-AC1E-FA9A44B36BB1}.exe
        
        C:\Windows\{C8388B5D-24EB-47a7-AC1E-FA9A44B36BB1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4568
        
        C:\Windows\{6E441C6B-C518-4be7-A367-6FB3E73D8F01}.exe
        
        C:\Windows\{6E441C6B-C518-4be7-A367-6FB3E73D8F01}.exe
        13⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8388~1.EXE > nul
        13⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2991C~1.EXE > nul
        12⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5457~1.EXE > nul
        11⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{949F9~1.EXE > nul
        10⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C112~1.EXE > nul
        9⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88F96~1.EXE > nul
        8⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6397C~1.EXE > nul
        7⤵
        
        PID:2664
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7F89~1.EXE > nul
        6⤵
        
        PID:4328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7C6C~1.EXE > nul
        5⤵
        
        PID:1588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6B003~1.EXE > nul
      4⤵
      PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E18DB~1.EXE > nul
    3⤵
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2991CDE3-7B96-47d7-BF91-B294EFFA26CC}.exe

Filesize
408KB

MD5
529bc322205eea3a6e5d4d7246aeee8c

SHA1
8b528d7dd773785f832c30daca7620db41fa5bea

SHA256
9b5a80fbaa9b3715e4b30e086be62ad4878682862b11aaa9139e7a8f84423da4

SHA512
2818ce86f7a17377de7eb17c82dac9581b4e38c18edbd4103fedf9e56afc4f61a5674cd9debc8de8075503861d553d39e3c0e59dff0af7adce6476813da2028e

Download Submit
C:\Windows\{5C11257C-E3B3-4187-9BEE-818BC3BB636A}.exe

Filesize
408KB

MD5
dcaee4c2f19cfcb66906ffc7d86f6e33

SHA1
209472871b42990967801735e8f2b6791c616bc5

SHA256
3f582e8085b32f78fd8eee61ded2e630f4f5489b8aae015efb7b8cb5eb05382d

SHA512
4fb0dcd2ac7f6e1861a69d1aab083b552ef02e29fb616468d5df9325ce8b08dce1e822195be61db4bc2f6e07aff895d4953f80432f4972d63d4635ba998ecdad

Download Submit
C:\Windows\{6397C8B9-9981-4905-8AFE-52004B7DA5C4}.exe

Filesize
408KB

MD5
d089df0c6bcd12e202669720328779cc

SHA1
d069af0c2f042a2ce0406751ef7d2c5cf2c821c5

SHA256
eb0412dc845ce29349a8f594cdbbffb9d373ba7ea18ecc99fbb875d18ebe0bb2

SHA512
f9c7cec5750986537d3d4f8a7129a4833b12cc3cbf1683f71f5b482fa59e3e42299b5b5d36ada5c2033954d2b15859969aa6158a3b52b8efa898aad6d7108402

Download Submit
C:\Windows\{6B003FC0-CE24-42bd-85CD-D386A75DCEAA}.exe

Filesize
408KB

MD5
2da58e34a9538a6e1de3d94a4325358c

SHA1
d767faec58f2ebe72a39a96bc2042daa1bea84db

SHA256
252d9821487a89b8c27c0649fd734b520349fc74f8464a64a1197d085b199e46

SHA512
c97cb698fa60b59db1e484d94f59062056d55581e2a7b65ffa2d3f5a6cd4456d3b78006c3b5af7b67dc96fe4e5b359aaecb6e2a560668c73b63557e406f45bbe

Download Submit
C:\Windows\{6E441C6B-C518-4be7-A367-6FB3E73D8F01}.exe

Filesize
408KB

MD5
330c5142f9e17a8408d19ef2f6e9bb8a

SHA1
43f777cb4923c886af80ccf152940f7ec8ef8d23

SHA256
fe552951bffce465c2b690990d6672649f0e3c91a2c15beb7db683595a64e388

SHA512
8f4864c8592947e129bd2a29455a99fbf862105eaab9b47d3fc4245b3ce99fc18d0dccfe118f83fe1054d001a1ce08fd240de40dd0b398d6623c040943df9d02

Download Submit
C:\Windows\{88F963CF-1842-4c70-AEE6-C36E8EFB5CD8}.exe

Filesize
408KB

MD5
5d7c035107f989295fccc3c11ecb230c

SHA1
5675ebc974e3ecb4027f49d2c1cbb055d8bc7421

SHA256
6b96d6e1135dc3ea9fc113b6488a340a3b7c20309e290bf514252ed78f5dd8c0

SHA512
8a63005453e48a825b0e31f0d61b9a72826db46c56d7445f7338789a6c5105350d6f265fd933f35163f63930ad625ae257b48226e3f1ac702b0b1bc05b480521

Download Submit
C:\Windows\{949F9171-1B23-4ab5-BA97-4252E4367FB6}.exe

Filesize
408KB

MD5
17a30bb84c170dbd9b7a7af4da706829

SHA1
8dfb22f560f68a732a61888dd0626d55d2d97227

SHA256
94a8fa382bf60c045d5e515a45915d3d99372c6e31818b90fc5d260fb7e53fe9

SHA512
f0b9540681eebca40702709c6bce8b2b7e033dd974e3baa224ee99b2edc64ab47f7947607974ad408329182a4406880dd0244cf70773f7433e1cd7e81c97d390

Download Submit
C:\Windows\{B7C6CFAB-6E11-4f1e-8C5D-C56BF6B611F8}.exe

Filesize
408KB

MD5
b76090254a12f18f6aacb3a78a03a87c

SHA1
2da8f1fc0fad3d7c09cb4ab8d11a2adac19c9272

SHA256
b34cd510f5fd6038108cd44205f77a6db11dc326c438dcd95cbea423cc6c4265

SHA512
54a2ce94c6f45d56a762c295c412e845b3bd327997e9953750c5068e8f41669063f7fd64a9dcfe4f8c32156a73191b77ac561a5f0800557ccf4f0b8a495ccdf8

Download Submit
C:\Windows\{B7F89137-B9BA-4e00-BB28-66B8E9403D40}.exe

Filesize
408KB

MD5
b9382d563ca7cfc87813b6ada800b743

SHA1
be1e1efc800848701d716c502c9ccbb80b4dc848

SHA256
dd5672dc7b660db939e6b10bb5a4df842d66807c76905a6e75b9f4e0b9f6739e

SHA512
6c36028b0e23bfa9cc19d119d43425f93c2ccfefebe35fa7b420f2b591d4925345a9c502eb4e4804fcd4fefe53109164fe98bfaa11b04791282b7f0732dc87d6

Download Submit
C:\Windows\{C5457CE9-3A1C-4041-B1F3-80327B53A2AC}.exe

Filesize
408KB

MD5
cd7f62fb2abcd387976a6528fe97c1c0

SHA1
f05f5c1d41929969565e3a328c868762501b2898

SHA256
9163a80348262902820ca33ebf69f87ab440a81c1edb4286d5fa60294c395ca4

SHA512
9c0dd15024e2b3cb8947ecdbfea8f029e91cf9c4bf13491ac16fcfb93934176904010c8e3ec1c82b5b2837da6a5f05b37a8f23ef9d91aab4a57dcc2cd83282c3

Download Submit
C:\Windows\{C8388B5D-24EB-47a7-AC1E-FA9A44B36BB1}.exe

Filesize
408KB

MD5
d4d8292e9ec882b1cab778f3977a810c

SHA1
c7de78f44083264b6aea155b53eda734b61d20a9

SHA256
5d95d1763a4155176d33bbd6290285a8b379548f7f09f1f2e677f6a1b3bc6d22

SHA512
a7a1780cec770c0b3b000c089369156a01e11b937e8b5c420939a52eba9080543bac51aa887525324fb11ab5f2726cd1f22ce47a367f1c2e714172f5db0bde06

Download Submit
C:\Windows\{E18DB88F-7EF4-4c99-8F54-0E18CE606200}.exe

Filesize
408KB

MD5
5f6a71c1f5b2d4474d5e6a82860ec4c2

SHA1
5e16317f9c6c4b301f2a4c783d4af05bdfd9b403

SHA256
2e64d150dc2b79414c25ed287f27349447b5b9f213d95e50bae6ff7abe1cc246

SHA512
c0f1d02fdd45540eac92cb334ce6474710d90e8c65dcfc75ad4ec8c15a5c897f17f54e62d6f2d7a5f87a9003687872afcd00dba6c5ca52aa8a75b90839b9ff12

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads