6128e1a8cec6e72b229e3e5ef9f441c5765747d9e97bb577871c6db2294b9c80

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe
Size

344KB
MD5

1c6a7b50e32bef06f3e0cfe8b42d1e92
SHA1

7e8a071709f314e1005582e100d4dfd4869b3131
SHA256

6128e1a8cec6e72b229e3e5ef9f441c5765747d9e97bb577871c6db2294b9c80
SHA512

769a39e900936f6c2c4f17f0866189c7ee84f89fad68d24a01e4065bbc4a23ca63224437455c0c40fb04f9d36d6cabe653bd0a3c436a4b75298e7b9bf5310ebb
SSDEEP

3072:mEGh0oulEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGIlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023418-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023413-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023420-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e743-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023420-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e743-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023420-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e743-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023420-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e743-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002341d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e743-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA4799B5-701A-48ac-AE98-C5A21CD976C2}\stubpath = "C:\\Windows\\{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe"	{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}\stubpath = "C:\\Windows\\{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe"	{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{908A679D-9F82-4ee2-B680-F09D08CA8AD1}\stubpath = "C:\\Windows\\{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe"	{7474995E-F86D-4379-B8AE-C10299679FDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}\stubpath = "C:\\Windows\\{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe"	{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5262C12B-C77F-460f-BA3D-13980C7D92F8}	{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}\stubpath = "C:\\Windows\\{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe"	{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7474995E-F86D-4379-B8AE-C10299679FDE}\stubpath = "C:\\Windows\\{7474995E-F86D-4379-B8AE-C10299679FDE}.exe"	{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{908A679D-9F82-4ee2-B680-F09D08CA8AD1}	{7474995E-F86D-4379-B8AE-C10299679FDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AED810E6-71B9-43b4-A2E1-B58C074C7339}	{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DAC5DC4-9FD4-4927-B16A-43A7086BF93E}	{AED810E6-71B9-43b4-A2E1-B58C074C7339}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAD773D1-800D-41cd-ACF9-21C733FC857B}	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}	{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}	{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}	{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B38919B8-1643-41b8-B252-468C67261C05}	{0DAC5DC4-9FD4-4927-B16A-43A7086BF93E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B38919B8-1643-41b8-B252-468C67261C05}\stubpath = "C:\\Windows\\{B38919B8-1643-41b8-B252-468C67261C05}.exe"	{0DAC5DC4-9FD4-4927-B16A-43A7086BF93E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAD773D1-800D-41cd-ACF9-21C733FC857B}\stubpath = "C:\\Windows\\{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe"	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}\stubpath = "C:\\Windows\\{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe"	{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5262C12B-C77F-460f-BA3D-13980C7D92F8}\stubpath = "C:\\Windows\\{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe"	{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AED810E6-71B9-43b4-A2E1-B58C074C7339}\stubpath = "C:\\Windows\\{AED810E6-71B9-43b4-A2E1-B58C074C7339}.exe"	{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DAC5DC4-9FD4-4927-B16A-43A7086BF93E}\stubpath = "C:\\Windows\\{0DAC5DC4-9FD4-4927-B16A-43A7086BF93E}.exe"	{AED810E6-71B9-43b4-A2E1-B58C074C7339}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}	{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA4799B5-701A-48ac-AE98-C5A21CD976C2}	{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7474995E-F86D-4379-B8AE-C10299679FDE}	{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe

Executes dropped EXE 12 IoCs

pid	Process
4084	{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe
868	{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe
2300	{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe
5088	{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe
1136	{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe
2156	{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe
3132	{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe
4608	{7474995E-F86D-4379-B8AE-C10299679FDE}.exe
4200	{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe
4360	{AED810E6-71B9-43b4-A2E1-B58C074C7339}.exe
4776	{0DAC5DC4-9FD4-4927-B16A-43A7086BF93E}.exe
3972	{B38919B8-1643-41b8-B252-468C67261C05}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe	{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe
File created	C:\Windows\{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe	{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe
File created	C:\Windows\{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe	{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe
File created	C:\Windows\{7474995E-F86D-4379-B8AE-C10299679FDE}.exe	{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe
File created	C:\Windows\{AED810E6-71B9-43b4-A2E1-B58C074C7339}.exe	{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe
File created	C:\Windows\{0DAC5DC4-9FD4-4927-B16A-43A7086BF93E}.exe	{AED810E6-71B9-43b4-A2E1-B58C074C7339}.exe
File created	C:\Windows\{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe	{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe
File created	C:\Windows\{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe	{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe
File created	C:\Windows\{B38919B8-1643-41b8-B252-468C67261C05}.exe	{0DAC5DC4-9FD4-4927-B16A-43A7086BF93E}.exe
File created	C:\Windows\{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe	{7474995E-F86D-4379-B8AE-C10299679FDE}.exe
File created	C:\Windows\{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe
File created	C:\Windows\{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe	{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1988	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4084	{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe
Token: SeIncBasePriorityPrivilege	868	{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe
Token: SeIncBasePriorityPrivilege	2300	{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe
Token: SeIncBasePriorityPrivilege	5088	{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe
Token: SeIncBasePriorityPrivilege	1136	{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe
Token: SeIncBasePriorityPrivilege	2156	{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe
Token: SeIncBasePriorityPrivilege	3132	{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe
Token: SeIncBasePriorityPrivilege	4608	{7474995E-F86D-4379-B8AE-C10299679FDE}.exe
Token: SeIncBasePriorityPrivilege	4200	{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe
Token: SeIncBasePriorityPrivilege	4360	{AED810E6-71B9-43b4-A2E1-B58C074C7339}.exe
Token: SeIncBasePriorityPrivilege	4776	{0DAC5DC4-9FD4-4927-B16A-43A7086BF93E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 4084	1988	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe	89
PID 1988 wrote to memory of 4084	1988	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe	89
PID 1988 wrote to memory of 4084	1988	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe	89
PID 1988 wrote to memory of 1228	1988	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe	90
PID 1988 wrote to memory of 1228	1988	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe	90
PID 1988 wrote to memory of 1228	1988	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe	90
PID 4084 wrote to memory of 868	4084	{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe	91
PID 4084 wrote to memory of 868	4084	{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe	91
PID 4084 wrote to memory of 868	4084	{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe	91
PID 4084 wrote to memory of 1824	4084	{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe	92
PID 4084 wrote to memory of 1824	4084	{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe	92
PID 4084 wrote to memory of 1824	4084	{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe	92
PID 868 wrote to memory of 2300	868	{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe	95
PID 868 wrote to memory of 2300	868	{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe	95
PID 868 wrote to memory of 2300	868	{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe	95
PID 868 wrote to memory of 2972	868	{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe	96
PID 868 wrote to memory of 2972	868	{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe	96
PID 868 wrote to memory of 2972	868	{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe	96
PID 2300 wrote to memory of 5088	2300	{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe	98
PID 2300 wrote to memory of 5088	2300	{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe	98
PID 2300 wrote to memory of 5088	2300	{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe	98
PID 2300 wrote to memory of 1412	2300	{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe	99
PID 2300 wrote to memory of 1412	2300	{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe	99
PID 2300 wrote to memory of 1412	2300	{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe	99
PID 5088 wrote to memory of 1136	5088	{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe	100
PID 5088 wrote to memory of 1136	5088	{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe	100
PID 5088 wrote to memory of 1136	5088	{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe	100
PID 5088 wrote to memory of 556	5088	{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe	101
PID 5088 wrote to memory of 556	5088	{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe	101
PID 5088 wrote to memory of 556	5088	{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe	101
PID 1136 wrote to memory of 2156	1136	{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe	102
PID 1136 wrote to memory of 2156	1136	{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe	102
PID 1136 wrote to memory of 2156	1136	{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe	102
PID 1136 wrote to memory of 4020	1136	{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe	103
PID 1136 wrote to memory of 4020	1136	{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe	103
PID 1136 wrote to memory of 4020	1136	{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe	103
PID 2156 wrote to memory of 3132	2156	{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe	104
PID 2156 wrote to memory of 3132	2156	{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe	104
PID 2156 wrote to memory of 3132	2156	{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe	104
PID 2156 wrote to memory of 4100	2156	{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe	105
PID 2156 wrote to memory of 4100	2156	{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe	105
PID 2156 wrote to memory of 4100	2156	{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe	105
PID 3132 wrote to memory of 4608	3132	{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe	106
PID 3132 wrote to memory of 4608	3132	{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe	106
PID 3132 wrote to memory of 4608	3132	{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe	106
PID 3132 wrote to memory of 968	3132	{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe	107
PID 3132 wrote to memory of 968	3132	{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe	107
PID 3132 wrote to memory of 968	3132	{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe	107
PID 4608 wrote to memory of 4200	4608	{7474995E-F86D-4379-B8AE-C10299679FDE}.exe	108
PID 4608 wrote to memory of 4200	4608	{7474995E-F86D-4379-B8AE-C10299679FDE}.exe	108
PID 4608 wrote to memory of 4200	4608	{7474995E-F86D-4379-B8AE-C10299679FDE}.exe	108
PID 4608 wrote to memory of 4236	4608	{7474995E-F86D-4379-B8AE-C10299679FDE}.exe	109
PID 4608 wrote to memory of 4236	4608	{7474995E-F86D-4379-B8AE-C10299679FDE}.exe	109
PID 4608 wrote to memory of 4236	4608	{7474995E-F86D-4379-B8AE-C10299679FDE}.exe	109
PID 4200 wrote to memory of 4360	4200	{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe	110
PID 4200 wrote to memory of 4360	4200	{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe	110
PID 4200 wrote to memory of 4360	4200	{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe	110
PID 4200 wrote to memory of 4092	4200	{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe	111
PID 4200 wrote to memory of 4092	4200	{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe	111
PID 4200 wrote to memory of 4092	4200	{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe	111
PID 4360 wrote to memory of 4776	4360	{AED810E6-71B9-43b4-A2E1-B58C074C7339}.exe	112
PID 4360 wrote to memory of 4776	4360	{AED810E6-71B9-43b4-A2E1-B58C074C7339}.exe	112
PID 4360 wrote to memory of 4776	4360	{AED810E6-71B9-43b4-A2E1-B58C074C7339}.exe	112
PID 4360 wrote to memory of 684	4360	{AED810E6-71B9-43b4-A2E1-B58C074C7339}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe
  C:\Windows\{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe
    C:\Windows\{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe
      C:\Windows\{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe
        
        C:\Windows\{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5088
      - C:\Windows\{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe
        
        C:\Windows\{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe
        
        C:\Windows\{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe
        
        C:\Windows\{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\{7474995E-F86D-4379-B8AE-C10299679FDE}.exe
        
        C:\Windows\{7474995E-F86D-4379-B8AE-C10299679FDE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe
        
        C:\Windows\{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\{AED810E6-71B9-43b4-A2E1-B58C074C7339}.exe
        
        C:\Windows\{AED810E6-71B9-43b4-A2E1-B58C074C7339}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\{0DAC5DC4-9FD4-4927-B16A-43A7086BF93E}.exe
        
        C:\Windows\{0DAC5DC4-9FD4-4927-B16A-43A7086BF93E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Windows\{B38919B8-1643-41b8-B252-468C67261C05}.exe
        
        C:\Windows\{B38919B8-1643-41b8-B252-468C67261C05}.exe
        13⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DAC5~1.EXE > nul
        13⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AED81~1.EXE > nul
        12⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{908A6~1.EXE > nul
        11⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74749~1.EXE > nul
        10⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AD85~1.EXE > nul
        9⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA479~1.EXE > nul
        8⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45F6F~1.EXE > nul
        7⤵
        
        PID:4020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5262C~1.EXE > nul
        6⤵
        
        PID:556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81BFF~1.EXE > nul
        5⤵
        
        PID:1412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3D40~1.EXE > nul
      4⤵
      PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BAD77~1.EXE > nul
    3⤵
    PID:1824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DAC5DC4-9FD4-4927-B16A-43A7086BF93E}.exe

Filesize
344KB

MD5
a00847fa782fdfab397d74b7886b4287

SHA1
033b415d1faf47a4ce2ff0ff85e16cb7db04e88f

SHA256
cce20cce0cf36f6821428b2e98ed3b1f3370795426f0e6d213f35e6953886605

SHA512
51592c5437896844cfe4044c7a61482b0d9e8cafaa7069609327c3f6d984e450c97fc95b4d72144cb18b60b87dba86d59050708b76060fe68c9993d30e03c28f

Download Submit
C:\Windows\{45F6FE07-BD63-4520-B08E-BAD0BE5875C7}.exe

Filesize
344KB

MD5
ee32892e0cc9c3b36c8ba359176b9f85

SHA1
517e33d85e13950a65aeab3f417e54518286c2ac

SHA256
27f090a733ec51fe37f5389ad8ebadb7c90fde5c1aa68aaa8d18d506261b747a

SHA512
7da6a26ffff495b4f205370158c34c9e2025c8baf86b92e8fb2fb003bd01cd45034c51bc58cd90b4d5b8cc077ca13e28b190b6bed59d07024e24ff7d9df89fbe

Download Submit
C:\Windows\{5262C12B-C77F-460f-BA3D-13980C7D92F8}.exe

Filesize
344KB

MD5
ad78ba1612a410b1c1e5d4f58c54e771

SHA1
b52db3d6f2ad1ffae6e1c119851346ec102ba381

SHA256
3c22866740d661ec388ddac87dee5b1636733fb6aa238d6a6856d47333ba5f2c

SHA512
aa69b778b5827a3c57e5f92d26493d6b41eaadc8697a22f5dfd66360bf3952ab948c30f72f30b0a3d93153cc8dcc7fd8e71b82a2474d54d098888cc3e308705e

Download Submit
C:\Windows\{7474995E-F86D-4379-B8AE-C10299679FDE}.exe

Filesize
344KB

MD5
0183995e094c737d8cf552659ea5edcf

SHA1
c96fe34d3d0c9c65ea8cf1fcf239dc854647d5ed

SHA256
30d6ecc85c763f8f5a4b742fb19395586cc0ac0b3668f5614256393516ff0467

SHA512
fb34fbb8305ac4de9d4619b3904067d4c39078e7be53ad0c73cac0cd68de7e5a583859f73ab8821db6982a09e1cb624efecaec35445d36a11dc0ae1f89203d26

Download Submit
C:\Windows\{7AD85DBA-46F7-4ca6-AB04-5BCFAAC46EC0}.exe

Filesize
344KB

MD5
5bdf3b297568e78159fc9b0a0a7408ac

SHA1
528e8f7f01b38d7db8b48123ca6d705b99b0722f

SHA256
5e63e6774a7372731a38e5df4e3a665f3b9d263291fe86374f74922b3d0f5ca5

SHA512
f4d88a75a51cd75cf554b533f9f100f740a828019dd526043c29d8247d281e1611d379233f57fefe08a9909c24529513202727e8629c58c7756ca24821a997c1

Download Submit
C:\Windows\{81BFF7AC-2F57-48b7-A4C0-2EE962CA1907}.exe

Filesize
344KB

MD5
6c26fdf24f9198b9f690c8b34199983d

SHA1
41ce12dccb636316d3050d95942a67ebc82f868d

SHA256
5a9d5e0956dcb33745feaa3e5cfbb0537ecf7aa3b17a2e2ccc4df3a19b7272f6

SHA512
f6370fefa92125e2273062c7077a0d7cd7cb660ad27320ec8e1dd00dbe0a4ed2adea4d42208a7df8ed9bd24dde71f151cf2b89651353bc33b65a32bc1395484f

Download Submit
C:\Windows\{908A679D-9F82-4ee2-B680-F09D08CA8AD1}.exe

Filesize
344KB

MD5
1a4bd2dc740524481c2cdf4202881648

SHA1
c25f8b46fb2e7c2a70994c880d4ef09261e6ddab

SHA256
e7a1a27f83b4fb6ed278b44bd0f9c808ccedec555ecdc1257d0eba677cfaf290

SHA512
3329c4f0bcc06b395cc94dc8d2d2f11b8c27993f6663c66f739d9765cd80d1a6f2d0f481d833293b8c4e698a0e03ba37b9bf6246b6ad0d8fee7e56fa3302aeb7

Download Submit
C:\Windows\{AED810E6-71B9-43b4-A2E1-B58C074C7339}.exe

Filesize
344KB

MD5
2073011a514e012f5eecdfae94cf251a

SHA1
921703c8b58409292be6b81598c8f2a5a44edffa

SHA256
8142843576a36068ddb8197907665035ebfc9f0f48e44f608822d4068effda97

SHA512
76ab456270d318dcd1af01e9092f2d2fc16d0dd38f63da17fce0ed854c7359b122c6e751ba4e6d1a2826283357ff6d8a9d9bee5167611cb8a81e14f752fd1c2e

Download Submit
C:\Windows\{B38919B8-1643-41b8-B252-468C67261C05}.exe

Filesize
344KB

MD5
f4997092d125e2ed60f1de29a3c41cf4

SHA1
4db303177fbd5a6f5c51d514fa0644fcb78ac697

SHA256
b167427eb40c6416135b434e6a93618da00eeb3abaa43829926dfced9c899b44

SHA512
97db39510f01308ca2db5d01df198cd5be987a2f8a3d7ee3716d6400ae33228a9da7adee35d82ccb2dd304d0e7d76295e919c8c6edecf60ff55e7368340dc0e0

Download Submit
C:\Windows\{B3D4072D-65F5-42a6-AA5F-BEC7B81C0910}.exe

Filesize
344KB

MD5
bcb1f3c3b16329ed8da2caf23ce74eb3

SHA1
69b7ea250aed308b8c1901e3af29bbda0aac1425

SHA256
42a69576cf7b337a3e4a25e2a0f5f9247dffbee729b931deb4251cb5f6a4e2f6

SHA512
de1d861cbb0c9124ca402568deaf64fc4ba76bd90716e6247a4af6d66e7c3d21f4606191cc6106a21df4a3f8c908ee1b8e35e5bcc0ccbbc15922881df8389f27

Download Submit
C:\Windows\{BAD773D1-800D-41cd-ACF9-21C733FC857B}.exe

Filesize
344KB

MD5
e592495baa978769877dac8abc4edebb

SHA1
11826b5866c9ff5012cef24df70564e9cb52370d

SHA256
952ba55d19b2de554d6db881c3e690fc255429d2926cd4327659ecaf32dfdffe

SHA512
c0e6478b6c167c5df5b2b884e2bd9ce3fd846c3da5f7c9c3cd7b8ef9cc624d65dfa1d305e30996d61d53e83bfd4d7adf3b673b25a43a4518ced6667e351b85fd

Download Submit
C:\Windows\{FA4799B5-701A-48ac-AE98-C5A21CD976C2}.exe

Filesize
344KB

MD5
04f13501a7c8ccc947a5e57f94b5fcf0

SHA1
3f0a63921b4f9f2188613670435cb2ed1dc60c84

SHA256
abcffb7aafeec40a9037bdb116e47ce1bae607b994d09767b3895378661c2cf1

SHA512
8449bc9e5cfe84a7862cfab7fbd540a5ba9547154e81dbaf1c0cc8904a0534ccc709374dcd50028532d43b5ab69b4cc2680ab15c5214d97b4b7b1632892e8b21

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads