166af6e6befcaf6399193884dc0bd421a88dc7af7fb7f6c1a43237027be9498c

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe
Size

168KB
MD5

f4963d3d17f87bee3664ebfb6e388992
SHA1

9ae4a4d340f2921f8885c1f6afe3114885b54457
SHA256

166af6e6befcaf6399193884dc0bd421a88dc7af7fb7f6c1a43237027be9498c
SHA512

fbc04c28d872a1f2010f01a42c81dceeae73d35bc40622e01e8ef453fef7ee11cf5a919042663f8cf1c917c5dfa7d24efffbde5e2bdd96d00aeb8e060dd43ef6
SSDEEP

1536:1EGh0o1lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o1lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023440-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002343b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023448-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e743-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023448-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e743-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023448-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e743-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023448-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e743-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023445-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e743-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4373B05D-04DD-4959-882E-14D19F1FCD3A}	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}\stubpath = "C:\\Windows\\{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe"	{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D829D0BD-07FD-4e7e-93F3-7E8EF6AB3B95}\stubpath = "C:\\Windows\\{D829D0BD-07FD-4e7e-93F3-7E8EF6AB3B95}.exe"	{F23C06BD-D847-43d7-BC52-05CC20E32CBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F5E0E90-B21F-4c3d-A2E7-926D31166C6C}	{D829D0BD-07FD-4e7e-93F3-7E8EF6AB3B95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4373B05D-04DD-4959-882E-14D19F1FCD3A}\stubpath = "C:\\Windows\\{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe"	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}	{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD110247-2E2B-4be5-8D7B-20752D974EE5}\stubpath = "C:\\Windows\\{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe"	{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E53531B9-9D00-488f-A782-3F97A3281982}\stubpath = "C:\\Windows\\{E53531B9-9D00-488f-A782-3F97A3281982}.exe"	{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}\stubpath = "C:\\Windows\\{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe"	{E53531B9-9D00-488f-A782-3F97A3281982}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}	{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}\stubpath = "C:\\Windows\\{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe"	{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}	{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}\stubpath = "C:\\Windows\\{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe"	{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}\stubpath = "C:\\Windows\\{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe"	{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}	{E53531B9-9D00-488f-A782-3F97A3281982}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F23C06BD-D847-43d7-BC52-05CC20E32CBA}\stubpath = "C:\\Windows\\{F23C06BD-D847-43d7-BC52-05CC20E32CBA}.exe"	{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D829D0BD-07FD-4e7e-93F3-7E8EF6AB3B95}	{F23C06BD-D847-43d7-BC52-05CC20E32CBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}\stubpath = "C:\\Windows\\{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe"	{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}	{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD110247-2E2B-4be5-8D7B-20752D974EE5}	{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}	{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E53531B9-9D00-488f-A782-3F97A3281982}	{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F23C06BD-D847-43d7-BC52-05CC20E32CBA}	{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F5E0E90-B21F-4c3d-A2E7-926D31166C6C}\stubpath = "C:\\Windows\\{8F5E0E90-B21F-4c3d-A2E7-926D31166C6C}.exe"	{D829D0BD-07FD-4e7e-93F3-7E8EF6AB3B95}.exe

Executes dropped EXE 12 IoCs

pid	Process
2924	{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe
984	{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe
1512	{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe
1488	{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe
3260	{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe
3916	{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe
4368	{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe
3484	{E53531B9-9D00-488f-A782-3F97A3281982}.exe
2596	{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe
4496	{F23C06BD-D847-43d7-BC52-05CC20E32CBA}.exe
2500	{D829D0BD-07FD-4e7e-93F3-7E8EF6AB3B95}.exe
1988	{8F5E0E90-B21F-4c3d-A2E7-926D31166C6C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe	{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe
File created	C:\Windows\{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe	{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe
File created	C:\Windows\{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe	{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe
File created	C:\Windows\{D829D0BD-07FD-4e7e-93F3-7E8EF6AB3B95}.exe	{F23C06BD-D847-43d7-BC52-05CC20E32CBA}.exe
File created	C:\Windows\{8F5E0E90-B21F-4c3d-A2E7-926D31166C6C}.exe	{D829D0BD-07FD-4e7e-93F3-7E8EF6AB3B95}.exe
File created	C:\Windows\{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe
File created	C:\Windows\{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe	{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe
File created	C:\Windows\{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe	{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe
File created	C:\Windows\{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe	{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe
File created	C:\Windows\{E53531B9-9D00-488f-A782-3F97A3281982}.exe	{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe
File created	C:\Windows\{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe	{E53531B9-9D00-488f-A782-3F97A3281982}.exe
File created	C:\Windows\{F23C06BD-D847-43d7-BC52-05CC20E32CBA}.exe	{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3548	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2924	{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe
Token: SeIncBasePriorityPrivilege	984	{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe
Token: SeIncBasePriorityPrivilege	1512	{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe
Token: SeIncBasePriorityPrivilege	1488	{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe
Token: SeIncBasePriorityPrivilege	3260	{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe
Token: SeIncBasePriorityPrivilege	3916	{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe
Token: SeIncBasePriorityPrivilege	4368	{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe
Token: SeIncBasePriorityPrivilege	3484	{E53531B9-9D00-488f-A782-3F97A3281982}.exe
Token: SeIncBasePriorityPrivilege	2596	{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe
Token: SeIncBasePriorityPrivilege	4496	{F23C06BD-D847-43d7-BC52-05CC20E32CBA}.exe
Token: SeIncBasePriorityPrivilege	2500	{D829D0BD-07FD-4e7e-93F3-7E8EF6AB3B95}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 2924	3548	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe	94
PID 3548 wrote to memory of 2924	3548	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe	94
PID 3548 wrote to memory of 2924	3548	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe	94
PID 3548 wrote to memory of 4924	3548	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe	95
PID 3548 wrote to memory of 4924	3548	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe	95
PID 3548 wrote to memory of 4924	3548	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe	95
PID 2924 wrote to memory of 984	2924	{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe	96
PID 2924 wrote to memory of 984	2924	{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe	96
PID 2924 wrote to memory of 984	2924	{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe	96
PID 2924 wrote to memory of 2064	2924	{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe	97
PID 2924 wrote to memory of 2064	2924	{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe	97
PID 2924 wrote to memory of 2064	2924	{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe	97
PID 984 wrote to memory of 1512	984	{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe	100
PID 984 wrote to memory of 1512	984	{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe	100
PID 984 wrote to memory of 1512	984	{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe	100
PID 984 wrote to memory of 4780	984	{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe	101
PID 984 wrote to memory of 4780	984	{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe	101
PID 984 wrote to memory of 4780	984	{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe	101
PID 1512 wrote to memory of 1488	1512	{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe	103
PID 1512 wrote to memory of 1488	1512	{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe	103
PID 1512 wrote to memory of 1488	1512	{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe	103
PID 1512 wrote to memory of 3476	1512	{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe	104
PID 1512 wrote to memory of 3476	1512	{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe	104
PID 1512 wrote to memory of 3476	1512	{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe	104
PID 1488 wrote to memory of 3260	1488	{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe	105
PID 1488 wrote to memory of 3260	1488	{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe	105
PID 1488 wrote to memory of 3260	1488	{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe	105
PID 1488 wrote to memory of 4124	1488	{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe	106
PID 1488 wrote to memory of 4124	1488	{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe	106
PID 1488 wrote to memory of 4124	1488	{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe	106
PID 3260 wrote to memory of 3916	3260	{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe	107
PID 3260 wrote to memory of 3916	3260	{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe	107
PID 3260 wrote to memory of 3916	3260	{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe	107
PID 3260 wrote to memory of 1828	3260	{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe	108
PID 3260 wrote to memory of 1828	3260	{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe	108
PID 3260 wrote to memory of 1828	3260	{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe	108
PID 3916 wrote to memory of 4368	3916	{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe	109
PID 3916 wrote to memory of 4368	3916	{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe	109
PID 3916 wrote to memory of 4368	3916	{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe	109
PID 3916 wrote to memory of 4392	3916	{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe	110
PID 3916 wrote to memory of 4392	3916	{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe	110
PID 3916 wrote to memory of 4392	3916	{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe	110
PID 4368 wrote to memory of 3484	4368	{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe	111
PID 4368 wrote to memory of 3484	4368	{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe	111
PID 4368 wrote to memory of 3484	4368	{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe	111
PID 4368 wrote to memory of 2636	4368	{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe	112
PID 4368 wrote to memory of 2636	4368	{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe	112
PID 4368 wrote to memory of 2636	4368	{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe	112
PID 3484 wrote to memory of 2596	3484	{E53531B9-9D00-488f-A782-3F97A3281982}.exe	113
PID 3484 wrote to memory of 2596	3484	{E53531B9-9D00-488f-A782-3F97A3281982}.exe	113
PID 3484 wrote to memory of 2596	3484	{E53531B9-9D00-488f-A782-3F97A3281982}.exe	113
PID 3484 wrote to memory of 1912	3484	{E53531B9-9D00-488f-A782-3F97A3281982}.exe	114
PID 3484 wrote to memory of 1912	3484	{E53531B9-9D00-488f-A782-3F97A3281982}.exe	114
PID 3484 wrote to memory of 1912	3484	{E53531B9-9D00-488f-A782-3F97A3281982}.exe	114
PID 2596 wrote to memory of 4496	2596	{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe	115
PID 2596 wrote to memory of 4496	2596	{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe	115
PID 2596 wrote to memory of 4496	2596	{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe	115
PID 2596 wrote to memory of 3172	2596	{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe	116
PID 2596 wrote to memory of 3172	2596	{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe	116
PID 2596 wrote to memory of 3172	2596	{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe	116
PID 4496 wrote to memory of 2500	4496	{F23C06BD-D847-43d7-BC52-05CC20E32CBA}.exe	117
PID 4496 wrote to memory of 2500	4496	{F23C06BD-D847-43d7-BC52-05CC20E32CBA}.exe	117
PID 4496 wrote to memory of 2500	4496	{F23C06BD-D847-43d7-BC52-05CC20E32CBA}.exe	117
PID 4496 wrote to memory of 4348	4496	{F23C06BD-D847-43d7-BC52-05CC20E32CBA}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Windows\{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe
  C:\Windows\{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe
    C:\Windows\{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Windows\{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe
      C:\Windows\{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe
        
        C:\Windows\{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Windows\{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe
        
        C:\Windows\{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe
        
        C:\Windows\{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe
        
        C:\Windows\{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\{E53531B9-9D00-488f-A782-3F97A3281982}.exe
        
        C:\Windows\{E53531B9-9D00-488f-A782-3F97A3281982}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe
        
        C:\Windows\{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\{F23C06BD-D847-43d7-BC52-05CC20E32CBA}.exe
        
        C:\Windows\{F23C06BD-D847-43d7-BC52-05CC20E32CBA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\{D829D0BD-07FD-4e7e-93F3-7E8EF6AB3B95}.exe
        
        C:\Windows\{D829D0BD-07FD-4e7e-93F3-7E8EF6AB3B95}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\{8F5E0E90-B21F-4c3d-A2E7-926D31166C6C}.exe
        
        C:\Windows\{8F5E0E90-B21F-4c3d-A2E7-926D31166C6C}.exe
        13⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D829D~1.EXE > nul
        13⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F23C0~1.EXE > nul
        12⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E073~1.EXE > nul
        11⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5353~1.EXE > nul
        10⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB07E~1.EXE > nul
        9⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18F57~1.EXE > nul
        8⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD110~1.EXE > nul
        7⤵
        
        PID:1828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{895D9~1.EXE > nul
        6⤵
        
        PID:4124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28A7A~1.EXE > nul
        5⤵
        
        PID:3476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7E06D~1.EXE > nul
      4⤵
      PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4373B~1.EXE > nul
    3⤵
    PID:2064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18F57BF3-4B64-46a6-8CF2-F5C42B42A415}.exe

Filesize
168KB

MD5
cdd855573ce957a227f16c3678964002

SHA1
172972fe7ea5e49f165620078851637d870dc5bf

SHA256
dfe76f617bc9466e89759aab5d1ff4c2be40a3bc5659a8089a712ede6e04c05d

SHA512
b0453579ff8c35bd4010953ba5bcb67fb43d64bb91b3e18688aa6eb043743d1e84c9d7c37d755f3f772858d76aabb5dbff90ba96ac44c854ac75e85cfe9cd999

Download Submit
C:\Windows\{28A7A033-1CE4-4f6c-A681-A3DC4D2C865B}.exe

Filesize
168KB

MD5
923bab3eee8d1f7510e575aab4aa6f0e

SHA1
12997a506a3b1593f8c6287c434cac788afe527a

SHA256
54fbab52ce8048aaa51dc4ee9ca2cd6babaa9ebb74c7815ec8c1b06c6181d345

SHA512
2b9de8bfd7bf1010df041f82b0bbd1f72c8e4a256c1f6cb6babbec495b8ddc26d72e515ae964eb576537c3dac66e40e25d00c5237438e71eb17aa6dbcacf8be8

Download Submit
C:\Windows\{4373B05D-04DD-4959-882E-14D19F1FCD3A}.exe

Filesize
168KB

MD5
23955c3f55ae2cd8315def2cdb14c0d5

SHA1
d5c91e7fd6e80bde1717ec398226770a05e9568a

SHA256
ead3e555abf01669d759414017271db51e6edaa8a6c29b9eec497813c2ec67a7

SHA512
cb16ad932834af991a069565f94073d10328da306d0c03278460f2e9b0d1636d949ed65884b0fb319bd82d08b5bbc9b51a8f5214b6243e2eb290f6f1d5eaa74a

Download Submit
C:\Windows\{6E073BFC-7E2F-4b4a-B918-E6360620C9CE}.exe

Filesize
168KB

MD5
27e2b188dd52955617d3c2d051840cbc

SHA1
17c570e109b5ed0913b9844c8d861fe2b1af8a45

SHA256
f41232b4f7af158163c4429d83d5fe45f4a8d5ba37ce56226e0051cacf21398f

SHA512
630c30db8c23120d8e91cc312513289b21bca354c3583d7997f93e0cb71a5b118b76fd55b9b774e110b80ef70195cc6537ea29987348be5da04f606c38da4255

Download Submit
C:\Windows\{7E06D6DE-F190-41fa-9B2F-4D1B8E71220E}.exe

Filesize
168KB

MD5
f80480fc7b46afa95cc733799465cc67

SHA1
777d7d12a3b2e3aa3a3e9e0c999fcf7594861fd6

SHA256
5c3acce191478679d27ae569b589464fa6679e0790c6f05a40c99b37465fb961

SHA512
fd46f6368f2f9abb230bf07a853d294dba894e39424fd18cf957e880e206b39c3105ac5fe3da9a39b4738946688a0b8ab9966f6cef23648de2d107341277e285

Download Submit
C:\Windows\{895D958B-08DF-41b8-9C9E-214B5AD8BEE5}.exe

Filesize
168KB

MD5
5d0720f67b9edda62d4acbb3c33605db

SHA1
612b30118dc47f5956dbaec50ec517b0da15566c

SHA256
96e0b3327f7d5e061d9dbf722cbe77e019a622de7b94967595c6c4e7d1699bcd

SHA512
c83a464b45e815990c575becda915ee7afa958e3f194afd08a39475f77558d6a8557a2950312830eb39679430019d967618bc694fe3f3a8e9c5c3e43472d5944

Download Submit
C:\Windows\{8F5E0E90-B21F-4c3d-A2E7-926D31166C6C}.exe

Filesize
168KB

MD5
cca22e5a544bd5ee5a01adab3c45740f

SHA1
b451b64b896567c769856d22ce671218389158b7

SHA256
fe167c5b841f57234b167436dae52dc859c76120e60a2155cc5fbc872ec1d03d

SHA512
4edb8e0ca29514dc892b157aa64497e7a916f5af43c936bd7299bf48a178868c1d3b902e36b93402529ee41a41e89d4454deec725d70db6342e714757c340cbb

Download Submit
C:\Windows\{BD110247-2E2B-4be5-8D7B-20752D974EE5}.exe

Filesize
168KB

MD5
127b0e6a7fce30893531b1c0f73f0ccf

SHA1
702aa0a0211e828a25a9f3b4f0fa32ac89164559

SHA256
3b96773f63f9430f129fadc14ed6e1fff81c6755d78933fe52e9b8ad799f0b61

SHA512
4b38fa8a762dc9e9e62805b816072a6a77097e0c15f7dca1164b32bebff26ab3fb00143935de2e81e77955385ec44e234dc3cdd0134a80654f0657c8f333f87d

Download Submit
C:\Windows\{D829D0BD-07FD-4e7e-93F3-7E8EF6AB3B95}.exe

Filesize
168KB

MD5
0a2877bf938c35776def4ad90de9918f

SHA1
1c01b6c9a277304af18124b95d192a5ea8530284

SHA256
0102f41f0d775379dadb15000ffe202fb21544368e0d20f10a2c42a649b9f45b

SHA512
193172e1afd7c634414bdcbae45735907ed3c85f726fdd375292ed1079eb1fd92d64603db56932174d9e9e18a4f34de1cd5460846aedc28226240cd4d084cdc5

Download Submit
C:\Windows\{E53531B9-9D00-488f-A782-3F97A3281982}.exe

Filesize
168KB

MD5
9fd2faa6316485e66035dd1cabce5e81

SHA1
ec84e71b4058b13c7e64d2abb9080d9b00f43d49

SHA256
b24c1cd0f7c2923541a369a86f5445c6c44c7bc29bc626578e4654162fac5fd5

SHA512
46a1b3e49b2838cc73a1d3ce980650a61558f13ba016b761f0ce7790d92ed3efa00dba67b2713748617e78eec2783fe82548ead1395f600c971b52213ea148c3

Download Submit
C:\Windows\{EB07E803-0606-4ed9-AF37-C7AFF279AFC0}.exe

Filesize
168KB

MD5
216afe88c4a3b6fac86c8931c7686dcb

SHA1
b48f0887aad35fddaa8c68fc648780f51c6ea81b

SHA256
1eddaea88d00f0e598e22a6fdf078cb25752ae63dff23269a54ac728cb1f031b

SHA512
579f04166de48823e6c12f34ac0c03e8601822b028f0f47f938abf44231bd7578408ef596a49fadb5eca23aa0c368e2f2f446e4a40f582d3778fc866a1b13704

Download Submit
C:\Windows\{F23C06BD-D847-43d7-BC52-05CC20E32CBA}.exe

Filesize
168KB

MD5
5ce547aeedab3f336706260550227ed0

SHA1
b22809633b79f79a79b84a1d118dbb120c444f6b

SHA256
c834146f31a46bfa54d52893c58b61c59ab2dc3fd657bb9fb7e56cb165004931

SHA512
8dae9ffce2d31500efb9aefbbc7ef83c61cad906534fc5283c15fc8185dba7e6411814b734e5dcf1b4b7b67ad549360855e8837ccefbea27cdc96bf9054522e2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads