01b0953a3d74e4cf8d5358e1c39fab23c5d8f3b112b877475204da3583032c75

Analysis

max time kernel
149s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_5babb5c0e8b72556b760ef6a09ebc9b7_goldeneye.exe
Size

204KB
MD5

5babb5c0e8b72556b760ef6a09ebc9b7
SHA1

0e7a7f38f834b69df7ccd0cd1f47e31211a8b670
SHA256

01b0953a3d74e4cf8d5358e1c39fab23c5d8f3b112b877475204da3583032c75
SHA512

c1eb9b4f70584fe2f95059683f1b054f33a9a3498fa5ef2221a2f08578f9dfdbfc3940c6c6797b7f968fd45c792430306f7c5014400b723d2c73ff238fc9274b
SSDEEP

1536:1EGh0onLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oLl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023422-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023423-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002342b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023423-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000232b9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023423-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000232b9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023423-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000232b9-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023423-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000232b9-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023423-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}	{0C563282-8AEA-4eb9-92E2-529F79037691}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F90ACA87-4E1D-4404-94AC-A771580B1F53}\stubpath = "C:\\Windows\\{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe"	{95DED560-6B81-455e-B05E-6F405E017092}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F779122-B1D7-4377-B445-A942C81F603C}	{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE40BC17-F4AE-49fc-AA52-E9781D9FBCF0}	{8F779122-B1D7-4377-B445-A942C81F603C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE40BC17-F4AE-49fc-AA52-E9781D9FBCF0}\stubpath = "C:\\Windows\\{AE40BC17-F4AE-49fc-AA52-E9781D9FBCF0}.exe"	{8F779122-B1D7-4377-B445-A942C81F603C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2091848B-C717-42a6-860B-897C78BF5580}	2024-04-19_5babb5c0e8b72556b760ef6a09ebc9b7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2091848B-C717-42a6-860B-897C78BF5580}\stubpath = "C:\\Windows\\{2091848B-C717-42a6-860B-897C78BF5580}.exe"	2024-04-19_5babb5c0e8b72556b760ef6a09ebc9b7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C563282-8AEA-4eb9-92E2-529F79037691}\stubpath = "C:\\Windows\\{0C563282-8AEA-4eb9-92E2-529F79037691}.exe"	{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{288FB68B-32F9-4b0b-AF87-7AF5440148F4}	{AE40BC17-F4AE-49fc-AA52-E9781D9FBCF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95DED560-6B81-455e-B05E-6F405E017092}\stubpath = "C:\\Windows\\{95DED560-6B81-455e-B05E-6F405E017092}.exe"	{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F779122-B1D7-4377-B445-A942C81F603C}\stubpath = "C:\\Windows\\{8F779122-B1D7-4377-B445-A942C81F603C}.exe"	{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{288FB68B-32F9-4b0b-AF87-7AF5440148F4}\stubpath = "C:\\Windows\\{288FB68B-32F9-4b0b-AF87-7AF5440148F4}.exe"	{AE40BC17-F4AE-49fc-AA52-E9781D9FBCF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}	{2091848B-C717-42a6-860B-897C78BF5580}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{313A463B-07D6-4c99-8E73-DD44E3A67B2E}\stubpath = "C:\\Windows\\{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe"	{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}\stubpath = "C:\\Windows\\{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe"	{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95DED560-6B81-455e-B05E-6F405E017092}	{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}\stubpath = "C:\\Windows\\{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe"	{2091848B-C717-42a6-860B-897C78BF5580}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C563282-8AEA-4eb9-92E2-529F79037691}	{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{313A463B-07D6-4c99-8E73-DD44E3A67B2E}	{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}	{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F90ACA87-4E1D-4404-94AC-A771580B1F53}	{95DED560-6B81-455e-B05E-6F405E017092}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}\stubpath = "C:\\Windows\\{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe"	{0C563282-8AEA-4eb9-92E2-529F79037691}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}	{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}\stubpath = "C:\\Windows\\{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe"	{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe

Executes dropped EXE 12 IoCs

pid	Process
4140	{2091848B-C717-42a6-860B-897C78BF5580}.exe
936	{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe
2804	{0C563282-8AEA-4eb9-92E2-529F79037691}.exe
3304	{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe
3552	{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe
4036	{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe
1328	{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe
2772	{95DED560-6B81-455e-B05E-6F405E017092}.exe
4652	{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe
4436	{8F779122-B1D7-4377-B445-A942C81F603C}.exe
4628	{AE40BC17-F4AE-49fc-AA52-E9781D9FBCF0}.exe
4208	{288FB68B-32F9-4b0b-AF87-7AF5440148F4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0C563282-8AEA-4eb9-92E2-529F79037691}.exe	{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe
File created	C:\Windows\{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe	{0C563282-8AEA-4eb9-92E2-529F79037691}.exe
File created	C:\Windows\{95DED560-6B81-455e-B05E-6F405E017092}.exe	{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe
File created	C:\Windows\{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe	{95DED560-6B81-455e-B05E-6F405E017092}.exe
File created	C:\Windows\{8F779122-B1D7-4377-B445-A942C81F603C}.exe	{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe
File created	C:\Windows\{AE40BC17-F4AE-49fc-AA52-E9781D9FBCF0}.exe	{8F779122-B1D7-4377-B445-A942C81F603C}.exe
File created	C:\Windows\{288FB68B-32F9-4b0b-AF87-7AF5440148F4}.exe	{AE40BC17-F4AE-49fc-AA52-E9781D9FBCF0}.exe
File created	C:\Windows\{2091848B-C717-42a6-860B-897C78BF5580}.exe	2024-04-19_5babb5c0e8b72556b760ef6a09ebc9b7_goldeneye.exe
File created	C:\Windows\{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe	{2091848B-C717-42a6-860B-897C78BF5580}.exe
File created	C:\Windows\{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe	{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe
File created	C:\Windows\{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe	{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe
File created	C:\Windows\{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe	{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1964	2024-04-19_5babb5c0e8b72556b760ef6a09ebc9b7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4140	{2091848B-C717-42a6-860B-897C78BF5580}.exe
Token: SeIncBasePriorityPrivilege	936	{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe
Token: SeIncBasePriorityPrivilege	2804	{0C563282-8AEA-4eb9-92E2-529F79037691}.exe
Token: SeIncBasePriorityPrivilege	3304	{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe
Token: SeIncBasePriorityPrivilege	3552	{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe
Token: SeIncBasePriorityPrivilege	4036	{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe
Token: SeIncBasePriorityPrivilege	1328	{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe
Token: SeIncBasePriorityPrivilege	2772	{95DED560-6B81-455e-B05E-6F405E017092}.exe
Token: SeIncBasePriorityPrivilege	4652	{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe
Token: SeIncBasePriorityPrivilege	4436	{8F779122-B1D7-4377-B445-A942C81F603C}.exe
Token: SeIncBasePriorityPrivilege	4628	{AE40BC17-F4AE-49fc-AA52-E9781D9FBCF0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 4140	1964	2024-04-19_5babb5c0e8b72556b760ef6a09ebc9b7_goldeneye.exe	91
PID 1964 wrote to memory of 4140	1964	2024-04-19_5babb5c0e8b72556b760ef6a09ebc9b7_goldeneye.exe	91
PID 1964 wrote to memory of 4140	1964	2024-04-19_5babb5c0e8b72556b760ef6a09ebc9b7_goldeneye.exe	91
PID 1964 wrote to memory of 4628	1964	2024-04-19_5babb5c0e8b72556b760ef6a09ebc9b7_goldeneye.exe	92
PID 1964 wrote to memory of 4628	1964	2024-04-19_5babb5c0e8b72556b760ef6a09ebc9b7_goldeneye.exe	92
PID 1964 wrote to memory of 4628	1964	2024-04-19_5babb5c0e8b72556b760ef6a09ebc9b7_goldeneye.exe	92
PID 4140 wrote to memory of 936	4140	{2091848B-C717-42a6-860B-897C78BF5580}.exe	93
PID 4140 wrote to memory of 936	4140	{2091848B-C717-42a6-860B-897C78BF5580}.exe	93
PID 4140 wrote to memory of 936	4140	{2091848B-C717-42a6-860B-897C78BF5580}.exe	93
PID 4140 wrote to memory of 5028	4140	{2091848B-C717-42a6-860B-897C78BF5580}.exe	94
PID 4140 wrote to memory of 5028	4140	{2091848B-C717-42a6-860B-897C78BF5580}.exe	94
PID 4140 wrote to memory of 5028	4140	{2091848B-C717-42a6-860B-897C78BF5580}.exe	94
PID 936 wrote to memory of 2804	936	{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe	98
PID 936 wrote to memory of 2804	936	{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe	98
PID 936 wrote to memory of 2804	936	{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe	98
PID 936 wrote to memory of 4848	936	{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe	99
PID 936 wrote to memory of 4848	936	{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe	99
PID 936 wrote to memory of 4848	936	{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe	99
PID 2804 wrote to memory of 3304	2804	{0C563282-8AEA-4eb9-92E2-529F79037691}.exe	100
PID 2804 wrote to memory of 3304	2804	{0C563282-8AEA-4eb9-92E2-529F79037691}.exe	100
PID 2804 wrote to memory of 3304	2804	{0C563282-8AEA-4eb9-92E2-529F79037691}.exe	100
PID 2804 wrote to memory of 2040	2804	{0C563282-8AEA-4eb9-92E2-529F79037691}.exe	101
PID 2804 wrote to memory of 2040	2804	{0C563282-8AEA-4eb9-92E2-529F79037691}.exe	101
PID 2804 wrote to memory of 2040	2804	{0C563282-8AEA-4eb9-92E2-529F79037691}.exe	101
PID 3304 wrote to memory of 3552	3304	{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe	102
PID 3304 wrote to memory of 3552	3304	{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe	102
PID 3304 wrote to memory of 3552	3304	{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe	102
PID 3304 wrote to memory of 2676	3304	{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe	103
PID 3304 wrote to memory of 2676	3304	{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe	103
PID 3304 wrote to memory of 2676	3304	{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe	103
PID 3552 wrote to memory of 4036	3552	{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe	104
PID 3552 wrote to memory of 4036	3552	{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe	104
PID 3552 wrote to memory of 4036	3552	{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe	104
PID 3552 wrote to memory of 2540	3552	{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe	105
PID 3552 wrote to memory of 2540	3552	{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe	105
PID 3552 wrote to memory of 2540	3552	{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe	105
PID 4036 wrote to memory of 1328	4036	{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe	106
PID 4036 wrote to memory of 1328	4036	{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe	106
PID 4036 wrote to memory of 1328	4036	{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe	106
PID 4036 wrote to memory of 1916	4036	{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe	107
PID 4036 wrote to memory of 1916	4036	{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe	107
PID 4036 wrote to memory of 1916	4036	{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe	107
PID 1328 wrote to memory of 2772	1328	{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe	108
PID 1328 wrote to memory of 2772	1328	{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe	108
PID 1328 wrote to memory of 2772	1328	{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe	108
PID 1328 wrote to memory of 2564	1328	{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe	109
PID 1328 wrote to memory of 2564	1328	{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe	109
PID 1328 wrote to memory of 2564	1328	{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe	109
PID 2772 wrote to memory of 4652	2772	{95DED560-6B81-455e-B05E-6F405E017092}.exe	110
PID 2772 wrote to memory of 4652	2772	{95DED560-6B81-455e-B05E-6F405E017092}.exe	110
PID 2772 wrote to memory of 4652	2772	{95DED560-6B81-455e-B05E-6F405E017092}.exe	110
PID 2772 wrote to memory of 5040	2772	{95DED560-6B81-455e-B05E-6F405E017092}.exe	111
PID 2772 wrote to memory of 5040	2772	{95DED560-6B81-455e-B05E-6F405E017092}.exe	111
PID 2772 wrote to memory of 5040	2772	{95DED560-6B81-455e-B05E-6F405E017092}.exe	111
PID 4652 wrote to memory of 4436	4652	{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe	112
PID 4652 wrote to memory of 4436	4652	{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe	112
PID 4652 wrote to memory of 4436	4652	{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe	112
PID 4652 wrote to memory of 3248	4652	{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe	113
PID 4652 wrote to memory of 3248	4652	{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe	113
PID 4652 wrote to memory of 3248	4652	{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe	113
PID 4436 wrote to memory of 4628	4436	{8F779122-B1D7-4377-B445-A942C81F603C}.exe	114
PID 4436 wrote to memory of 4628	4436	{8F779122-B1D7-4377-B445-A942C81F603C}.exe	114
PID 4436 wrote to memory of 4628	4436	{8F779122-B1D7-4377-B445-A942C81F603C}.exe	114
PID 4436 wrote to memory of 1604	4436	{8F779122-B1D7-4377-B445-A942C81F603C}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-04-19_5babb5c0e8b72556b760ef6a09ebc9b7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_5babb5c0e8b72556b760ef6a09ebc9b7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\{2091848B-C717-42a6-860B-897C78BF5580}.exe
  C:\Windows\{2091848B-C717-42a6-860B-897C78BF5580}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe
    C:\Windows\{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\{0C563282-8AEA-4eb9-92E2-529F79037691}.exe
      C:\Windows\{0C563282-8AEA-4eb9-92E2-529F79037691}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe
        
        C:\Windows\{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3304
      - C:\Windows\{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe
        
        C:\Windows\{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe
        
        C:\Windows\{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe
        
        C:\Windows\{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\{95DED560-6B81-455e-B05E-6F405E017092}.exe
        
        C:\Windows\{95DED560-6B81-455e-B05E-6F405E017092}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe
        
        C:\Windows\{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\{8F779122-B1D7-4377-B445-A942C81F603C}.exe
        
        C:\Windows\{8F779122-B1D7-4377-B445-A942C81F603C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{AE40BC17-F4AE-49fc-AA52-E9781D9FBCF0}.exe
        
        C:\Windows\{AE40BC17-F4AE-49fc-AA52-E9781D9FBCF0}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
        
        C:\Windows\{288FB68B-32F9-4b0b-AF87-7AF5440148F4}.exe
        
        C:\Windows\{288FB68B-32F9-4b0b-AF87-7AF5440148F4}.exe
        13⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE40B~1.EXE > nul
        13⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F779~1.EXE > nul
        12⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F90AC~1.EXE > nul
        11⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95DED~1.EXE > nul
        10⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F9DB~1.EXE > nul
        9⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{313A4~1.EXE > nul
        8⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{605DD~1.EXE > nul
        7⤵
        
        PID:2540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB492~1.EXE > nul
        6⤵
        
        PID:2676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C563~1.EXE > nul
        5⤵
        
        PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7554E~1.EXE > nul
      4⤵
      PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{20918~1.EXE > nul
    3⤵
    PID:5028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C563282-8AEA-4eb9-92E2-529F79037691}.exe

Filesize
204KB

MD5
dc437c9bf58d2ed61b5aea915310f12b

SHA1
55c17b17da0650be9a75186ee4701faf60864368

SHA256
8fa650d1054169d412ea9f265add9f48ef7168e946f6e1e8a6cfd84c7e8e5ba6

SHA512
b582ffaa96e3836819b96a493a9dea1604ad6fa90ec633d8e566389b4ae893871f6022299dc18707589b69db52d3d23499c0cd7ab4a2eaf75b7fb10f2c2e9805

Download Submit
C:\Windows\{1F9DBDD8-C5DB-4b7f-8CCD-6153F87B0DA2}.exe

Filesize
204KB

MD5
fcd50bbfe75ea0d9bcc74fc8f4bfc4f7

SHA1
815c4b0ea079b2df4e835c95539bd950209a4cb3

SHA256
3341180fe57563080c87b3168f8b1e50b83463543543a638b92bc5ad731871e5

SHA512
389fbd9c9bb86ab3719ae17b3deac141eeb149c49a2a6d8d981446e6518b41f4832c7a865a847615f3affc7c74a1193008fa4611a06588681e83798d69af239c

Download Submit
C:\Windows\{2091848B-C717-42a6-860B-897C78BF5580}.exe

Filesize
204KB

MD5
cb5bd2e8280fced044dffd4600ba8bf0

SHA1
bc10f4e33c64ffaf6dca29375de199ea38a8c1a1

SHA256
71b520ea2e3cc724baa711d17a1c3682b2148722d4e92142d0352744560410ee

SHA512
5bf00361024e2858e36f9f8ab157f24a76c6e8769e747d2162cd68f3b402245a678b1af2b661309faf052442595b4d8a789a704c1fb0c3c47d4b0169ba0fbe21

Download Submit
C:\Windows\{288FB68B-32F9-4b0b-AF87-7AF5440148F4}.exe

Filesize
204KB

MD5
68ac9ac2237dc66744ca749e26c16e31

SHA1
098b0886909fae6b726456fa1b22d1043d0ffe26

SHA256
a2db3b6ff953dc6fa2703559ae457d3946931c0ec15d89ae39e18f118f26311c

SHA512
9910a2024d3d9920e1279482d4ac272a7a1bb5af1cd07dbc0d86c30b42bd65cd42f73b6e9815bcde1c4c610ddcc2edd8369f4de3e1a21ee9e786792b83bf6452

Download Submit
C:\Windows\{313A463B-07D6-4c99-8E73-DD44E3A67B2E}.exe

Filesize
204KB

MD5
af76a97460f06f11dcd739f403ae635b

SHA1
61f6fd5d21ff0ad2b5588d9f16f2e4c5b312e5bc

SHA256
03e56fa3f05aca0ced42e62233656792ab668b4fd65fdd113106a4165e2229b1

SHA512
f50c2bbcfc8f1e8e03bbf426777eda9fed103489b2b089b817b935305de257a91e7e6f99604fc9c84df249946a278163f341be87cab2c6806352629d80106e8d

Download Submit
C:\Windows\{605DDF0B-C2E2-4e12-8A3D-D0F4A21F236B}.exe

Filesize
204KB

MD5
44521dd20b08a4fd0a4a0afdbfe3aa98

SHA1
8431301b02453e7ce0490787a2fa09fbc9c73c21

SHA256
52dd75382de18aba20ac0bca09aa5667046c63a071dbb36a8deb7b6cedf962b8

SHA512
64c0ce2e5c13b181c63e240d28e0fc334f268f0c182bdaa68c77a77fe8a014f725461e27445a0755d4ca4e4f2bb6c7f3df8da03dee6c42a99a22f55878c354e3

Download Submit
C:\Windows\{7554E774-DB37-4ed6-90B7-72D1ACCE74DD}.exe

Filesize
204KB

MD5
4a6c7b8d12e13ac97b16ba131aa654e5

SHA1
0983835af98eece7fdfc2036b6cd0b2b648102c2

SHA256
bf1df30f94a4be182b00705a07bbde4163304ee6837720c77642cf17bb8ed5be

SHA512
f668c83817ff80268a43568fd3aad398157580fcb45f8818bfa22315c14c2ddb938e3c344d23cb6bce9fd3577707dcf05e43238e0f8a2317815f1c73048aa349

Download Submit
C:\Windows\{8F779122-B1D7-4377-B445-A942C81F603C}.exe

Filesize
204KB

MD5
0808a33099558f995f2ca2aefe86e603

SHA1
b2739e58cf51c6fccee8cd1cba9dd3fc1547247f

SHA256
1c8b84d2725947b7fdfae23ca5eab9b625152443a322f7f0b1c911b0cf1f03f4

SHA512
4ae03ce853eff05fcb9687d1b74f3b4f36dd98d7d95749aad3738eb0aea1f0a1727e7a6cfae4ffa52e718442a93b4230aca031ed9f8ec8d830cccda4f4e2927b

Download Submit
C:\Windows\{95DED560-6B81-455e-B05E-6F405E017092}.exe

Filesize
204KB

MD5
fae46db14b44f7a2e1d9aa42810e5a50

SHA1
8b0eab8f50ec1d451d8c0ac35b79ee01cddad039

SHA256
226bd16f814c10efacdaf535396c5e1dbf630e30dda6649a28185616044a03f9

SHA512
2a814de78841746c184acd8ccd6fd97463fe90d88a0bda01b18efc30137b60f30f15014a4302ec4d81a047b5259b26c4d419253e49db93cd2019cb858cc98af8

Download Submit
C:\Windows\{AE40BC17-F4AE-49fc-AA52-E9781D9FBCF0}.exe

Filesize
204KB

MD5
ad94261da743f48112f923ec7ea07fc2

SHA1
818990420f310de2419111acb5ce26320bb53c5a

SHA256
87a638d8540e522d98585e9a0258f0d5854750b1976aedb5704003c6cb593bfb

SHA512
7a4bc18a421a554e17c2f0db6de443f6f6abeadadabb9b54887c9a8ecaa686ec356e5a5d5e3b0ce1eae16144dcaa19beed1a11de767860c06d14c28e4e1425df

Download Submit
C:\Windows\{CB4926FE-8CF8-42b2-A17E-4834CC2AD2A7}.exe

Filesize
204KB

MD5
3a3c364ec5aec39e257f8a9debf1db22

SHA1
f4682675161721790307f492f881aadafb01c671

SHA256
353bda788533cdb7087dafedf08442e9bcfa88cc0b1e00a35a17ef514f42d02c

SHA512
4f33e975b545a802dca881b9d39df6f6975c8b9865c92fcec72f5317af4783f5495f5dd904a4b90ead99973b5f2d7c03152f77e029974232c7305e5a67b8fc31

Download Submit
C:\Windows\{F90ACA87-4E1D-4404-94AC-A771580B1F53}.exe

Filesize
204KB

MD5
81d59a8957a88e6313a47cbf030a750f

SHA1
15584e6d93ea0bcab5ed4458f6fb99f25f2b196d

SHA256
c11792d64d194741c3f5f5c85d72ae48b1215c14794cc1f36bec652afca16703

SHA512
c8c6b47925a443804eb0524d302c7991f6f661716a171e94b52350779ba41b9b4e1f6c44594f1672d2d9081f6fc4c8dd717df4f096523c5b6e47ec1258345ff0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads