b9756f84ba65344d4a26af620ff7cd3a2c364c3ed2ac563400b9f401301cd5e5

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 20:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_0136c362c1bd6420207220d33531d867_goldeneye.exe
Size

408KB
MD5

0136c362c1bd6420207220d33531d867
SHA1

21099ca86e3117a47289f2d6c9e8b47cbbbcbef2
SHA256

b9756f84ba65344d4a26af620ff7cd3a2c364c3ed2ac563400b9f401301cd5e5
SHA512

cac003f966fbe905fb74dc11916a01dbfb01eb9fe536341676cba439a41841cf2a8dbed972ab1aac40aab4159f407d42314ba322fab5c716ec627c776deb96d7
SSDEEP

3072:CEGh0okl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGeldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023372-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023412-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002341c-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002342a-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000200000001e4db-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023376-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e4db-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023376-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023534-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023376-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001db28-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001db5c-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B14EF294-14F8-4d53-99B4-A6BB55EB3464}\stubpath = "C:\\Windows\\{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe"	{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71B0B083-4015-4494-A0CC-4F9F8C4D3075}	{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D126BB4F-98F5-489c-801E-991898EAF83D}\stubpath = "C:\\Windows\\{D126BB4F-98F5-489c-801E-991898EAF83D}.exe"	{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AC369FF-354F-4c84-9902-5DE3887DE312}\stubpath = "C:\\Windows\\{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe"	{D126BB4F-98F5-489c-801E-991898EAF83D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0793F7E-5643-4227-BF3B-7EA91D87349F}	{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}	{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}\stubpath = "C:\\Windows\\{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe"	{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF81028C-6F9D-4927-A384-F4C51956D129}	{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0793F7E-5643-4227-BF3B-7EA91D87349F}\stubpath = "C:\\Windows\\{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe"	{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71B0B083-4015-4494-A0CC-4F9F8C4D3075}\stubpath = "C:\\Windows\\{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe"	{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D126BB4F-98F5-489c-801E-991898EAF83D}	{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}\stubpath = "C:\\Windows\\{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe"	{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}	{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}	{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}\stubpath = "C:\\Windows\\{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}.exe"	{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF81028C-6F9D-4927-A384-F4C51956D129}\stubpath = "C:\\Windows\\{EF81028C-6F9D-4927-A384-F4C51956D129}.exe"	{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}	2024-04-19_0136c362c1bd6420207220d33531d867_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}\stubpath = "C:\\Windows\\{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe"	2024-04-19_0136c362c1bd6420207220d33531d867_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B14EF294-14F8-4d53-99B4-A6BB55EB3464}	{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AC369FF-354F-4c84-9902-5DE3887DE312}	{D126BB4F-98F5-489c-801E-991898EAF83D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}	{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}\stubpath = "C:\\Windows\\{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe"	{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14D32489-2497-45c6-9481-724A9424F99B}	{EF81028C-6F9D-4927-A384-F4C51956D129}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14D32489-2497-45c6-9481-724A9424F99B}\stubpath = "C:\\Windows\\{14D32489-2497-45c6-9481-724A9424F99B}.exe"	{EF81028C-6F9D-4927-A384-F4C51956D129}.exe

Executes dropped EXE 12 IoCs

pid	Process
1512	{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe
2236	{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe
616	{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe
2540	{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe
4324	{D126BB4F-98F5-489c-801E-991898EAF83D}.exe
4580	{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe
404	{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe
4732	{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe
1296	{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe
3280	{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}.exe
4412	{EF81028C-6F9D-4927-A384-F4C51956D129}.exe
2848	{14D32489-2497-45c6-9481-724A9424F99B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe	{D126BB4F-98F5-489c-801E-991898EAF83D}.exe
File created	C:\Windows\{14D32489-2497-45c6-9481-724A9424F99B}.exe	{EF81028C-6F9D-4927-A384-F4C51956D129}.exe
File created	C:\Windows\{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe	2024-04-19_0136c362c1bd6420207220d33531d867_goldeneye.exe
File created	C:\Windows\{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe	{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe
File created	C:\Windows\{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe	{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe
File created	C:\Windows\{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe	{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe
File created	C:\Windows\{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}.exe	{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe
File created	C:\Windows\{EF81028C-6F9D-4927-A384-F4C51956D129}.exe	{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}.exe
File created	C:\Windows\{D126BB4F-98F5-489c-801E-991898EAF83D}.exe	{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe
File created	C:\Windows\{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe	{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe
File created	C:\Windows\{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe	{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe
File created	C:\Windows\{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe	{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3168	2024-04-19_0136c362c1bd6420207220d33531d867_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1512	{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe
Token: SeIncBasePriorityPrivilege	2236	{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe
Token: SeIncBasePriorityPrivilege	616	{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe
Token: SeIncBasePriorityPrivilege	2540	{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe
Token: SeIncBasePriorityPrivilege	4324	{D126BB4F-98F5-489c-801E-991898EAF83D}.exe
Token: SeIncBasePriorityPrivilege	4580	{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe
Token: SeIncBasePriorityPrivilege	404	{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe
Token: SeIncBasePriorityPrivilege	4732	{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe
Token: SeIncBasePriorityPrivilege	1296	{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe
Token: SeIncBasePriorityPrivilege	3280	{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}.exe
Token: SeIncBasePriorityPrivilege	4412	{EF81028C-6F9D-4927-A384-F4C51956D129}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 1512	3168	2024-04-19_0136c362c1bd6420207220d33531d867_goldeneye.exe	94
PID 3168 wrote to memory of 1512	3168	2024-04-19_0136c362c1bd6420207220d33531d867_goldeneye.exe	94
PID 3168 wrote to memory of 1512	3168	2024-04-19_0136c362c1bd6420207220d33531d867_goldeneye.exe	94
PID 3168 wrote to memory of 2976	3168	2024-04-19_0136c362c1bd6420207220d33531d867_goldeneye.exe	95
PID 3168 wrote to memory of 2976	3168	2024-04-19_0136c362c1bd6420207220d33531d867_goldeneye.exe	95
PID 3168 wrote to memory of 2976	3168	2024-04-19_0136c362c1bd6420207220d33531d867_goldeneye.exe	95
PID 1512 wrote to memory of 2236	1512	{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe	101
PID 1512 wrote to memory of 2236	1512	{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe	101
PID 1512 wrote to memory of 2236	1512	{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe	101
PID 1512 wrote to memory of 3372	1512	{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe	102
PID 1512 wrote to memory of 3372	1512	{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe	102
PID 1512 wrote to memory of 3372	1512	{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe	102
PID 2236 wrote to memory of 616	2236	{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe	104
PID 2236 wrote to memory of 616	2236	{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe	104
PID 2236 wrote to memory of 616	2236	{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe	104
PID 2236 wrote to memory of 4728	2236	{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe	105
PID 2236 wrote to memory of 4728	2236	{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe	105
PID 2236 wrote to memory of 4728	2236	{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe	105
PID 616 wrote to memory of 2540	616	{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe	108
PID 616 wrote to memory of 2540	616	{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe	108
PID 616 wrote to memory of 2540	616	{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe	108
PID 616 wrote to memory of 2400	616	{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe	109
PID 616 wrote to memory of 2400	616	{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe	109
PID 616 wrote to memory of 2400	616	{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe	109
PID 2540 wrote to memory of 4324	2540	{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe	110
PID 2540 wrote to memory of 4324	2540	{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe	110
PID 2540 wrote to memory of 4324	2540	{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe	110
PID 2540 wrote to memory of 3080	2540	{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe	111
PID 2540 wrote to memory of 3080	2540	{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe	111
PID 2540 wrote to memory of 3080	2540	{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe	111
PID 4324 wrote to memory of 4580	4324	{D126BB4F-98F5-489c-801E-991898EAF83D}.exe	117
PID 4324 wrote to memory of 4580	4324	{D126BB4F-98F5-489c-801E-991898EAF83D}.exe	117
PID 4324 wrote to memory of 4580	4324	{D126BB4F-98F5-489c-801E-991898EAF83D}.exe	117
PID 4324 wrote to memory of 3396	4324	{D126BB4F-98F5-489c-801E-991898EAF83D}.exe	118
PID 4324 wrote to memory of 3396	4324	{D126BB4F-98F5-489c-801E-991898EAF83D}.exe	118
PID 4324 wrote to memory of 3396	4324	{D126BB4F-98F5-489c-801E-991898EAF83D}.exe	118
PID 4580 wrote to memory of 404	4580	{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe	119
PID 4580 wrote to memory of 404	4580	{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe	119
PID 4580 wrote to memory of 404	4580	{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe	119
PID 4580 wrote to memory of 1192	4580	{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe	120
PID 4580 wrote to memory of 1192	4580	{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe	120
PID 4580 wrote to memory of 1192	4580	{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe	120
PID 404 wrote to memory of 4732	404	{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe	121
PID 404 wrote to memory of 4732	404	{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe	121
PID 404 wrote to memory of 4732	404	{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe	121
PID 404 wrote to memory of 4592	404	{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe	122
PID 404 wrote to memory of 4592	404	{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe	122
PID 404 wrote to memory of 4592	404	{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe	122
PID 4732 wrote to memory of 1296	4732	{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe	127
PID 4732 wrote to memory of 1296	4732	{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe	127
PID 4732 wrote to memory of 1296	4732	{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe	127
PID 4732 wrote to memory of 4952	4732	{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe	128
PID 4732 wrote to memory of 4952	4732	{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe	128
PID 4732 wrote to memory of 4952	4732	{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe	128
PID 1296 wrote to memory of 3280	1296	{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe	129
PID 1296 wrote to memory of 3280	1296	{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe	129
PID 1296 wrote to memory of 3280	1296	{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe	129
PID 1296 wrote to memory of 4724	1296	{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe	130
PID 1296 wrote to memory of 4724	1296	{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe	130
PID 1296 wrote to memory of 4724	1296	{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe	130
PID 3280 wrote to memory of 4412	3280	{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}.exe	131
PID 3280 wrote to memory of 4412	3280	{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}.exe	131
PID 3280 wrote to memory of 4412	3280	{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}.exe	131
PID 3280 wrote to memory of 456	3280	{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}.exe	132

C:\Users\Admin\AppData\Local\Temp\2024-04-19_0136c362c1bd6420207220d33531d867_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_0136c362c1bd6420207220d33531d867_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe
  C:\Windows\{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe
    C:\Windows\{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe
      C:\Windows\{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:616
    - - C:\Windows\{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe
        
        C:\Windows\{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\{D126BB4F-98F5-489c-801E-991898EAF83D}.exe
        
        C:\Windows\{D126BB4F-98F5-489c-801E-991898EAF83D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe
        
        C:\Windows\{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe
        
        C:\Windows\{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe
        
        C:\Windows\{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe
        
        C:\Windows\{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}.exe
        
        C:\Windows\{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\{EF81028C-6F9D-4927-A384-F4C51956D129}.exe
        
        C:\Windows\{EF81028C-6F9D-4927-A384-F4C51956D129}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Windows\{14D32489-2497-45c6-9481-724A9424F99B}.exe
        
        C:\Windows\{14D32489-2497-45c6-9481-724A9424F99B}.exe
        13⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF810~1.EXE > nul
        13⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD7CE~1.EXE > nul
        12⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE9F4~1.EXE > nul
        11⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BB58~1.EXE > nul
        10⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AEA6~1.EXE > nul
        9⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AC36~1.EXE > nul
        8⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D126B~1.EXE > nul
        7⤵
        
        PID:3396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71B0B~1.EXE > nul
        6⤵
        
        PID:3080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0793~1.EXE > nul
        5⤵
        
        PID:2400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B14EF~1.EXE > nul
      4⤵
      PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B6B3A~1.EXE > nul
    3⤵
    PID:3372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BB5870A-E263-45bc-A8FC-EEE9A9D04896}.exe

Filesize
408KB

MD5
0c46b4ed5419f9d610cc16f2e3be9ae8

SHA1
15273dc2001c99a0a933bad0e6fe16ee27a829ce

SHA256
269e3decb0a9f7bfaf6b30afd8085f2cbf5ca0ed8768e666164d0c9189b9a5e4

SHA512
371516e147266135da60b490c92bdd39aaeda7015d5055ebf1e9797d0bf746b20b0f10e53b9f2b434de8aebde6872498fea19074daccb0d568d0d7083dc515cf

Download Submit
C:\Windows\{14D32489-2497-45c6-9481-724A9424F99B}.exe

Filesize
408KB

MD5
79879d41c49107bf4f8ec997a6a5d1db

SHA1
32e43c2d554c5d22b2f4c7ec1da15b2d68d18add

SHA256
32c6add8c7099d1679a006266b4ae33db929c5a955ae95cfbe2c2087a2dda395

SHA512
b4b178590ea5715c41762d26d2d578b14fb59a61ae2f2d4f4f843fbf8977f5c9da58c771a45898559805265a7d3ae7494f7689f10c368495aed10b181f7d0041

Download Submit
C:\Windows\{3AC369FF-354F-4c84-9902-5DE3887DE312}.exe

Filesize
408KB

MD5
69784c124429a2fea2805c6a4e0f5512

SHA1
c8b9a748e7e946604cbdd9ef13e52af41ae0ec2d

SHA256
c8b05e0b8724c70cefe3b2ec10f157c1321d2c69a61d4ee4ee931643f0cb4c9e

SHA512
a8f0918880695a7a63f6bf582ac0db4dcda616d014b7076b09beb58ce9c13cee5ca51cdda171a3fd327f7a1fb5170c06e8548e8ca66561d4e9c65c443e3deb93

Download Submit
C:\Windows\{5AEA6BD1-F6FC-4354-A0D2-E7933B3CDB5B}.exe

Filesize
408KB

MD5
0d8457e2328c30f8faaba994a4c43613

SHA1
e56e01432b5b94f86bb1e61dba1050767f04ba25

SHA256
17634c6ef82dfc2a930e2eaf62863d29f85ad4480ad80062825bfedf70283074

SHA512
cd2a126ddb3b717faf7941bce83b13b34d54f463e92c55a772c89ca43ddb2fd818fdc84e14a7ca7fb59c31972440298e3e86527a826fb110f67f22029d9ca4c0

Download Submit
C:\Windows\{71B0B083-4015-4494-A0CC-4F9F8C4D3075}.exe

Filesize
408KB

MD5
952a1333af1863fe3646865d14d5d8c6

SHA1
ae4c2f026225e4c94c59b26c891023da8aabf4b7

SHA256
88a278a08b49a0913ceb8be187a07f99595e8edccddba8f59d992e371fc72e86

SHA512
8be4eb3776c035cb5d418e4a3f11371f5c85da54011e887c5a76b41f94a0fb7814f5871f255af51bf25022d076fecbedd611b76687c8441e4978847267ccebfb

Download Submit
C:\Windows\{B14EF294-14F8-4d53-99B4-A6BB55EB3464}.exe

Filesize
408KB

MD5
4ea60bf22c71c34036e7c53cce0d4433

SHA1
530df9c1f7e8fbd7481cb23b118be29142eede62

SHA256
0eb683e34a2882e92e80de72862dea6a6421c72cd9da2e6c5a8e7d168aea4a56

SHA512
9720999e4b93ce2ef636f7ee1ce59de09e135dbdb49419fd4945a1e13b21cbe7eae81fad2a7203ace61b5495f48e6358045d5706b820ed6e00ecca09e9efe436

Download Submit
C:\Windows\{B6B3AFEA-A4E2-4efd-8720-1C7FDC3EA373}.exe

Filesize
408KB

MD5
9720fce8bd820645471684f722169202

SHA1
fb2500841652250a4c4f74c341207caf13da04b9

SHA256
cb6bc33e16f8514d4a23ccd250327a2ba93e36bfd39790d9b8e2a3df241ccd7d

SHA512
8d3cb53bf4657367e336af232a19c23ad4fa751b3aaa969e53543b3186f9e92b9a3d70d4c4f80975948b5e79a8f9b824d6ec8742d47d83b0fef61c93e0ddbe54

Download Submit
C:\Windows\{BD7CEEE5-6057-4fc6-88D1-9F65D9F70791}.exe

Filesize
408KB

MD5
cc37fa46f78cffcd5d0a44cc918cab68

SHA1
ca502249a0f5a86436f5ffe1dc0b2fe5af93822a

SHA256
c98cb46a219257c513898419b55bd8126c1ec0a86d358a99e3742fe8ad98aeee

SHA512
03d28bc65fedde55f228d4f7795815ae47f9d131cad0196a33a6591284f57eaa9e9dbc137ac073e9b54b8751e42b82d26ad35ea3a48802ca445e121a2c1d8448

Download Submit
C:\Windows\{BE9F455E-35CC-40b2-A1EC-5751FE04AC2E}.exe

Filesize
408KB

MD5
14fcb5a525d07b1db329b1fad47cc106

SHA1
3ca77e6280c5544c54637fca9fd2d600a272601b

SHA256
5ba9c7159f0dc849cdb096a51a4a9ac1b322ccb437d951d139f22b8aaa5cfa99

SHA512
3ff74ae6eacabf099f672ca018fe911041d4e7c02db0b0e3db86721a932f2f4f4674c036284dd283b6acfa5bd474416156466d9e3c2d1b4a3159b589151e8fd1

Download Submit
C:\Windows\{C0793F7E-5643-4227-BF3B-7EA91D87349F}.exe

Filesize
408KB

MD5
46ac0a89a2e7ad1f1b827445cb089893

SHA1
e5daa2f7765b5e457dffd61c5b995a150d5ff9d3

SHA256
a395fad562c1ee14a38dfaa5fffcebdc9bc5612131d82c31a14fccaed906098b

SHA512
003bd8a234c5758f2c19f3ca52937212e543ec12d760acc340d68d6a041fbcebb8e318eb54b12e435456fb54f19e4de39d85d954c4cb92bd3e83226c6b633705

Download Submit
C:\Windows\{D126BB4F-98F5-489c-801E-991898EAF83D}.exe

Filesize
408KB

MD5
f76447e20ed31ebc4b7e510b9fc1b34c

SHA1
34794cb07066b25e8db38ab492505906be39ba9c

SHA256
19687df25855f77fd231f4d1c386a99190257a5e3ef059958a1b5243385935a5

SHA512
928d24896450e6279bb7a987b3c4c784b90ab5292d27a8a273c6be9bb038def638c9aaf1704a3805555352d9edfc31c5e74648e738781dd34a215fbbd10f92a6

Download Submit
C:\Windows\{EF81028C-6F9D-4927-A384-F4C51956D129}.exe

Filesize
408KB

MD5
ac1c46886de0665e83151bbb3419a9d9

SHA1
7a3681444d2736cd19b580485c32ae2a32e2bbc7

SHA256
d353a0f8c3e48c3850cb58f1a585943e10e20f807d9b7a060d01dcf4c1482d4a

SHA512
06939a58b55e60e7e936f3a609c7b310faf3d1cfad094ee037bcd6601f6e6ea7299350ea13535f3dafd180ee6082cd6d93429a95e4ae2d4859ca7570885ac68f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads