e7a5398dade3c1db8357828709cd901ac1ca45fd758efceef1b0c0bbda448965

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe
Size

344KB
MD5

c01132acadfc58190f4b725ec5e07193
SHA1

82fa244f8604425d5d8561046dee658120b2b3af
SHA256

e7a5398dade3c1db8357828709cd901ac1ca45fd758efceef1b0c0bbda448965
SHA512

d4f204d11865465697da6e5d6bcb0cf91ad042ab6a3898f8743a81ccd8904facc8b1b9e0fd2ba66fc676021a40f45e83f7c8275969137630cbc6c6f67ac32ae3
SSDEEP

3072:mEGh0oLlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGJlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e399-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023419-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002337d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002338b-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002337d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002338b-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002337d-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002338b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002343b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023444-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023447-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002337c-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}	{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA21980D-9E57-444c-8AF5-15086B53BDB8}	{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}\stubpath = "C:\\Windows\\{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe"	{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}	{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ECC0B3D-1BA5-4ffb-86D4-D4DE4ECF6B35}\stubpath = "C:\\Windows\\{7ECC0B3D-1BA5-4ffb-86D4-D4DE4ECF6B35}.exe"	{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}\stubpath = "C:\\Windows\\{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe"	{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}\stubpath = "C:\\Windows\\{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe"	{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}	{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ECC0B3D-1BA5-4ffb-86D4-D4DE4ECF6B35}	{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDF628B0-0910-4f48-9187-6633A0B6EAF0}\stubpath = "C:\\Windows\\{EDF628B0-0910-4f48-9187-6633A0B6EAF0}.exe"	{7ECC0B3D-1BA5-4ffb-86D4-D4DE4ECF6B35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D7EB955-8132-47fb-AF05-B24739D3B690}\stubpath = "C:\\Windows\\{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe"	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}	{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AFF0133-6342-4192-AB48-8BF517684CF8}	{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}	{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDF628B0-0910-4f48-9187-6633A0B6EAF0}	{7ECC0B3D-1BA5-4ffb-86D4-D4DE4ECF6B35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D7EB955-8132-47fb-AF05-B24739D3B690}	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}\stubpath = "C:\\Windows\\{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe"	{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}	{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}\stubpath = "C:\\Windows\\{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe"	{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}\stubpath = "C:\\Windows\\{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe"	{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA21980D-9E57-444c-8AF5-15086B53BDB8}\stubpath = "C:\\Windows\\{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe"	{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AFF0133-6342-4192-AB48-8BF517684CF8}\stubpath = "C:\\Windows\\{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe"	{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}	{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}\stubpath = "C:\\Windows\\{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}.exe"	{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe

Executes dropped EXE 12 IoCs

pid	Process
1140	{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe
2224	{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe
4304	{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe
1164	{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe
1752	{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe
2332	{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe
1140	{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe
544	{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe
2364	{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe
2124	{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}.exe
3400	{7ECC0B3D-1BA5-4ffb-86D4-D4DE4ECF6B35}.exe
2384	{EDF628B0-0910-4f48-9187-6633A0B6EAF0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe	{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe
File created	C:\Windows\{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe	{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe
File created	C:\Windows\{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe	{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe
File created	C:\Windows\{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}.exe	{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe
File created	C:\Windows\{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe	{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe
File created	C:\Windows\{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe	{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe
File created	C:\Windows\{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe	{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe
File created	C:\Windows\{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe	{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe
File created	C:\Windows\{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe	{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe
File created	C:\Windows\{7ECC0B3D-1BA5-4ffb-86D4-D4DE4ECF6B35}.exe	{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}.exe
File created	C:\Windows\{EDF628B0-0910-4f48-9187-6633A0B6EAF0}.exe	{7ECC0B3D-1BA5-4ffb-86D4-D4DE4ECF6B35}.exe
File created	C:\Windows\{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4060	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1140	{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe
Token: SeIncBasePriorityPrivilege	2224	{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe
Token: SeIncBasePriorityPrivilege	4304	{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe
Token: SeIncBasePriorityPrivilege	1164	{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe
Token: SeIncBasePriorityPrivilege	1752	{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe
Token: SeIncBasePriorityPrivilege	2332	{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe
Token: SeIncBasePriorityPrivilege	1140	{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe
Token: SeIncBasePriorityPrivilege	544	{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe
Token: SeIncBasePriorityPrivilege	2364	{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe
Token: SeIncBasePriorityPrivilege	2124	{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}.exe
Token: SeIncBasePriorityPrivilege	3400	{7ECC0B3D-1BA5-4ffb-86D4-D4DE4ECF6B35}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 1140	4060	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe	95
PID 4060 wrote to memory of 1140	4060	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe	95
PID 4060 wrote to memory of 1140	4060	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe	95
PID 4060 wrote to memory of 1940	4060	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe	96
PID 4060 wrote to memory of 1940	4060	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe	96
PID 4060 wrote to memory of 1940	4060	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe	96
PID 1140 wrote to memory of 2224	1140	{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe	99
PID 1140 wrote to memory of 2224	1140	{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe	99
PID 1140 wrote to memory of 2224	1140	{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe	99
PID 1140 wrote to memory of 3800	1140	{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe	100
PID 1140 wrote to memory of 3800	1140	{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe	100
PID 1140 wrote to memory of 3800	1140	{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe	100
PID 2224 wrote to memory of 4304	2224	{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe	104
PID 2224 wrote to memory of 4304	2224	{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe	104
PID 2224 wrote to memory of 4304	2224	{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe	104
PID 2224 wrote to memory of 4288	2224	{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe	105
PID 2224 wrote to memory of 4288	2224	{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe	105
PID 2224 wrote to memory of 4288	2224	{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe	105
PID 4304 wrote to memory of 1164	4304	{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe	106
PID 4304 wrote to memory of 1164	4304	{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe	106
PID 4304 wrote to memory of 1164	4304	{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe	106
PID 4304 wrote to memory of 4964	4304	{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe	107
PID 4304 wrote to memory of 4964	4304	{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe	107
PID 4304 wrote to memory of 4964	4304	{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe	107
PID 1164 wrote to memory of 1752	1164	{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe	109
PID 1164 wrote to memory of 1752	1164	{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe	109
PID 1164 wrote to memory of 1752	1164	{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe	109
PID 1164 wrote to memory of 3804	1164	{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe	110
PID 1164 wrote to memory of 3804	1164	{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe	110
PID 1164 wrote to memory of 3804	1164	{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe	110
PID 1752 wrote to memory of 2332	1752	{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe	113
PID 1752 wrote to memory of 2332	1752	{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe	113
PID 1752 wrote to memory of 2332	1752	{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe	113
PID 1752 wrote to memory of 1444	1752	{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe	114
PID 1752 wrote to memory of 1444	1752	{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe	114
PID 1752 wrote to memory of 1444	1752	{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe	114
PID 2332 wrote to memory of 1140	2332	{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe	115
PID 2332 wrote to memory of 1140	2332	{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe	115
PID 2332 wrote to memory of 1140	2332	{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe	115
PID 2332 wrote to memory of 4312	2332	{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe	116
PID 2332 wrote to memory of 4312	2332	{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe	116
PID 2332 wrote to memory of 4312	2332	{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe	116
PID 1140 wrote to memory of 544	1140	{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe	117
PID 1140 wrote to memory of 544	1140	{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe	117
PID 1140 wrote to memory of 544	1140	{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe	117
PID 1140 wrote to memory of 3544	1140	{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe	118
PID 1140 wrote to memory of 3544	1140	{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe	118
PID 1140 wrote to memory of 3544	1140	{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe	118
PID 544 wrote to memory of 2364	544	{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe	122
PID 544 wrote to memory of 2364	544	{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe	122
PID 544 wrote to memory of 2364	544	{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe	122
PID 544 wrote to memory of 4508	544	{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe	123
PID 544 wrote to memory of 4508	544	{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe	123
PID 544 wrote to memory of 4508	544	{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe	123
PID 2364 wrote to memory of 2124	2364	{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe	124
PID 2364 wrote to memory of 2124	2364	{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe	124
PID 2364 wrote to memory of 2124	2364	{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe	124
PID 2364 wrote to memory of 3552	2364	{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe	125
PID 2364 wrote to memory of 3552	2364	{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe	125
PID 2364 wrote to memory of 3552	2364	{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe	125
PID 2124 wrote to memory of 3400	2124	{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}.exe	126
PID 2124 wrote to memory of 3400	2124	{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}.exe	126
PID 2124 wrote to memory of 3400	2124	{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}.exe	126
PID 2124 wrote to memory of 3108	2124	{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe
  C:\Windows\{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe
    C:\Windows\{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe
      C:\Windows\{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4304
    - - C:\Windows\{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe
        
        C:\Windows\{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1164
      - C:\Windows\{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe
        
        C:\Windows\{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe
        
        C:\Windows\{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe
        
        C:\Windows\{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe
        
        C:\Windows\{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe
        
        C:\Windows\{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}.exe
        
        C:\Windows\{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\{7ECC0B3D-1BA5-4ffb-86D4-D4DE4ECF6B35}.exe
        
        C:\Windows\{7ECC0B3D-1BA5-4ffb-86D4-D4DE4ECF6B35}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
        
        C:\Windows\{EDF628B0-0910-4f48-9187-6633A0B6EAF0}.exe
        
        C:\Windows\{EDF628B0-0910-4f48-9187-6633A0B6EAF0}.exe
        13⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ECC0~1.EXE > nul
        13⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18CFF~1.EXE > nul
        12⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9831~1.EXE > nul
        11⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2BF0~1.EXE > nul
        10⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A918A~1.EXE > nul
        9⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AFF0~1.EXE > nul
        8⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA219~1.EXE > nul
        7⤵
        
        PID:1444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A43C~1.EXE > nul
        6⤵
        
        PID:3804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32DA9~1.EXE > nul
        5⤵
        
        PID:4964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C66E6~1.EXE > nul
      4⤵
      PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4D7EB~1.EXE > nul
    3⤵
    PID:3800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18CFFCD2-B3B1-4eb0-AE38-09109A31639B}.exe

Filesize
344KB

MD5
4b15bbc74b0f693519ce16ab0e5bd9ee

SHA1
0d341d750f010a11b98101131e71dd54a081739c

SHA256
355593161d6002691d1ba32889f78ebed0a1045b818c3ce4a634e3c068277d1c

SHA512
9cfac0c756305e43492d32bbf941f416594f2ace729e1b1c86684eabcaaa7d6381493655efd8ea2a6f125ee03ac56e570573d6cb07337cc057694df682bda9f9

Download Submit
C:\Windows\{32DA9B9D-0CAB-48f6-B85C-9FA9DBB6BFB9}.exe

Filesize
344KB

MD5
e0202ee180591acf840e72a5072d8672

SHA1
984b3e0d071ec72d068dbb8a5affc93cc6632dca

SHA256
5aa77fce7b38cb6a434af1f71b545fb96142f500658acd3a58b498f7b27a2f86

SHA512
4ea9cb430cb5df60a57363d3306e9dfa57f6a649de3e704dc4e3ded398f9c78c364775e4ec1dfb709006bfd9f4efd241d477067e13f5b7a7356e03f508b2d50c

Download Submit
C:\Windows\{4AFF0133-6342-4192-AB48-8BF517684CF8}.exe

Filesize
344KB

MD5
6809fcc03e26ac25d4f76d7a43eabe28

SHA1
18a2927b538cf072cd7d1be3742ed4c71e41b793

SHA256
c3b083e9fb8a24a1f0f65179184d92cd030ab2e355180891c9d1f9275ff99581

SHA512
fba3deed5708a9ccefa6e378f786a428ff0c826845ea500eaa3b5a3d6178f4e0ec1a3236f831fa189649499a15308e538e2df48c8ec1a975a94abc16d03d50ce

Download Submit
C:\Windows\{4D7EB955-8132-47fb-AF05-B24739D3B690}.exe

Filesize
344KB

MD5
2d231fe7a3d7cd9c216d758a35decd82

SHA1
978295edc6674c17666c6e6e0dde247a8eee228d

SHA256
fe920730a7344d982651cdccdaa366eb0ba1bb718c4c00c823aef7daea913258

SHA512
64a8373e1ebaecd2b56de6e436422b22cbdc1c6e61d9dfbb75a208f3c230b584f3632a799ba4548b840fe0c262c061c9c7189e8e28e63aced27a0bd0d7441fb7

Download Submit
C:\Windows\{7A43CAF7-00DC-47dc-8AEE-D6B24C8E17FB}.exe

Filesize
344KB

MD5
9d4eeffac1fee5fa3bc5eedeb34d0691

SHA1
80fcbc40e9ec120a6ffa22ad9ac29b0a8eef4a7d

SHA256
19431cd15684529f077bcb7ac03e19d878374d5afcd5c8f85056f0a4b33b5103

SHA512
f79e67f6e22553f2206fecc3d1eddb27a4e0728c20830fa4653f6883ef09ff1217243cf6821c3907ac7c8ef40b5992288a14e46c334dfa20de77365ba13818df

Download Submit
C:\Windows\{7ECC0B3D-1BA5-4ffb-86D4-D4DE4ECF6B35}.exe

Filesize
344KB

MD5
a422ec8cdf3749ce78a716b35bc3505c

SHA1
d38ecf5ae602a3a52df37b154c798058b280dbfa

SHA256
5ffca622b56887cac713fa752eefe98c1ad82d840dff79dcfd0a5170f0be5834

SHA512
9d77c309dee211afbc8853c9c6584fde7607272691a7cf56af99c45264437b6edd73d57543270e268788e57869815ea6710e18ad252cbed62d3eb2bf1d98256e

Download Submit
C:\Windows\{A2BF0CC6-01BA-4d2a-9FEC-506AF800D11D}.exe

Filesize
344KB

MD5
05dbd63a6b1675be3f6683de8b8bee59

SHA1
399d4bc319b53ccb95b0946c7698fd263b9ca520

SHA256
af6f9571de3adf25e30294e9b93ab841cfc477595ad2e56afde493306b8c34f0

SHA512
5378dfdb8b903e9614466ee5d2f95211647e26569efe84b8f99c166884fad2bc5396cae2f57825d96e430bebb4ab7d43456d7660257e7c68b1840a97fd9a882b

Download Submit
C:\Windows\{A918AF59-2D89-4c64-A0DC-1B2916B1E5D2}.exe

Filesize
344KB

MD5
b74278e287a44c0a05ffc18937861bcb

SHA1
829a64b210b60bfd5f68743c9822994094d62715

SHA256
0725c85599c21fd40539bc5c2256b5aa5d38bf2a0304c744c121891b609e6e28

SHA512
e61a1d0fdd5676eb1c2b38b250876adef040c2fe23306bd12bc860840ef40ccd88a42f1c58d7bea277a5cfcc4548a407ab6b8f151fb73a6b04af6687a72b8f20

Download Submit
C:\Windows\{BA21980D-9E57-444c-8AF5-15086B53BDB8}.exe

Filesize
344KB

MD5
2fb113734558b9ef0f65fa511beb33d6

SHA1
d2e6a2129f149a73cc1cff4dba90b6d499f9aa3f

SHA256
a30f8071e4e100960f4dba12dae987bc3633425534fd1031b4969191d5d2e29b

SHA512
cfb72a013f8b590905b1a4badbd39de7f7e794c6201fa1804a1b894bebc9c715d77d61f3a721932ecd4cdd07bf2e9bdee2165456b48345721afbe46a819a2b74

Download Submit
C:\Windows\{C66E6E38-F924-4b6a-AE69-C5724A8B23EC}.exe

Filesize
344KB

MD5
ba4f1a567e8cdb149805741b1911a6b5

SHA1
239ab4c980db350f5fa7789c44b1c54c88c46c8a

SHA256
cecd213778dd6e42020ced18d51f6cd4312cef45278b314acee6fe62fdfaa4dc

SHA512
376a46357e16b3beedf726d0d2be0b1e866d07946fcade48dc89ae21cb13f2beacd6de284b2d006208b3d2ebb8ab27c3eb3f7f871d480e154a11ea7f35e4714a

Download Submit
C:\Windows\{C983186A-2C26-44cd-A61E-ECC3DCBD2ED2}.exe

Filesize
344KB

MD5
26f1a961f2dec26ea992f944191b1353

SHA1
abd7a052630664d0f70f5890d0b28bfec88d851d

SHA256
7fbdf9cce7a5ea5da0a3655428a6bcdb7547b888a77a2dc8d305be5969be81f1

SHA512
5bd027b491c6fded23b31b1cd9696c0861c9534a740b93783537cc47374c8d04f0146ed58d831ad8b3e3224d437ccdbf0b354f80814898a19bf9fa72ed08cd17

Download Submit
C:\Windows\{EDF628B0-0910-4f48-9187-6633A0B6EAF0}.exe

Filesize
344KB

MD5
6300d9c417d5c8c78f8e0d90fcd70d94

SHA1
cdde3df849327ef61c3f8afb3627e42fe26a9ab4

SHA256
f14f183a722c784ed974530985ae5b1439e0e42a9c94d051f54cc0a4ed0613ce

SHA512
e61b066c3a093781e1d4214829ac3e62199706afa52aef2c37cc80b32f506b3eb819ccc3e1993e3a6bd49759e136a52cbe6cecef58bc2ddd2aa6eb7c1436f236

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads