b1200da047520f89c8a7329d769d455c3c5e30191d5ab3b63fd780395eed5c76

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe
Size

372KB
MD5

c6e7a3dd3d088b8f333aa3964a537761
SHA1

ac6cd55a7f34d5563385e11a8edf887e7ced9808
SHA256

b1200da047520f89c8a7329d769d455c3c5e30191d5ab3b63fd780395eed5c76
SHA512

7b56e5efeb4a336af2b7c0a09997be3cc7195fc8eed478f31daa7895a75e3981650c37afb05cb1b699464a6418379f37af665d5f3241abf8209e1877466cc592
SSDEEP

3072:CEGh0oDlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG5lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000900000002335d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023400-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023407-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023400-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023407-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023418-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002341b-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002352d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023530-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023533-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022985-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023536-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}\stubpath = "C:\\Windows\\{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe"	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB684653-8D62-42ee-A29E-B8F132CBA226}	{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CDE6138-1375-4328-AA47-2132DDD2446D}	{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}	{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}	{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D1DC65C-103C-4141-81A2-F8B7633A9C5D}	{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2505F176-036A-4f65-BB85-2BC43E72C4E8}	{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB684653-8D62-42ee-A29E-B8F132CBA226}\stubpath = "C:\\Windows\\{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe"	{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CDE6138-1375-4328-AA47-2132DDD2446D}\stubpath = "C:\\Windows\\{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe"	{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}\stubpath = "C:\\Windows\\{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe"	{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}	{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2505F176-036A-4f65-BB85-2BC43E72C4E8}\stubpath = "C:\\Windows\\{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe"	{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}	{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}	{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}\stubpath = "C:\\Windows\\{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}.exe"	{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D1DC65C-103C-4141-81A2-F8B7633A9C5D}\stubpath = "C:\\Windows\\{2D1DC65C-103C-4141-81A2-F8B7633A9C5D}.exe"	{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1826B756-162A-44b4-9A4A-3DC76957B23A}	{2D1DC65C-103C-4141-81A2-F8B7633A9C5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1826B756-162A-44b4-9A4A-3DC76957B23A}\stubpath = "C:\\Windows\\{1826B756-162A-44b4-9A4A-3DC76957B23A}.exe"	{2D1DC65C-103C-4141-81A2-F8B7633A9C5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}\stubpath = "C:\\Windows\\{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe"	{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C860EDA-68E5-4c3e-B84D-939FA02257ED}	{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C860EDA-68E5-4c3e-B84D-939FA02257ED}\stubpath = "C:\\Windows\\{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe"	{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}\stubpath = "C:\\Windows\\{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe"	{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}\stubpath = "C:\\Windows\\{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe"	{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe

Executes dropped EXE 12 IoCs

pid	Process
4088	{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe
4028	{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe
2012	{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe
5064	{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe
808	{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe
4164	{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe
4452	{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe
920	{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe
640	{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe
1504	{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}.exe
1828	{2D1DC65C-103C-4141-81A2-F8B7633A9C5D}.exe
1252	{1826B756-162A-44b4-9A4A-3DC76957B23A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe	{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe
File created	C:\Windows\{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe	{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe
File created	C:\Windows\{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe	{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe
File created	C:\Windows\{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe	{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe
File created	C:\Windows\{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe	{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe
File created	C:\Windows\{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}.exe	{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe
File created	C:\Windows\{2D1DC65C-103C-4141-81A2-F8B7633A9C5D}.exe	{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}.exe
File created	C:\Windows\{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe
File created	C:\Windows\{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe	{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe
File created	C:\Windows\{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe	{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe
File created	C:\Windows\{1826B756-162A-44b4-9A4A-3DC76957B23A}.exe	{2D1DC65C-103C-4141-81A2-F8B7633A9C5D}.exe
File created	C:\Windows\{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe	{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5060	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4088	{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe
Token: SeIncBasePriorityPrivilege	4028	{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe
Token: SeIncBasePriorityPrivilege	2012	{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe
Token: SeIncBasePriorityPrivilege	5064	{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe
Token: SeIncBasePriorityPrivilege	808	{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe
Token: SeIncBasePriorityPrivilege	4164	{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe
Token: SeIncBasePriorityPrivilege	4452	{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe
Token: SeIncBasePriorityPrivilege	920	{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe
Token: SeIncBasePriorityPrivilege	640	{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe
Token: SeIncBasePriorityPrivilege	1504	{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}.exe
Token: SeIncBasePriorityPrivilege	1828	{2D1DC65C-103C-4141-81A2-F8B7633A9C5D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 4088	5060	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe	96
PID 5060 wrote to memory of 4088	5060	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe	96
PID 5060 wrote to memory of 4088	5060	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe	96
PID 5060 wrote to memory of 1632	5060	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe	97
PID 5060 wrote to memory of 1632	5060	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe	97
PID 5060 wrote to memory of 1632	5060	2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe	97
PID 4088 wrote to memory of 4028	4088	{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe	100
PID 4088 wrote to memory of 4028	4088	{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe	100
PID 4088 wrote to memory of 4028	4088	{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe	100
PID 4088 wrote to memory of 3108	4088	{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe	101
PID 4088 wrote to memory of 3108	4088	{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe	101
PID 4088 wrote to memory of 3108	4088	{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe	101
PID 4028 wrote to memory of 2012	4028	{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe	104
PID 4028 wrote to memory of 2012	4028	{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe	104
PID 4028 wrote to memory of 2012	4028	{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe	104
PID 4028 wrote to memory of 4880	4028	{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe	105
PID 4028 wrote to memory of 4880	4028	{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe	105
PID 4028 wrote to memory of 4880	4028	{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe	105
PID 2012 wrote to memory of 5064	2012	{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe	106
PID 2012 wrote to memory of 5064	2012	{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe	106
PID 2012 wrote to memory of 5064	2012	{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe	106
PID 2012 wrote to memory of 3268	2012	{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe	107
PID 2012 wrote to memory of 3268	2012	{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe	107
PID 2012 wrote to memory of 3268	2012	{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe	107
PID 5064 wrote to memory of 808	5064	{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe	109
PID 5064 wrote to memory of 808	5064	{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe	109
PID 5064 wrote to memory of 808	5064	{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe	109
PID 5064 wrote to memory of 3388	5064	{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe	110
PID 5064 wrote to memory of 3388	5064	{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe	110
PID 5064 wrote to memory of 3388	5064	{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe	110
PID 808 wrote to memory of 4164	808	{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe	115
PID 808 wrote to memory of 4164	808	{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe	115
PID 808 wrote to memory of 4164	808	{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe	115
PID 808 wrote to memory of 1280	808	{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe	116
PID 808 wrote to memory of 1280	808	{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe	116
PID 808 wrote to memory of 1280	808	{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe	116
PID 4164 wrote to memory of 4452	4164	{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe	118
PID 4164 wrote to memory of 4452	4164	{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe	118
PID 4164 wrote to memory of 4452	4164	{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe	118
PID 4164 wrote to memory of 3392	4164	{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe	119
PID 4164 wrote to memory of 3392	4164	{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe	119
PID 4164 wrote to memory of 3392	4164	{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe	119
PID 4452 wrote to memory of 920	4452	{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe	124
PID 4452 wrote to memory of 920	4452	{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe	124
PID 4452 wrote to memory of 920	4452	{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe	124
PID 4452 wrote to memory of 1428	4452	{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe	125
PID 4452 wrote to memory of 1428	4452	{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe	125
PID 4452 wrote to memory of 1428	4452	{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe	125
PID 920 wrote to memory of 640	920	{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe	126
PID 920 wrote to memory of 640	920	{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe	126
PID 920 wrote to memory of 640	920	{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe	126
PID 920 wrote to memory of 1576	920	{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe	127
PID 920 wrote to memory of 1576	920	{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe	127
PID 920 wrote to memory of 1576	920	{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe	127
PID 640 wrote to memory of 1504	640	{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe	128
PID 640 wrote to memory of 1504	640	{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe	128
PID 640 wrote to memory of 1504	640	{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe	128
PID 640 wrote to memory of 4444	640	{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe	129
PID 640 wrote to memory of 4444	640	{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe	129
PID 640 wrote to memory of 4444	640	{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe	129
PID 1504 wrote to memory of 1828	1504	{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}.exe	132
PID 1504 wrote to memory of 1828	1504	{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}.exe	132
PID 1504 wrote to memory of 1828	1504	{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}.exe	132
PID 1504 wrote to memory of 2512	1504	{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_c6e7a3dd3d088b8f333aa3964a537761_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe
  C:\Windows\{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe
    C:\Windows\{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Windows\{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe
      C:\Windows\{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe
        
        C:\Windows\{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Windows\{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe
        
        C:\Windows\{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe
        
        C:\Windows\{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe
        
        C:\Windows\{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe
        
        C:\Windows\{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe
        
        C:\Windows\{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}.exe
        
        C:\Windows\{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{2D1DC65C-103C-4141-81A2-F8B7633A9C5D}.exe
        
        C:\Windows\{2D1DC65C-103C-4141-81A2-F8B7633A9C5D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\{1826B756-162A-44b4-9A4A-3DC76957B23A}.exe
        
        C:\Windows\{1826B756-162A-44b4-9A4A-3DC76957B23A}.exe
        13⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D1DC~1.EXE > nul
        13⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2C19~1.EXE > nul
        12⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9DFE~1.EXE > nul
        11⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96F33~1.EXE > nul
        10⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{154ED~1.EXE > nul
        9⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C860~1.EXE > nul
        8⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C063~1.EXE > nul
        7⤵
        
        PID:1280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CDE6~1.EXE > nul
        6⤵
        
        PID:3388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB684~1.EXE > nul
        5⤵
        
        PID:3268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2505F~1.EXE > nul
      4⤵
      PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{86CE1~1.EXE > nul
    3⤵
    PID:3108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{154ED684-4E1D-47ea-B1B0-4703BA4A4B06}.exe

Filesize
372KB

MD5
52dc180310335a46064cb9b054b26beb

SHA1
c4d9ed9524f5c9d0ec06a69ed30465c097fb79d4

SHA256
d862c510b98afa665f45af56f710fbfbc7c3f839eecf0f4ca312cba80fdbecaa

SHA512
135007a9333ed5733c10d3402967aa19e7cfca9bcfa329c560348760e3379e213121cb9abdc23174cf14da665948e13b2075961019d4da94a8402f153c0b098b

Download Submit
C:\Windows\{1826B756-162A-44b4-9A4A-3DC76957B23A}.exe

Filesize
372KB

MD5
7c5438e68d86a69b7de6e492767e098c

SHA1
3b38287b2caf530faeff2e6f3b5ef22c001df6be

SHA256
ea21950e8dabb5c2978d9eca3aafbd97cc8d4c142966f048de2bee6af49e6e9a

SHA512
5d3f7dfdcd324da86958818a9098240ec4855653c8481df13b4f01486bb266295ffce89ed4f4978926aac5c66f207bc0f6f6607a00d460a673ddb57f6e5e75f2

Download Submit
C:\Windows\{2505F176-036A-4f65-BB85-2BC43E72C4E8}.exe

Filesize
372KB

MD5
665f8e5ef8aadf8d8835d1883751a776

SHA1
215f1654ff935e2a91f5442eb29332be23998459

SHA256
ffb94090714fe0db569abebced0be532619fc7de0a58baaaf8ea1c1d01a2103d

SHA512
2bdb76747c3ba9be9ae86bffdf7099787d632a461b02dc978042dc1a684e319af911ef708df54fbe19b6b9e7de11ae40b831d5bf5878538b0bffe641af520e56

Download Submit
C:\Windows\{2D1DC65C-103C-4141-81A2-F8B7633A9C5D}.exe

Filesize
372KB

MD5
f471bef1b66cf28e657e6aefc96b0483

SHA1
56b74ed5e51f680862f56fe6c0632e409503d20d

SHA256
d14f29ce1883d04dffdc78f22a7b9bba8cdd8e376bfa03b4edbfc659c7040b9e

SHA512
078622ae6c0640ddb0bf44786f5ee8f692c73508012ee774bb961043ea22adc6310ad928772a96365c77898aab10e0cceff29a48ba64aba7ee6959c89b14120a

Download Submit
C:\Windows\{86CE1A2D-0ED5-4daf-89A0-F84DC816E217}.exe

Filesize
372KB

MD5
5ac70cfc199d72833f15e6095ac25e25

SHA1
088be4f2b0fe5a1cab414e60fbaeb3064a409dca

SHA256
2e9a8e091b8c8c3e2050a233dc189c3e62942cabbe9bccbf1c05596c7b043b6b

SHA512
a0f7fc39ca752d6d29c5ceb79a08ff244bb800a4bccdf8b6c8a887c956f063b0b12bce50d9bb910bbe3e5d098f5e2a91a375b592de5ed99860b36e6a525f77ea

Download Submit
C:\Windows\{8CDE6138-1375-4328-AA47-2132DDD2446D}.exe

Filesize
372KB

MD5
dae5f46665da2672e9421544d51cdda1

SHA1
cb449f2a810d0d617c013f645c67dedecf7a06fe

SHA256
3fdc31b53ad55cc7c76670ff01c10b803d47b5d46de6988b3a8fdd52c16737d8

SHA512
6e84e047018d0f1fded6a7ac9356532ec5792bf1333d8643ff4274cd509555b0cbfb356731ed8293582924507b19d44f3656b5f87fad005ebbd1a5a04b85a84d

Download Submit
C:\Windows\{96F336CE-4BDA-4dbb-9A50-395E01CDD66D}.exe

Filesize
372KB

MD5
2e24201d23999c50a4467d22b8d2a25b

SHA1
6a9b0f1ede6fb1fcd6be0f710735b892353bc9c6

SHA256
9904e2d66302e6515d21dce37d51d3783b95c90848a0653c00b69e1db7861c94

SHA512
ae6408ecd4a0458830f05cb78fa31545f3f4a51362a9c39971ba5aade5ee883cb918fa7406f1f7774a1a8550adef29bc2623164b96a6fc718a60c95dc422226e

Download Submit
C:\Windows\{9C063FA7-E50A-4afb-B5C0-67AB34D44D1F}.exe

Filesize
372KB

MD5
7ef7ce027292c01664f82bb951c2479d

SHA1
5c175df673b20a6bbafc8ef440d5c2e0e4228afd

SHA256
484ed3b8efd85029f7f1ea10ab27c01799bb28a652d9364f80ac794f580c8a43

SHA512
dbdcf476a596ecd448deab604a860b2836c1c66893d4c80adc281cc88835817d6a20e89bb428e0a4e3430c4ae6aac564d2bb649941e61e8dfd558f4c1fe33a73

Download Submit
C:\Windows\{9C860EDA-68E5-4c3e-B84D-939FA02257ED}.exe

Filesize
372KB

MD5
56163ce4394556af2d28e2abe02c9c47

SHA1
a66fa7c73731f3f1553c06f368c7cbb397faaaf0

SHA256
d29286d9c88be4ff41f6de598bda776cb8c438183b9783040746d5573d904430

SHA512
cc6cc86d646ee42b3abaa5d68fe3afaa341c074e8b37e42ead72b39c5335e821b846b52bf4e9f1e3982890412ed19b03593d2206055ed1f3e9a72ebd5b99db83

Download Submit
C:\Windows\{D9DFEB80-B8C0-4836-8A37-3C9D1407C1AA}.exe

Filesize
372KB

MD5
6e56b6743419f8009469ce34ca53300e

SHA1
0ac55692068581ae77f2340916a6d10bc7fde673

SHA256
fb0edef088898809ca9e291f505734c519c4bcc87e4bc9fa997aa403af373e45

SHA512
d396b00c04493d11424d2244dd6f6d7899c242209d7304a3af8132e885891ed4ab05d7680083c66b455514e204930b24ba5edb50be09a09b0b89ba30015790d7

Download Submit
C:\Windows\{E2C19811-0C02-4a86-AE77-FCF7D146AFDB}.exe

Filesize
372KB

MD5
96ae7fd1a5e7aa48701c35ec4541081e

SHA1
8fe8b1c836b3fe04b2c569eeac5ea80d9971850c

SHA256
0daa95ef533e1ec0f7c84af91dc87fea2c5067ee9921534a0b42f770a24774fc

SHA512
2ca8903961d4b07711e06fb8a33360cfe66ebe95ed497d6435785ebc94e3de67a7e89d72f168b80c69f14f973169c899f1a31d7a40b8350722da6d4c77d80f64

Download Submit
C:\Windows\{FB684653-8D62-42ee-A29E-B8F132CBA226}.exe

Filesize
372KB

MD5
0e838eb8af50c6a41078073352cf228d

SHA1
0825d3f599bc60a67031c25a710a405a5e58cdf9

SHA256
9368cdfaaf36bbefdfe2998dae0b5f04e02e55dc2cf280a3a799ea66a937942a

SHA512
a835e2bd92a03b38329edf7aa4cdc1906bd29d66cd442ca540e45f84535c1e37b6c5b1740abb3346577803dac5ffb18fbd2d36fa19a40f0d7286aa6a9a5c3fb0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads