03bd98861a08d2c47895820ef4d57c37ca6843e9c8c4fa97fc83f2e50100d462

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 10:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_5c1a9cabc7ac73a303d8470a6bb3cfbe_goldeneye.exe
Size

180KB
MD5

5c1a9cabc7ac73a303d8470a6bb3cfbe
SHA1

9197edd080a4b164632161e4f56a7cea2750376a
SHA256

03bd98861a08d2c47895820ef4d57c37ca6843e9c8c4fa97fc83f2e50100d462
SHA512

7ff23f89abd904ce3df519b085617ff6b13c3811b4f63b39f7c32209788f0745eb481f80b83def096f53e92c05948751929b9e916a6b4ef7b47d2ab0549eec5f
SSDEEP

3072:jEGh0oNlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG/l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233e9-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233f8-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234ff-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000200000001e316-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002333d-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e316-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001dadb-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023508-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002350b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001dadb-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023340-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}	{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{527B3A64-ECD3-4e13-8A88-C7C845597B70}	{D7ECE625-1D6E-486a-8193-65E54D31881B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D4AB2EB-77C4-42f0-A901-FF989DC194EC}	{527B3A64-ECD3-4e13-8A88-C7C845597B70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{232C7A3F-BADA-4564-BDAF-6CE330A60929}	{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03BD6349-057F-43bf-9C49-FB5F91657A30}	{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{180576A9-F4A4-47b7-A8A3-29319437CA54}\stubpath = "C:\\Windows\\{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe"	{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3C51CB0-6A42-4a4d-981A-50D3006BE462}	{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03BD6349-057F-43bf-9C49-FB5F91657A30}\stubpath = "C:\\Windows\\{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe"	{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{180576A9-F4A4-47b7-A8A3-29319437CA54}	{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7ECE625-1D6E-486a-8193-65E54D31881B}	{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}	2024-04-20_5c1a9cabc7ac73a303d8470a6bb3cfbe_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}\stubpath = "C:\\Windows\\{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe"	2024-04-20_5c1a9cabc7ac73a303d8470a6bb3cfbe_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}	{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}\stubpath = "C:\\Windows\\{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe"	{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7ECE625-1D6E-486a-8193-65E54D31881B}\stubpath = "C:\\Windows\\{D7ECE625-1D6E-486a-8193-65E54D31881B}.exe"	{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{527B3A64-ECD3-4e13-8A88-C7C845597B70}\stubpath = "C:\\Windows\\{527B3A64-ECD3-4e13-8A88-C7C845597B70}.exe"	{D7ECE625-1D6E-486a-8193-65E54D31881B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{232C7A3F-BADA-4564-BDAF-6CE330A60929}\stubpath = "C:\\Windows\\{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe"	{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}\stubpath = "C:\\Windows\\{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe"	{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}\stubpath = "C:\\Windows\\{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe"	{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6484E0A8-D5D3-488d-96A4-CB1FD1321516}\stubpath = "C:\\Windows\\{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe"	{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D4AB2EB-77C4-42f0-A901-FF989DC194EC}\stubpath = "C:\\Windows\\{4D4AB2EB-77C4-42f0-A901-FF989DC194EC}.exe"	{527B3A64-ECD3-4e13-8A88-C7C845597B70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3C51CB0-6A42-4a4d-981A-50D3006BE462}\stubpath = "C:\\Windows\\{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe"	{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}	{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6484E0A8-D5D3-488d-96A4-CB1FD1321516}	{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe

Executes dropped EXE 12 IoCs

pid	Process
1272	{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe
4956	{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe
3308	{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe
4208	{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe
1272	{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe
3932	{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe
1012	{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe
3208	{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe
3576	{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe
3980	{D7ECE625-1D6E-486a-8193-65E54D31881B}.exe
3740	{527B3A64-ECD3-4e13-8A88-C7C845597B70}.exe
2468	{4D4AB2EB-77C4-42f0-A901-FF989DC194EC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe	{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe
File created	C:\Windows\{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe	{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe
File created	C:\Windows\{D7ECE625-1D6E-486a-8193-65E54D31881B}.exe	{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe
File created	C:\Windows\{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe	2024-04-20_5c1a9cabc7ac73a303d8470a6bb3cfbe_goldeneye.exe
File created	C:\Windows\{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe	{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe
File created	C:\Windows\{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe	{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe
File created	C:\Windows\{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe	{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe
File created	C:\Windows\{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe	{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe
File created	C:\Windows\{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe	{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe
File created	C:\Windows\{527B3A64-ECD3-4e13-8A88-C7C845597B70}.exe	{D7ECE625-1D6E-486a-8193-65E54D31881B}.exe
File created	C:\Windows\{4D4AB2EB-77C4-42f0-A901-FF989DC194EC}.exe	{527B3A64-ECD3-4e13-8A88-C7C845597B70}.exe
File created	C:\Windows\{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe	{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3028	2024-04-20_5c1a9cabc7ac73a303d8470a6bb3cfbe_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1272	{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe
Token: SeIncBasePriorityPrivilege	4956	{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe
Token: SeIncBasePriorityPrivilege	3308	{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe
Token: SeIncBasePriorityPrivilege	4208	{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe
Token: SeIncBasePriorityPrivilege	1272	{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe
Token: SeIncBasePriorityPrivilege	3932	{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe
Token: SeIncBasePriorityPrivilege	1012	{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe
Token: SeIncBasePriorityPrivilege	3208	{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe
Token: SeIncBasePriorityPrivilege	3576	{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe
Token: SeIncBasePriorityPrivilege	3980	{D7ECE625-1D6E-486a-8193-65E54D31881B}.exe
Token: SeIncBasePriorityPrivilege	3740	{527B3A64-ECD3-4e13-8A88-C7C845597B70}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1272	3028	2024-04-20_5c1a9cabc7ac73a303d8470a6bb3cfbe_goldeneye.exe	93
PID 3028 wrote to memory of 1272	3028	2024-04-20_5c1a9cabc7ac73a303d8470a6bb3cfbe_goldeneye.exe	93
PID 3028 wrote to memory of 1272	3028	2024-04-20_5c1a9cabc7ac73a303d8470a6bb3cfbe_goldeneye.exe	93
PID 3028 wrote to memory of 3808	3028	2024-04-20_5c1a9cabc7ac73a303d8470a6bb3cfbe_goldeneye.exe	94
PID 3028 wrote to memory of 3808	3028	2024-04-20_5c1a9cabc7ac73a303d8470a6bb3cfbe_goldeneye.exe	94
PID 3028 wrote to memory of 3808	3028	2024-04-20_5c1a9cabc7ac73a303d8470a6bb3cfbe_goldeneye.exe	94
PID 1272 wrote to memory of 4956	1272	{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe	97
PID 1272 wrote to memory of 4956	1272	{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe	97
PID 1272 wrote to memory of 4956	1272	{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe	97
PID 1272 wrote to memory of 3216	1272	{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe	98
PID 1272 wrote to memory of 3216	1272	{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe	98
PID 1272 wrote to memory of 3216	1272	{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe	98
PID 4956 wrote to memory of 3308	4956	{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe	101
PID 4956 wrote to memory of 3308	4956	{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe	101
PID 4956 wrote to memory of 3308	4956	{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe	101
PID 4956 wrote to memory of 228	4956	{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe	102
PID 4956 wrote to memory of 228	4956	{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe	102
PID 4956 wrote to memory of 228	4956	{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe	102
PID 3308 wrote to memory of 4208	3308	{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe	104
PID 3308 wrote to memory of 4208	3308	{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe	104
PID 3308 wrote to memory of 4208	3308	{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe	104
PID 3308 wrote to memory of 4452	3308	{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe	105
PID 3308 wrote to memory of 4452	3308	{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe	105
PID 3308 wrote to memory of 4452	3308	{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe	105
PID 4208 wrote to memory of 1272	4208	{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe	106
PID 4208 wrote to memory of 1272	4208	{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe	106
PID 4208 wrote to memory of 1272	4208	{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe	106
PID 4208 wrote to memory of 4620	4208	{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe	107
PID 4208 wrote to memory of 4620	4208	{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe	107
PID 4208 wrote to memory of 4620	4208	{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe	107
PID 1272 wrote to memory of 3932	1272	{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe	113
PID 1272 wrote to memory of 3932	1272	{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe	113
PID 1272 wrote to memory of 3932	1272	{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe	113
PID 1272 wrote to memory of 3696	1272	{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe	114
PID 1272 wrote to memory of 3696	1272	{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe	114
PID 1272 wrote to memory of 3696	1272	{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe	114
PID 3932 wrote to memory of 1012	3932	{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe	115
PID 3932 wrote to memory of 1012	3932	{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe	115
PID 3932 wrote to memory of 1012	3932	{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe	115
PID 3932 wrote to memory of 2148	3932	{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe	116
PID 3932 wrote to memory of 2148	3932	{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe	116
PID 3932 wrote to memory of 2148	3932	{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe	116
PID 1012 wrote to memory of 3208	1012	{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe	117
PID 1012 wrote to memory of 3208	1012	{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe	117
PID 1012 wrote to memory of 3208	1012	{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe	117
PID 1012 wrote to memory of 4620	1012	{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe	118
PID 1012 wrote to memory of 4620	1012	{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe	118
PID 1012 wrote to memory of 4620	1012	{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe	118
PID 3208 wrote to memory of 3576	3208	{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe	123
PID 3208 wrote to memory of 3576	3208	{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe	123
PID 3208 wrote to memory of 3576	3208	{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe	123
PID 3208 wrote to memory of 944	3208	{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe	124
PID 3208 wrote to memory of 944	3208	{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe	124
PID 3208 wrote to memory of 944	3208	{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe	124
PID 3576 wrote to memory of 3980	3576	{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe	125
PID 3576 wrote to memory of 3980	3576	{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe	125
PID 3576 wrote to memory of 3980	3576	{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe	125
PID 3576 wrote to memory of 3308	3576	{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe	126
PID 3576 wrote to memory of 3308	3576	{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe	126
PID 3576 wrote to memory of 3308	3576	{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe	126
PID 3980 wrote to memory of 3740	3980	{D7ECE625-1D6E-486a-8193-65E54D31881B}.exe	132
PID 3980 wrote to memory of 3740	3980	{D7ECE625-1D6E-486a-8193-65E54D31881B}.exe	132
PID 3980 wrote to memory of 3740	3980	{D7ECE625-1D6E-486a-8193-65E54D31881B}.exe	132
PID 3980 wrote to memory of 4620	3980	{D7ECE625-1D6E-486a-8193-65E54D31881B}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-04-20_5c1a9cabc7ac73a303d8470a6bb3cfbe_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_5c1a9cabc7ac73a303d8470a6bb3cfbe_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe
  C:\Windows\{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe
    C:\Windows\{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe
      C:\Windows\{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3308
    - - C:\Windows\{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe
        
        C:\Windows\{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4208
      - C:\Windows\{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe
        
        C:\Windows\{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe
        
        C:\Windows\{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe
        
        C:\Windows\{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe
        
        C:\Windows\{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe
        
        C:\Windows\{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\{D7ECE625-1D6E-486a-8193-65E54D31881B}.exe
        
        C:\Windows\{D7ECE625-1D6E-486a-8193-65E54D31881B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\{527B3A64-ECD3-4e13-8A88-C7C845597B70}.exe
        
        C:\Windows\{527B3A64-ECD3-4e13-8A88-C7C845597B70}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
        
        C:\Windows\{4D4AB2EB-77C4-42f0-A901-FF989DC194EC}.exe
        
        C:\Windows\{4D4AB2EB-77C4-42f0-A901-FF989DC194EC}.exe
        13⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{527B3~1.EXE > nul
        13⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7ECE~1.EXE > nul
        12⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E27C5~1.EXE > nul
        11⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18057~1.EXE > nul
        10⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6484E~1.EXE > nul
        9⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03BD6~1.EXE > nul
        8⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22C7F~1.EXE > nul
        7⤵
        
        PID:3696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3C51~1.EXE > nul
        6⤵
        
        PID:4620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D10E3~1.EXE > nul
        5⤵
        
        PID:4452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{232C7~1.EXE > nul
      4⤵
      PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A1B55~1.EXE > nul
    3⤵
    PID:3216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03BD6349-057F-43bf-9C49-FB5F91657A30}.exe

Filesize
180KB

MD5
b59f18d6539d5fa532d7aab557498d8b

SHA1
e1c0e3cfdd84334fb2f37c97c58acc6829bdcdf7

SHA256
d60da1674c0ab291bb3dd29adef83d2e774a30f88528ca50841fb656eafb7e63

SHA512
8f87ae48985c97d4dc383234d12d25c9b1f9503fdde9551260bd07898a49d7eb8b5d69429d63269be44211408268d43ef2884b90499de5489b17143df8ef3b8b

Download Submit
C:\Windows\{180576A9-F4A4-47b7-A8A3-29319437CA54}.exe

Filesize
180KB

MD5
45bab1b4f7f73d7032b7036d0e7fdd17

SHA1
9fad86e28443dbefaee8443d9eb2a58133512868

SHA256
188f461cb9c76ec1d99ffa285e69b7c347378e6444f18871e12ff557ed12bf4e

SHA512
f58ad2eece428bd4fca8a8a776cc72f2d560888e71b21b600db93175e76a2d211056238e1a64f4196c4cd4c1dd11c58efff6c28a073a232c1a535217aa641a10

Download Submit
C:\Windows\{22C7F34C-1E66-47a2-82CA-7D4A35CA8594}.exe

Filesize
180KB

MD5
ac3c11030807189e68cfaceaf9733a07

SHA1
97e443c8302c7f1b79cc09125426df0f2122b41e

SHA256
23b2a3aec2e470d9f56a3eb3e7647ed909f8ee15fc894468641fcb2aa3727b0a

SHA512
9ec57e5d328bcef573add7b794478f3ea13ebc50f791277d3d0e1b41dead4d8f9dd06c2b7864983f9da2d61effbc1f7780f0d2e30d02662f38cbe38011731a69

Download Submit
C:\Windows\{232C7A3F-BADA-4564-BDAF-6CE330A60929}.exe

Filesize
180KB

MD5
9fc5679c132051c44493d95657ec5e71

SHA1
58defcb57e70aa6a95d218f214047e9bc8a71ac7

SHA256
03bbf217ff998b073c19b3dd19fa5c8b26f41a2aa97b38a19b037476f4392fdb

SHA512
f53fb793f7d21e7abe5dd79f2b43a9b88ea564716e659abd4dd769b68bc1e100f5ac8b6bbf110b0546f2123998db2e7ffcd93a2713673f3fa3452d366b6ada9b

Download Submit
C:\Windows\{4D4AB2EB-77C4-42f0-A901-FF989DC194EC}.exe

Filesize
180KB

MD5
aa8eeeb3319b6a05ce3b38e4f8419280

SHA1
30f76a98b2fd34d49fff22878700f903bde28594

SHA256
b6bea2d86461336bd58ac940efa9452c869d79b04ac14eb47bbd4d99dba93e67

SHA512
7e94ae5420976c201ea99280eae8a5f5f0b258aa496b87aa771171cbcc23f9f79f0d6c2d989cf72a6a3c508421d683c750d3b9312993957286b62c79cfa9dc16

Download Submit
C:\Windows\{527B3A64-ECD3-4e13-8A88-C7C845597B70}.exe

Filesize
180KB

MD5
ffbd6586c85d0efec003837b0ddcaea0

SHA1
720a283e14497cad64ec2e653980f32cd22841a9

SHA256
adc29f2b7a50d925e06eb19bac64ef88e4ad209a3fbcccd03f16d443cfdf854e

SHA512
32c83cf0b8f0d813621b9c4f3920e67267b26740b6c21b72d99e0a34b4bd831d4b83047c6dda3611ed9e6bbdc8153b91a4aff38e6ba2784da452de15a9e9359a

Download Submit
C:\Windows\{6484E0A8-D5D3-488d-96A4-CB1FD1321516}.exe

Filesize
180KB

MD5
9b76a51fd44f40bf2ea449469f52535f

SHA1
d13312fcd1ee62c2ff804779999595e842ff2602

SHA256
b8035c0352dc436f01d9e23084e5fc2b01f951e9056edac2d3473865a4d0f724

SHA512
83e99705c9f8129f3f62b8f9ee3789ed6c8bc7a3d92862a210d6233845a218efcf6f8cd4be0b5e065fb37407c8be0bac2f5188788ef264df691be59c761e83aa

Download Submit
C:\Windows\{A1B5552A-018F-4dff-BAC1-E3EB7BEC7C5D}.exe

Filesize
180KB

MD5
79a91dc13ef0264cf1ea5d6323a915f2

SHA1
84ad7a90927f037bc5bd26117b6afd3a233c0f13

SHA256
1ef8bdf7b0f79f23747e4162d17d5a1f7189fe39737ec27718d9c0d76f9f3bf6

SHA512
26390b1c092cd37eac3c00177f0da4e14bca3085125130effcadaa9483c782d23f2d3b7ec7c7574ab735488f5f995556587d3d5b52e0744eabb11c1a7b08ce1e

Download Submit
C:\Windows\{A3C51CB0-6A42-4a4d-981A-50D3006BE462}.exe

Filesize
180KB

MD5
dcc7fe541bf6ff7b03591500959d16da

SHA1
5aa2f63f4f0552c246c209ffb9a7bbfd0b5944b3

SHA256
53106e2fe82ea50ce7a16c2583aef1c95759d3167cb9bf00bb67026952dee1be

SHA512
44380b1ed1f0d80beaa9109ff9c24f133e15ca13aefeecfbdde9dbc610cb4379b5404ecc26db87dfc4339217fed94188fc40bc02e58162dc7049683c790798bf

Download Submit
C:\Windows\{D10E36B6-884C-4fde-A7BB-C6BA9CE64C77}.exe

Filesize
180KB

MD5
6cf4baacbdedce856ddf789db9e4ec70

SHA1
da5bfc4397ca3c2d72ae36d0ea8556e093ef5ba3

SHA256
7938841328a7a15f86e02b9a6de08f3bffedffd4e8d7edd33651c571bb8a8e16

SHA512
0696f1c7d029a661e5e1cff1edf0b71b394eb2e84c0c6e87078264621513a029c06b7537066499d8a377a7818a1121745de4a3fa085adc9eeb8e6a5d1393f9bc

Download Submit
C:\Windows\{D7ECE625-1D6E-486a-8193-65E54D31881B}.exe

Filesize
180KB

MD5
af182d33c01a272685c1fb51f027764b

SHA1
1ec091bb5bf9a255c7b992e517c89e4d91c10eee

SHA256
bab2d648d8b1085dd5d06ce47be113086d005780c7adb6e9d677227e3fda989e

SHA512
a35d0049fa9519b3ca10e07caf2731b34ada14cb4673a2d393b69bdc2c422f940f2be480e41f6a9960e4eaae18dae7f5aa7e41c83a556500f18b431ece9f1428

Download Submit
C:\Windows\{E27C5FF5-3548-4f20-9F4D-3D786E8A1E3E}.exe

Filesize
180KB

MD5
e0653dbf3bb038bd144d531765113f51

SHA1
a0c6e84ac21e68efdb38849b73e18f6e7535d68d

SHA256
9f3db9e05c141bc372d31b59b2386b749e439c8c70d0f33274d7ee291320d697

SHA512
ebaee6cb2c1575218488a96607f0422b6a70fbd46924f45d3142c07300511ec5c5a6acae5167c8bbeee105fd4ffd75a6d14bf27bfff04f650628d8fb59aec034

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads