6fe40ad407fa1a10ffd59ad3d5c546ab8981b00ad90e74b01f30e6fba26b2a1c

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe
Size

408KB
MD5

810074d7792fd317e3ca96f6eeebe3bc
SHA1

aec915f1c3b177aeb021b3e4ebac9879534e75f8
SHA256

6fe40ad407fa1a10ffd59ad3d5c546ab8981b00ad90e74b01f30e6fba26b2a1c
SHA512

40ec2064878db8515ce0cc2a7e677ede8b3e26bdb545f6116b2c61a19c5d418ed2fd4e66a74b1431ba074042fca97c4b9c4ba800a86f2883c5151d43e5e289b0
SSDEEP

3072:CEGh0ool3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGyldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233f4-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001db36-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023403-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002340f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234f8-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340f-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023357-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023361-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023357-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002351a-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0014000000023357-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023372-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}\stubpath = "C:\\Windows\\{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe"	{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}	{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E31D87C-75E0-4d24-AD0B-8CC3CB1D68B0}\stubpath = "C:\\Windows\\{4E31D87C-75E0-4d24-AD0B-8CC3CB1D68B0}.exe"	{BBB88F25-5B48-400e-9E78-8D65EA653BFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{763FDA90-6228-45e8-BCF2-F2B65C261D8E}	2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}\stubpath = "C:\\Windows\\{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe"	{2F83538E-64CE-4286-97E3-E029614D231A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44816C64-5E28-49e1-8CC9-87803F98F05F}\stubpath = "C:\\Windows\\{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe"	{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}	{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}	{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}\stubpath = "C:\\Windows\\{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe"	{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBB88F25-5B48-400e-9E78-8D65EA653BFE}\stubpath = "C:\\Windows\\{BBB88F25-5B48-400e-9E78-8D65EA653BFE}.exe"	{2F7E8944-06CE-481a-BA3C-5A5751270585}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F83538E-64CE-4286-97E3-E029614D231A}	{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F83538E-64CE-4286-97E3-E029614D231A}\stubpath = "C:\\Windows\\{2F83538E-64CE-4286-97E3-E029614D231A}.exe"	{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}	{2F83538E-64CE-4286-97E3-E029614D231A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F7E8944-06CE-481a-BA3C-5A5751270585}\stubpath = "C:\\Windows\\{2F7E8944-06CE-481a-BA3C-5A5751270585}.exe"	{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}\stubpath = "C:\\Windows\\{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe"	{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}	{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}\stubpath = "C:\\Windows\\{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe"	{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}	{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F7E8944-06CE-481a-BA3C-5A5751270585}	{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBB88F25-5B48-400e-9E78-8D65EA653BFE}	{2F7E8944-06CE-481a-BA3C-5A5751270585}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E31D87C-75E0-4d24-AD0B-8CC3CB1D68B0}	{BBB88F25-5B48-400e-9E78-8D65EA653BFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{763FDA90-6228-45e8-BCF2-F2B65C261D8E}\stubpath = "C:\\Windows\\{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe"	2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44816C64-5E28-49e1-8CC9-87803F98F05F}	{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}\stubpath = "C:\\Windows\\{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe"	{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe

Executes dropped EXE 12 IoCs

pid	Process
1864	{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe
1988	{2F83538E-64CE-4286-97E3-E029614D231A}.exe
4476	{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe
3136	{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe
4220	{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe
1620	{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe
4728	{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe
1588	{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe
840	{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe
2852	{2F7E8944-06CE-481a-BA3C-5A5751270585}.exe
4228	{BBB88F25-5B48-400e-9E78-8D65EA653BFE}.exe
3228	{4E31D87C-75E0-4d24-AD0B-8CC3CB1D68B0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe	2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe
File created	C:\Windows\{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe	{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe
File created	C:\Windows\{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe	{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe
File created	C:\Windows\{2F7E8944-06CE-481a-BA3C-5A5751270585}.exe	{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe
File created	C:\Windows\{BBB88F25-5B48-400e-9E78-8D65EA653BFE}.exe	{2F7E8944-06CE-481a-BA3C-5A5751270585}.exe
File created	C:\Windows\{4E31D87C-75E0-4d24-AD0B-8CC3CB1D68B0}.exe	{BBB88F25-5B48-400e-9E78-8D65EA653BFE}.exe
File created	C:\Windows\{2F83538E-64CE-4286-97E3-E029614D231A}.exe	{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe
File created	C:\Windows\{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe	{2F83538E-64CE-4286-97E3-E029614D231A}.exe
File created	C:\Windows\{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe	{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe
File created	C:\Windows\{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe	{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe
File created	C:\Windows\{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe	{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe
File created	C:\Windows\{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe	{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3808	2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1864	{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe
Token: SeIncBasePriorityPrivilege	1988	{2F83538E-64CE-4286-97E3-E029614D231A}.exe
Token: SeIncBasePriorityPrivilege	4476	{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe
Token: SeIncBasePriorityPrivilege	3136	{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe
Token: SeIncBasePriorityPrivilege	4220	{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe
Token: SeIncBasePriorityPrivilege	1620	{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe
Token: SeIncBasePriorityPrivilege	4728	{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe
Token: SeIncBasePriorityPrivilege	1588	{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe
Token: SeIncBasePriorityPrivilege	840	{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe
Token: SeIncBasePriorityPrivilege	2852	{2F7E8944-06CE-481a-BA3C-5A5751270585}.exe
Token: SeIncBasePriorityPrivilege	4228	{BBB88F25-5B48-400e-9E78-8D65EA653BFE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 1864	3808	2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe	95
PID 3808 wrote to memory of 1864	3808	2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe	95
PID 3808 wrote to memory of 1864	3808	2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe	95
PID 3808 wrote to memory of 892	3808	2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe	96
PID 3808 wrote to memory of 892	3808	2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe	96
PID 3808 wrote to memory of 892	3808	2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe	96
PID 1864 wrote to memory of 1988	1864	{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe	98
PID 1864 wrote to memory of 1988	1864	{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe	98
PID 1864 wrote to memory of 1988	1864	{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe	98
PID 1864 wrote to memory of 1468	1864	{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe	99
PID 1864 wrote to memory of 1468	1864	{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe	99
PID 1864 wrote to memory of 1468	1864	{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe	99
PID 1988 wrote to memory of 4476	1988	{2F83538E-64CE-4286-97E3-E029614D231A}.exe	103
PID 1988 wrote to memory of 4476	1988	{2F83538E-64CE-4286-97E3-E029614D231A}.exe	103
PID 1988 wrote to memory of 4476	1988	{2F83538E-64CE-4286-97E3-E029614D231A}.exe	103
PID 1988 wrote to memory of 4948	1988	{2F83538E-64CE-4286-97E3-E029614D231A}.exe	104
PID 1988 wrote to memory of 4948	1988	{2F83538E-64CE-4286-97E3-E029614D231A}.exe	104
PID 1988 wrote to memory of 4948	1988	{2F83538E-64CE-4286-97E3-E029614D231A}.exe	104
PID 4476 wrote to memory of 3136	4476	{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe	105
PID 4476 wrote to memory of 3136	4476	{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe	105
PID 4476 wrote to memory of 3136	4476	{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe	105
PID 4476 wrote to memory of 1812	4476	{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe	106
PID 4476 wrote to memory of 1812	4476	{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe	106
PID 4476 wrote to memory of 1812	4476	{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe	106
PID 3136 wrote to memory of 4220	3136	{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe	107
PID 3136 wrote to memory of 4220	3136	{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe	107
PID 3136 wrote to memory of 4220	3136	{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe	107
PID 3136 wrote to memory of 4180	3136	{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe	108
PID 3136 wrote to memory of 4180	3136	{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe	108
PID 3136 wrote to memory of 4180	3136	{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe	108
PID 4220 wrote to memory of 1620	4220	{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe	110
PID 4220 wrote to memory of 1620	4220	{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe	110
PID 4220 wrote to memory of 1620	4220	{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe	110
PID 4220 wrote to memory of 4880	4220	{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe	111
PID 4220 wrote to memory of 4880	4220	{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe	111
PID 4220 wrote to memory of 4880	4220	{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe	111
PID 1620 wrote to memory of 4728	1620	{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe	114
PID 1620 wrote to memory of 4728	1620	{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe	114
PID 1620 wrote to memory of 4728	1620	{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe	114
PID 1620 wrote to memory of 1780	1620	{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe	115
PID 1620 wrote to memory of 1780	1620	{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe	115
PID 1620 wrote to memory of 1780	1620	{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe	115
PID 4728 wrote to memory of 1588	4728	{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe	116
PID 4728 wrote to memory of 1588	4728	{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe	116
PID 4728 wrote to memory of 1588	4728	{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe	116
PID 4728 wrote to memory of 4484	4728	{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe	117
PID 4728 wrote to memory of 4484	4728	{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe	117
PID 4728 wrote to memory of 4484	4728	{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe	117
PID 1588 wrote to memory of 840	1588	{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe	120
PID 1588 wrote to memory of 840	1588	{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe	120
PID 1588 wrote to memory of 840	1588	{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe	120
PID 1588 wrote to memory of 3476	1588	{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe	121
PID 1588 wrote to memory of 3476	1588	{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe	121
PID 1588 wrote to memory of 3476	1588	{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe	121
PID 840 wrote to memory of 2852	840	{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe	123
PID 840 wrote to memory of 2852	840	{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe	123
PID 840 wrote to memory of 2852	840	{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe	123
PID 840 wrote to memory of 5088	840	{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe	124
PID 840 wrote to memory of 5088	840	{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe	124
PID 840 wrote to memory of 5088	840	{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe	124
PID 2852 wrote to memory of 4228	2852	{2F7E8944-06CE-481a-BA3C-5A5751270585}.exe	130
PID 2852 wrote to memory of 4228	2852	{2F7E8944-06CE-481a-BA3C-5A5751270585}.exe	130
PID 2852 wrote to memory of 4228	2852	{2F7E8944-06CE-481a-BA3C-5A5751270585}.exe	130
PID 2852 wrote to memory of 2268	2852	{2F7E8944-06CE-481a-BA3C-5A5751270585}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe
  C:\Windows\{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\{2F83538E-64CE-4286-97E3-E029614D231A}.exe
    C:\Windows\{2F83538E-64CE-4286-97E3-E029614D231A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe
      C:\Windows\{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Windows\{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe
        
        C:\Windows\{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3136
      - C:\Windows\{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe
        
        C:\Windows\{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe
        
        C:\Windows\{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe
        
        C:\Windows\{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe
        
        C:\Windows\{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe
        
        C:\Windows\{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\{2F7E8944-06CE-481a-BA3C-5A5751270585}.exe
        
        C:\Windows\{2F7E8944-06CE-481a-BA3C-5A5751270585}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{BBB88F25-5B48-400e-9E78-8D65EA653BFE}.exe
        
        C:\Windows\{BBB88F25-5B48-400e-9E78-8D65EA653BFE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
        
        C:\Windows\{4E31D87C-75E0-4d24-AD0B-8CC3CB1D68B0}.exe
        
        C:\Windows\{4E31D87C-75E0-4d24-AD0B-8CC3CB1D68B0}.exe
        13⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBB88~1.EXE > nul
        13⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F7E8~1.EXE > nul
        12⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1476A~1.EXE > nul
        11⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5D24~1.EXE > nul
        10⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF74~1.EXE > nul
        9⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{671CA~1.EXE > nul
        8⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AFEE~1.EXE > nul
        7⤵
        
        PID:4880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44816~1.EXE > nul
        6⤵
        
        PID:4180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBC63~1.EXE > nul
        5⤵
        
        PID:1812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2F835~1.EXE > nul
      4⤵
      PID:4948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{763FD~1.EXE > nul
    3⤵
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1476ABF4-7B80-4c7e-8FB6-2C5A77A567DA}.exe

Filesize
408KB

MD5
9e579ffa290783a0f1283f0fac2655d4

SHA1
f8d7ae28419f64c7c853c9118b8f81751458fe0f

SHA256
7e3ea5511e61c9380535135bf2094278cb5d0cbf0599832f356815cc128b0079

SHA512
1dd423fcc02cec57c69a2cc5f72eafae17c150859c480c45fa2a03c7d493260797dd7065d370a179e6261cb4e54bcc1bc8ad5436c97cf529bb9af144700456f7

Download Submit
C:\Windows\{2F7E8944-06CE-481a-BA3C-5A5751270585}.exe

Filesize
408KB

MD5
aa18504afa12152177579f943f09fd49

SHA1
7028a0ef307a7fc25f183157bbeec57e732f1a09

SHA256
20263cac2435632c72cc5e0d44637f5618f5363b7e794d9177d205b6f8c7465d

SHA512
e216ef72a41d3ca4edbcbe161b417db5eed1631e4cff0898419f180017998f832f7445fc290b65a5d9fa0b75e90d55410154f74cdddf7088091eb34f1182d40f

Download Submit
C:\Windows\{2F83538E-64CE-4286-97E3-E029614D231A}.exe

Filesize
408KB

MD5
92d7e6335210a26017a21530284a8715

SHA1
a98d39e152e3b26aab638cbabe0a0cea6b651bfd

SHA256
3f682edd80af06ecd1139ec2056a3430118d56e9b4099f6f385ce9938eb2a76e

SHA512
51accc8eaee726a6c0c20b94b8cc420718648b0d289f287685c4b1431e8b1f070be4fda990a441e5bbe6d7ac852e3fd571a8a9b3115f19a8c2898d9b8a21e6fa

Download Submit
C:\Windows\{44816C64-5E28-49e1-8CC9-87803F98F05F}.exe

Filesize
408KB

MD5
96df89fc1272d6f365f7d445181afa73

SHA1
142c5c338fd7608ff57648704ef766678024b20a

SHA256
6a5be07ed16a253485adac4eb33f309b712a70ac63ff533d1b1c550ada490d29

SHA512
48a59e495615a20758f1f9ab7e7c4f53fc2d5c2d59d5818e4aada59ddef204d659cbc3323cc90451730fc01616caf571e02bb6f7d3c5ebdf7796a4902fe62204

Download Submit
C:\Windows\{4E31D87C-75E0-4d24-AD0B-8CC3CB1D68B0}.exe

Filesize
408KB

MD5
295ae2d67a34f71a1ecfc9bfd8b3ee19

SHA1
7f847e22ee8d318205ee7af3a92f5a1db9e3e821

SHA256
89c64413a2df1da19fcaa34a505f711b267007a8da8999a766cb01c33fdbcdfd

SHA512
12ff8a12562d30af1a2ca3bdda904c5b302aa51f9d0cf0fd60c6e7c285ce89acbb172a2e9f875dc14a524885980337a4e41adaec93ee5df8d4013b77dbe19a38

Download Submit
C:\Windows\{5AFEE36E-DA14-42bb-83CE-D88B9DAF6032}.exe

Filesize
408KB

MD5
52e81cdc861b7ba4d46a8b46b90f60de

SHA1
711667456b9db8dacaa3073eb2082bf21943fbe0

SHA256
00444fe7680637ebdc988d0e277595f723a0caed5c5e601d6c8f23e3fe30de10

SHA512
21bfd2a5c0a7a3d445abbe09f7936775adab81619b045236a8aa3cb60e33a0c95e0d1d4cdfc739415194581728ee15fbe127bf92b33a38594d47e0a6f1e6a0a2

Download Submit
C:\Windows\{671CA9CB-B5A5-43e1-9B1A-344E22F7B27E}.exe

Filesize
408KB

MD5
e2e34e5d3932c1ca3cd04bf6fc3ce91c

SHA1
cf972aa24a2e05783d3eeb9123e2749ccbdbb1b9

SHA256
ae120b9ea702bef1806c8dc79645c7597dcc176ac17daecce20dce1f40ff4dc0

SHA512
518c7caf615b590691a2996367d0c1bf3eb25ac377ec4181c925353bbb5e8792f93c7fef53cf5ad20a99f8328fc8a16ccf7e452c6a3e2e3a4355ea01041ad591

Download Submit
C:\Windows\{763FDA90-6228-45e8-BCF2-F2B65C261D8E}.exe

Filesize
408KB

MD5
7a7d36607af134301186c94ed9aabf5a

SHA1
08837961d0696fa121e75b05efb31788efe99078

SHA256
62ee33f6b4d39a2fa0d5552e72eed8901bce6cb2872701a579a2d0aedc65249f

SHA512
b672a7ad9f223d0219741dac7fa93bbe2c9ec13d274ad5c17f4fbd96f8033d7e7744a06de6e1653f5ca1c10398580f27de34ae58a7f72ebb6753d935d1a26bc1

Download Submit
C:\Windows\{9DF745A4-1E0B-45f1-9C81-C836BB8F04B2}.exe

Filesize
408KB

MD5
d729456db2953f6ccadbe61cd818e2a8

SHA1
537154ab8127c02ed0db260c25044a188176bb40

SHA256
4e10d78407154a2873b44563b447025a88726160bcb0f357adc50531059dd462

SHA512
9e2d762422a168dfee9ee8ee19c61863821ea31c583be2043627971a8eddc4908a854f15431e381d9f487ba5071f9d5b13dd2661d248e13a54b92f6ccc3c7e2b

Download Submit
C:\Windows\{BBB88F25-5B48-400e-9E78-8D65EA653BFE}.exe

Filesize
408KB

MD5
8bf92e35d406ca4fa9b7b5b99a4ef5de

SHA1
64645f8cd4ab240768bb9e0931d229d5bd44b5cc

SHA256
83672832f66a14d1391e30dfd11430cfa3cb1f66fd63e1b5863229cf70eb5a4f

SHA512
1ebd2a4864e9440111f6321c5d8c224fac982734d9802c8e8893bb37130102e23da85f0184a2f5434ff67f451ceba3dcefb6c6ceff3375923a6414a150adb2a7

Download Submit
C:\Windows\{BBC63F85-5DEC-4f6b-8291-D6690E70EC16}.exe

Filesize
408KB

MD5
e36a069d19e27a2f7a84967d986d4663

SHA1
78fd8414fbbed9754b88c620eb1ffe96b62ce0e6

SHA256
b2d24031e67163db509abb5f8160465392b0fca826a3647a6e000b86ade3fc58

SHA512
afc81c75569e44f6a83682f2073c4976f1315113d3a6119b4a832a7eb4b68c10c50e243868db6aac394be6e1ceaefe4c0686d1cb3014e5400c032e3fb4f84e00

Download Submit
C:\Windows\{D5D249F7-7D15-4eb8-AFDB-2AC7A2E49CA3}.exe

Filesize
408KB

MD5
215e556c96811267bca56c731ecbb76e

SHA1
83d104ec891031e80fd74b5704c6823af68732a3

SHA256
98c9677f37f675cbb00e7f8f5a54ed5a7cc1a8db85ff5f2ac85215a16a017d75

SHA512
5cd2abbd011c8023db7bca451af0ed28e0c19fa6c4df3ff81bfea6070023624a1815ea2678819bc55da2d6fd1dbabf80828d3bff021ce126a86a97ef8646690a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads