85191e34335b692c38d5fc04abeaca72356354ed7a5f400decefad04dd2a897f

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe
Size

204KB
MD5

e7c8f53262da78b713698ed11e4403c6
SHA1

89c4322d4d592e303243c0ceca1861c5aa8d2376
SHA256

85191e34335b692c38d5fc04abeaca72356354ed7a5f400decefad04dd2a897f
SHA512

754d9a72967b5ee9af16c103fe23f700d3098f772adef9e1f7dd1dd6be89e55ab92996f3e37a4a8a5ba98f6c2e87e4d137aee64db9e659ae86c5da0e50ecb2a9
SSDEEP

1536:1EGh0o0l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o0l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002336c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023428-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023437-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023440-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000229d6-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002337f-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000229d6-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001db28-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002354d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023550-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002354d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022983-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}\stubpath = "C:\\Windows\\{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe"	{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{280684AD-ACEC-46c1-AE5A-346B43DD73FA}	{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{280684AD-ACEC-46c1-AE5A-346B43DD73FA}\stubpath = "C:\\Windows\\{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe"	{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}\stubpath = "C:\\Windows\\{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe"	{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{860816EC-F298-474b-AEC9-8C665BFA2C9F}	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{860816EC-F298-474b-AEC9-8C665BFA2C9F}\stubpath = "C:\\Windows\\{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe"	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C29AE142-BFA6-4dc7-8872-B29F64F42672}	{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C29AE142-BFA6-4dc7-8872-B29F64F42672}\stubpath = "C:\\Windows\\{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe"	{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AE552D1-DCCB-4bb0-B7B9-18E2DECA9C02}\stubpath = "C:\\Windows\\{5AE552D1-DCCB-4bb0-B7B9-18E2DECA9C02}.exe"	{3C3082F9-1D10-4175-A662-04DA69A5BFDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBEF4180-5402-484c-9601-BB7B69AF4889}\stubpath = "C:\\Windows\\{EBEF4180-5402-484c-9601-BB7B69AF4889}.exe"	{5AE552D1-DCCB-4bb0-B7B9-18E2DECA9C02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F804196B-CFA2-43e8-A83B-DE81C4EBA559}	{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F22360F-035E-4d6f-9AA9-6F0250128647}\stubpath = "C:\\Windows\\{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe"	{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}	{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AE552D1-DCCB-4bb0-B7B9-18E2DECA9C02}	{3C3082F9-1D10-4175-A662-04DA69A5BFDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBEF4180-5402-484c-9601-BB7B69AF4889}	{5AE552D1-DCCB-4bb0-B7B9-18E2DECA9C02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}	{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54470464-BA24-4ecd-A19E-5D06EF759EBF}	{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C3082F9-1D10-4175-A662-04DA69A5BFDF}	{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C3082F9-1D10-4175-A662-04DA69A5BFDF}\stubpath = "C:\\Windows\\{3C3082F9-1D10-4175-A662-04DA69A5BFDF}.exe"	{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFE66556-E940-49f2-9713-4B714DFBC3B1}\stubpath = "C:\\Windows\\{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe"	{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F804196B-CFA2-43e8-A83B-DE81C4EBA559}\stubpath = "C:\\Windows\\{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe"	{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54470464-BA24-4ecd-A19E-5D06EF759EBF}\stubpath = "C:\\Windows\\{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe"	{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F22360F-035E-4d6f-9AA9-6F0250128647}	{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFE66556-E940-49f2-9713-4B714DFBC3B1}	{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe

Executes dropped EXE 12 IoCs

pid	Process
4092	{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe
1772	{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe
3152	{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe
1612	{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe
5088	{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe
4352	{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe
1584	{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe
1672	{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe
2116	{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe
4908	{3C3082F9-1D10-4175-A662-04DA69A5BFDF}.exe
964	{5AE552D1-DCCB-4bb0-B7B9-18E2DECA9C02}.exe
3800	{EBEF4180-5402-484c-9601-BB7B69AF4889}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe
File created	C:\Windows\{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe	{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe
File created	C:\Windows\{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe	{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe
File created	C:\Windows\{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe	{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe
File created	C:\Windows\{5AE552D1-DCCB-4bb0-B7B9-18E2DECA9C02}.exe	{3C3082F9-1D10-4175-A662-04DA69A5BFDF}.exe
File created	C:\Windows\{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe	{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe
File created	C:\Windows\{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe	{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe
File created	C:\Windows\{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe	{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe
File created	C:\Windows\{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe	{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe
File created	C:\Windows\{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe	{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe
File created	C:\Windows\{3C3082F9-1D10-4175-A662-04DA69A5BFDF}.exe	{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe
File created	C:\Windows\{EBEF4180-5402-484c-9601-BB7B69AF4889}.exe	{5AE552D1-DCCB-4bb0-B7B9-18E2DECA9C02}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3036	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4092	{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe
Token: SeIncBasePriorityPrivilege	1772	{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe
Token: SeIncBasePriorityPrivilege	3152	{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe
Token: SeIncBasePriorityPrivilege	1612	{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe
Token: SeIncBasePriorityPrivilege	5088	{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe
Token: SeIncBasePriorityPrivilege	4352	{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe
Token: SeIncBasePriorityPrivilege	1584	{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe
Token: SeIncBasePriorityPrivilege	1672	{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe
Token: SeIncBasePriorityPrivilege	2116	{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe
Token: SeIncBasePriorityPrivilege	4908	{3C3082F9-1D10-4175-A662-04DA69A5BFDF}.exe
Token: SeIncBasePriorityPrivilege	964	{5AE552D1-DCCB-4bb0-B7B9-18E2DECA9C02}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 4092	3036	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe	96
PID 3036 wrote to memory of 4092	3036	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe	96
PID 3036 wrote to memory of 4092	3036	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe	96
PID 3036 wrote to memory of 3076	3036	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe	97
PID 3036 wrote to memory of 3076	3036	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe	97
PID 3036 wrote to memory of 3076	3036	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe	97
PID 4092 wrote to memory of 1772	4092	{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe	102
PID 4092 wrote to memory of 1772	4092	{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe	102
PID 4092 wrote to memory of 1772	4092	{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe	102
PID 4092 wrote to memory of 1396	4092	{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe	103
PID 4092 wrote to memory of 1396	4092	{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe	103
PID 4092 wrote to memory of 1396	4092	{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe	103
PID 1772 wrote to memory of 3152	1772	{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe	105
PID 1772 wrote to memory of 3152	1772	{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe	105
PID 1772 wrote to memory of 3152	1772	{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe	105
PID 1772 wrote to memory of 2932	1772	{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe	106
PID 1772 wrote to memory of 2932	1772	{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe	106
PID 1772 wrote to memory of 2932	1772	{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe	106
PID 3152 wrote to memory of 1612	3152	{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe	109
PID 3152 wrote to memory of 1612	3152	{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe	109
PID 3152 wrote to memory of 1612	3152	{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe	109
PID 3152 wrote to memory of 2332	3152	{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe	110
PID 3152 wrote to memory of 2332	3152	{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe	110
PID 3152 wrote to memory of 2332	3152	{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe	110
PID 1612 wrote to memory of 5088	1612	{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe	111
PID 1612 wrote to memory of 5088	1612	{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe	111
PID 1612 wrote to memory of 5088	1612	{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe	111
PID 1612 wrote to memory of 2384	1612	{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe	112
PID 1612 wrote to memory of 2384	1612	{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe	112
PID 1612 wrote to memory of 2384	1612	{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe	112
PID 5088 wrote to memory of 4352	5088	{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe	115
PID 5088 wrote to memory of 4352	5088	{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe	115
PID 5088 wrote to memory of 4352	5088	{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe	115
PID 5088 wrote to memory of 4980	5088	{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe	116
PID 5088 wrote to memory of 4980	5088	{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe	116
PID 5088 wrote to memory of 4980	5088	{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe	116
PID 4352 wrote to memory of 1584	4352	{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe	120
PID 4352 wrote to memory of 1584	4352	{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe	120
PID 4352 wrote to memory of 1584	4352	{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe	120
PID 4352 wrote to memory of 2072	4352	{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe	121
PID 4352 wrote to memory of 2072	4352	{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe	121
PID 4352 wrote to memory of 2072	4352	{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe	121
PID 1584 wrote to memory of 1672	1584	{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe	122
PID 1584 wrote to memory of 1672	1584	{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe	122
PID 1584 wrote to memory of 1672	1584	{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe	122
PID 1584 wrote to memory of 1448	1584	{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe	123
PID 1584 wrote to memory of 1448	1584	{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe	123
PID 1584 wrote to memory of 1448	1584	{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe	123
PID 1672 wrote to memory of 2116	1672	{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe	128
PID 1672 wrote to memory of 2116	1672	{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe	128
PID 1672 wrote to memory of 2116	1672	{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe	128
PID 1672 wrote to memory of 4800	1672	{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe	129
PID 1672 wrote to memory of 4800	1672	{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe	129
PID 1672 wrote to memory of 4800	1672	{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe	129
PID 2116 wrote to memory of 4908	2116	{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe	130
PID 2116 wrote to memory of 4908	2116	{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe	130
PID 2116 wrote to memory of 4908	2116	{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe	130
PID 2116 wrote to memory of 4852	2116	{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe	131
PID 2116 wrote to memory of 4852	2116	{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe	131
PID 2116 wrote to memory of 4852	2116	{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe	131
PID 4908 wrote to memory of 964	4908	{3C3082F9-1D10-4175-A662-04DA69A5BFDF}.exe	132
PID 4908 wrote to memory of 964	4908	{3C3082F9-1D10-4175-A662-04DA69A5BFDF}.exe	132
PID 4908 wrote to memory of 964	4908	{3C3082F9-1D10-4175-A662-04DA69A5BFDF}.exe	132
PID 4908 wrote to memory of 1592	4908	{3C3082F9-1D10-4175-A662-04DA69A5BFDF}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe
  C:\Windows\{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe
    C:\Windows\{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe
      C:\Windows\{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3152
    - - C:\Windows\{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe
        
        C:\Windows\{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Windows\{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe
        
        C:\Windows\{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe
        
        C:\Windows\{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe
        
        C:\Windows\{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe
        
        C:\Windows\{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe
        
        C:\Windows\{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\{3C3082F9-1D10-4175-A662-04DA69A5BFDF}.exe
        
        C:\Windows\{3C3082F9-1D10-4175-A662-04DA69A5BFDF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\{5AE552D1-DCCB-4bb0-B7B9-18E2DECA9C02}.exe
        
        C:\Windows\{5AE552D1-DCCB-4bb0-B7B9-18E2DECA9C02}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
        
        C:\Windows\{EBEF4180-5402-484c-9601-BB7B69AF4889}.exe
        
        C:\Windows\{EBEF4180-5402-484c-9601-BB7B69AF4889}.exe
        13⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AE55~1.EXE > nul
        13⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C308~1.EXE > nul
        12⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B41FE~1.EXE > nul
        11⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFE66~1.EXE > nul
        10⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F223~1.EXE > nul
        9⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54470~1.EXE > nul
        8⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8041~1.EXE > nul
        7⤵
        
        PID:4980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28068~1.EXE > nul
        6⤵
        
        PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2BD4~1.EXE > nul
        5⤵
        
        PID:2332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C29AE~1.EXE > nul
      4⤵
      PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{86081~1.EXE > nul
    3⤵
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{280684AD-ACEC-46c1-AE5A-346B43DD73FA}.exe

Filesize
204KB

MD5
68cbf112dc336368e848f2107c23bd94

SHA1
e5677354792825b7c174476f9cab34b40045f831

SHA256
f30939170f053aaf6ee9f2f77f8f566a83e9575e7e3396c1fdadef0bb26f4860

SHA512
f05cf788481125d21649a140c1e85bad0b9449a93166ae4f03e2593c9fa751fe8141e676cb3e8a30a01868c1224b451b9dbcd2acfff6b24321b3df1fbc6ab995

Download Submit
C:\Windows\{3C3082F9-1D10-4175-A662-04DA69A5BFDF}.exe

Filesize
204KB

MD5
311be7b447b33b697f5df318eaccf26f

SHA1
e469cd894a52b0d9ac1419b56848a0f99ddbfe06

SHA256
fdba99055dea6c2cbad86396b1027bdfde38cc2470dd7f10d1eae2fdf8692e7a

SHA512
91177bd3e7940023d915d305c7367cc8fc65070b3446a6a99b90d9a40b973d05756820854d456e71d3d386e113c0d985e0ab3221729e2bcbb6b5474fa43c1283

Download Submit
C:\Windows\{54470464-BA24-4ecd-A19E-5D06EF759EBF}.exe

Filesize
204KB

MD5
52afcc22bac243d0b1fc581bdfd79d28

SHA1
a47ce6d998287d91e7fe07a0d16c145155ea711c

SHA256
667de0743d9cd1bb0e0d50b83932cf2d55772cddd35efaf3232db8278c7f6d1e

SHA512
90932cfb3ea5d0b30554348a9007e0d14108adbbfca4d876af3fced6c5197d41e56bcffad4d359c8938b41990bb475a315807bca675b57477b91d0ae284f6120

Download Submit
C:\Windows\{5AE552D1-DCCB-4bb0-B7B9-18E2DECA9C02}.exe

Filesize
204KB

MD5
0877b03ef150e486c9805bd7a4293da4

SHA1
daab2f9c68d5ed113556216fdf716d301718ebea

SHA256
62a67e9204bd597998b1864ac42d27ddeeed41f4c104b76d01191292070da34b

SHA512
fece33a80b4357c91dd8f2d477352a666a06435f0d27142e65ceba75a871f78a104bf36f9075e6918d818f6f3d54efd4d8868420cd5fd6dce655548ae5166890

Download Submit
C:\Windows\{860816EC-F298-474b-AEC9-8C665BFA2C9F}.exe

Filesize
204KB

MD5
c0d8fb1857a06da960892134c246707c

SHA1
9761904632354e9120f672bab873c236ca483086

SHA256
6968b66274b636953e297d92fa79f7e1f47c91fd91dea8eb14ec617501e9ae9a

SHA512
1720d0f347d2eaa78edec5f517e5dba8458e08830f9fcfe97a0f4bad5ded98aaab0030f1d3dd8ddb49403419d2986c647e7b57b9c959049fe1686326a581d9b5

Download Submit
C:\Windows\{9F22360F-035E-4d6f-9AA9-6F0250128647}.exe

Filesize
204KB

MD5
fb8eee6f9cd914873551b743dc4aeccb

SHA1
0a3b2ff901f78f434ad593ba80cad57069c28bbf

SHA256
3c4900925022691a55ba23b511240d16277d8e9ff37150eab7784de4d105bbc8

SHA512
9ac9c127479ab43027b08dca3ed00dd25e2d6809266216e2f02b1855a16ab5de2212980726c927bd40aedd5fb52faec07b0c8f9a6f3311ef4a0587b09abe066d

Download Submit
C:\Windows\{AFE66556-E940-49f2-9713-4B714DFBC3B1}.exe

Filesize
204KB

MD5
992f30cedc75cf3b5854cd35b70d2aa0

SHA1
8b8c689daef15dd07eef20fc56213133815edc78

SHA256
c2835b611ab37ee39a093d458e7aa324eb96dfc015ad979b14ebd25b80151c65

SHA512
6d154bfe181406fc8f583c244b6797b48968ee85ebe3d1bd737ab7542d9a13dcd6a0bc88fc03c0c5f6272de0cb8f9df16c1db46e1ca6bd9cb3688a95770ba17a

Download Submit
C:\Windows\{B41FE9D4-121C-46ea-8F06-BA32CE1265AC}.exe

Filesize
204KB

MD5
8b51194f274f797a1d15aa42528a537f

SHA1
f96e29f8ece6e72eed1b230f7276fb49f583b4b3

SHA256
fd5c36fe5cfe507533603afded90881e5868e7c4f590de6637434f17ac255f48

SHA512
bc682cb73ef7a80b5c492d6e9c581a3c7f9805dde5fed2689752f5a5e9669d84fcf272ab7c05cd87e8fdc467366a8644b4689afba2a3ec43ddf3b818f5a42408

Download Submit
C:\Windows\{C29AE142-BFA6-4dc7-8872-B29F64F42672}.exe

Filesize
204KB

MD5
0da7ade653958533be162bf91e7affb6

SHA1
1e99678a2664e93c4ab6e01f6aaa0ea4cb2b226d

SHA256
8ae004e5767fa69c5681682cc543a4efc35057fbf5a981665402a438b141c974

SHA512
b7bb6435eb2df0ec85a11198464652b8566f451cf456cac106227b39b7241760fb742d9bc03cb4bda6d2ab62c7c41415228f48196b2a2fe12b508dfee6b8fc0d

Download Submit
C:\Windows\{D2BD4E71-A5D4-4e27-BC90-CC4F9A15C88B}.exe

Filesize
204KB

MD5
39862924ab3ece2769cc61ec59586bd1

SHA1
9bc6f99fbabe17251cbb78a407088e73ee538205

SHA256
6660dd15ea77aa3bdf235c2b3b8cf100ee29347c4ef6e35eed80bedc624e35f7

SHA512
ea10105054496a88f6c40d9ef752f95c57c036e533fb0e9a3e025bde03627c649964f6701a24d2f90300fd7133f1338bf31bd265bed2cd0d315cfac50aa9e3df

Download Submit
C:\Windows\{EBEF4180-5402-484c-9601-BB7B69AF4889}.exe

Filesize
204KB

MD5
e5e0b16fd768d996594a32e9637f146a

SHA1
e2c38c84b05d12448790fcc9aefd677f54e5d455

SHA256
d8af870612ee48f115aea8d8899c1125645d0d701cb0446f0108629f16bebc0d

SHA512
2c45b9359ca27ce2b5afe9f91fe2208d34bbc442266594d6e40ebe709496c296ff7d4b086eda592260b1369a506ef2d354d8f743cee9828d6d8e89c15bf963e8

Download Submit
C:\Windows\{F804196B-CFA2-43e8-A83B-DE81C4EBA559}.exe

Filesize
204KB

MD5
a2f00d4352a5c96ce9683faed74d8250

SHA1
061024e5f3c593c2868655350875892596eb9eb7

SHA256
b6449da0e0baf7e82575779e316ac105ae7277724abcd38d12f10e09ce07c3d8

SHA512
2470c2e88b6d3ab15fb3fe00a50d605478cf097e7097013ad5fac9552c83c2057d8be4352487288fb1db45060292cc7c0a90e267a9dce4486207f106a9cd0adc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads