9c0bf83edb844377a2c1eda25465ce64d59f9ee4b40a0875d9299264a5b069f3

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_256ccc7157cdafe8a695d2330dfec592_goldeneye.exe
Size

204KB
MD5

256ccc7157cdafe8a695d2330dfec592
SHA1

34c9b9abeeca8bd5c320a468798461d02bc09dc8
SHA256

9c0bf83edb844377a2c1eda25465ce64d59f9ee4b40a0875d9299264a5b069f3
SHA512

a54c3dc1af1e2a78e91f78c8535efb82ba45b875e9368ccc0fd56e8bc2b852f4403e4164cb58184bf68bcfcefe6a5d422f07143b3304dd67a2ce3bdecc1f7def
SSDEEP

1536:1EGh0o3l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o3l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023411-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023418-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023422-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023431-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000200000001e316-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023402-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e316-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023402-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023545-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001db62-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001db64-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023354-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}	{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F55CD1F3-EA03-4787-98C8-21BB80535842}\stubpath = "C:\\Windows\\{F55CD1F3-EA03-4787-98C8-21BB80535842}.exe"	{F4E7B4A1-96B0-4ec9-A045-F66FEAD2E582}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70BD75D3-B3A0-4165-B378-5678FDD40821}\stubpath = "C:\\Windows\\{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe"	2024-04-21_256ccc7157cdafe8a695d2330dfec592_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}\stubpath = "C:\\Windows\\{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe"	{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C87DA574-BA4D-4147-8DEF-D33008AA7011}	{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C87DA574-BA4D-4147-8DEF-D33008AA7011}\stubpath = "C:\\Windows\\{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe"	{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E003D0A7-B2C2-4d43-8F6E-434BCA321261}	{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A55A71C8-226A-4ff8-9870-5A1327742C13}	{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A55A71C8-226A-4ff8-9870-5A1327742C13}\stubpath = "C:\\Windows\\{A55A71C8-226A-4ff8-9870-5A1327742C13}.exe"	{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}\stubpath = "C:\\Windows\\{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe"	{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E003D0A7-B2C2-4d43-8F6E-434BCA321261}\stubpath = "C:\\Windows\\{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe"	{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}\stubpath = "C:\\Windows\\{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe"	{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70BD75D3-B3A0-4165-B378-5678FDD40821}	2024-04-21_256ccc7157cdafe8a695d2330dfec592_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}\stubpath = "C:\\Windows\\{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe"	{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{296DB55F-81B6-4c37-BDDF-A64009B797DA}\stubpath = "C:\\Windows\\{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe"	{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}\stubpath = "C:\\Windows\\{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe"	{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}	{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F55CD1F3-EA03-4787-98C8-21BB80535842}	{F4E7B4A1-96B0-4ec9-A045-F66FEAD2E582}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4E7B4A1-96B0-4ec9-A045-F66FEAD2E582}\stubpath = "C:\\Windows\\{F4E7B4A1-96B0-4ec9-A045-F66FEAD2E582}.exe"	{A55A71C8-226A-4ff8-9870-5A1327742C13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}	{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{296DB55F-81B6-4c37-BDDF-A64009B797DA}	{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}	{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}	{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4E7B4A1-96B0-4ec9-A045-F66FEAD2E582}	{A55A71C8-226A-4ff8-9870-5A1327742C13}.exe

Executes dropped EXE 12 IoCs

pid	Process
4484	{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe
1460	{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe
2876	{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe
2524	{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe
3116	{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe
2012	{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe
3228	{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe
3624	{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe
4256	{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe
3644	{A55A71C8-226A-4ff8-9870-5A1327742C13}.exe
2216	{F4E7B4A1-96B0-4ec9-A045-F66FEAD2E582}.exe
2184	{F55CD1F3-EA03-4787-98C8-21BB80535842}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe	{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe
File created	C:\Windows\{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe	{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe
File created	C:\Windows\{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe	{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe
File created	C:\Windows\{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe	{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe
File created	C:\Windows\{A55A71C8-226A-4ff8-9870-5A1327742C13}.exe	{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe
File created	C:\Windows\{F4E7B4A1-96B0-4ec9-A045-F66FEAD2E582}.exe	{A55A71C8-226A-4ff8-9870-5A1327742C13}.exe
File created	C:\Windows\{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe	2024-04-21_256ccc7157cdafe8a695d2330dfec592_goldeneye.exe
File created	C:\Windows\{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe	{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe
File created	C:\Windows\{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe	{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe
File created	C:\Windows\{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe	{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe
File created	C:\Windows\{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe	{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe
File created	C:\Windows\{F55CD1F3-EA03-4787-98C8-21BB80535842}.exe	{F4E7B4A1-96B0-4ec9-A045-F66FEAD2E582}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4636	2024-04-21_256ccc7157cdafe8a695d2330dfec592_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4484	{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe
Token: SeIncBasePriorityPrivilege	1460	{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe
Token: SeIncBasePriorityPrivilege	2876	{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe
Token: SeIncBasePriorityPrivilege	2524	{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe
Token: SeIncBasePriorityPrivilege	3116	{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe
Token: SeIncBasePriorityPrivilege	2012	{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe
Token: SeIncBasePriorityPrivilege	3228	{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe
Token: SeIncBasePriorityPrivilege	3624	{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe
Token: SeIncBasePriorityPrivilege	4256	{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe
Token: SeIncBasePriorityPrivilege	3644	{A55A71C8-226A-4ff8-9870-5A1327742C13}.exe
Token: SeIncBasePriorityPrivilege	2216	{F4E7B4A1-96B0-4ec9-A045-F66FEAD2E582}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 4484	4636	2024-04-21_256ccc7157cdafe8a695d2330dfec592_goldeneye.exe	99
PID 4636 wrote to memory of 4484	4636	2024-04-21_256ccc7157cdafe8a695d2330dfec592_goldeneye.exe	99
PID 4636 wrote to memory of 4484	4636	2024-04-21_256ccc7157cdafe8a695d2330dfec592_goldeneye.exe	99
PID 4636 wrote to memory of 768	4636	2024-04-21_256ccc7157cdafe8a695d2330dfec592_goldeneye.exe	100
PID 4636 wrote to memory of 768	4636	2024-04-21_256ccc7157cdafe8a695d2330dfec592_goldeneye.exe	100
PID 4636 wrote to memory of 768	4636	2024-04-21_256ccc7157cdafe8a695d2330dfec592_goldeneye.exe	100
PID 4484 wrote to memory of 1460	4484	{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe	102
PID 4484 wrote to memory of 1460	4484	{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe	102
PID 4484 wrote to memory of 1460	4484	{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe	102
PID 4484 wrote to memory of 3000	4484	{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe	103
PID 4484 wrote to memory of 3000	4484	{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe	103
PID 4484 wrote to memory of 3000	4484	{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe	103
PID 1460 wrote to memory of 2876	1460	{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe	105
PID 1460 wrote to memory of 2876	1460	{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe	105
PID 1460 wrote to memory of 2876	1460	{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe	105
PID 1460 wrote to memory of 3592	1460	{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe	106
PID 1460 wrote to memory of 3592	1460	{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe	106
PID 1460 wrote to memory of 3592	1460	{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe	106
PID 2876 wrote to memory of 2524	2876	{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe	109
PID 2876 wrote to memory of 2524	2876	{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe	109
PID 2876 wrote to memory of 2524	2876	{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe	109
PID 2876 wrote to memory of 4340	2876	{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe	110
PID 2876 wrote to memory of 4340	2876	{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe	110
PID 2876 wrote to memory of 4340	2876	{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe	110
PID 2524 wrote to memory of 3116	2524	{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe	111
PID 2524 wrote to memory of 3116	2524	{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe	111
PID 2524 wrote to memory of 3116	2524	{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe	111
PID 2524 wrote to memory of 2316	2524	{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe	112
PID 2524 wrote to memory of 2316	2524	{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe	112
PID 2524 wrote to memory of 2316	2524	{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe	112
PID 3116 wrote to memory of 2012	3116	{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe	118
PID 3116 wrote to memory of 2012	3116	{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe	118
PID 3116 wrote to memory of 2012	3116	{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe	118
PID 3116 wrote to memory of 1416	3116	{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe	119
PID 3116 wrote to memory of 1416	3116	{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe	119
PID 3116 wrote to memory of 1416	3116	{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe	119
PID 2012 wrote to memory of 3228	2012	{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe	120
PID 2012 wrote to memory of 3228	2012	{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe	120
PID 2012 wrote to memory of 3228	2012	{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe	120
PID 2012 wrote to memory of 2872	2012	{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe	121
PID 2012 wrote to memory of 2872	2012	{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe	121
PID 2012 wrote to memory of 2872	2012	{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe	121
PID 3228 wrote to memory of 3624	3228	{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe	122
PID 3228 wrote to memory of 3624	3228	{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe	122
PID 3228 wrote to memory of 3624	3228	{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe	122
PID 3228 wrote to memory of 4484	3228	{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe	123
PID 3228 wrote to memory of 4484	3228	{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe	123
PID 3228 wrote to memory of 4484	3228	{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe	123
PID 3624 wrote to memory of 4256	3624	{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe	128
PID 3624 wrote to memory of 4256	3624	{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe	128
PID 3624 wrote to memory of 4256	3624	{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe	128
PID 3624 wrote to memory of 4792	3624	{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe	129
PID 3624 wrote to memory of 4792	3624	{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe	129
PID 3624 wrote to memory of 4792	3624	{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe	129
PID 4256 wrote to memory of 3644	4256	{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe	133
PID 4256 wrote to memory of 3644	4256	{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe	133
PID 4256 wrote to memory of 3644	4256	{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe	133
PID 4256 wrote to memory of 408	4256	{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe	134
PID 4256 wrote to memory of 408	4256	{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe	134
PID 4256 wrote to memory of 408	4256	{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe	134
PID 3644 wrote to memory of 2216	3644	{A55A71C8-226A-4ff8-9870-5A1327742C13}.exe	135
PID 3644 wrote to memory of 2216	3644	{A55A71C8-226A-4ff8-9870-5A1327742C13}.exe	135
PID 3644 wrote to memory of 2216	3644	{A55A71C8-226A-4ff8-9870-5A1327742C13}.exe	135
PID 3644 wrote to memory of 5104	3644	{A55A71C8-226A-4ff8-9870-5A1327742C13}.exe	136

C:\Users\Admin\AppData\Local\Temp\2024-04-21_256ccc7157cdafe8a695d2330dfec592_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_256ccc7157cdafe8a695d2330dfec592_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe
  C:\Windows\{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe
    C:\Windows\{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe
      C:\Windows\{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe
        
        C:\Windows\{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe
        
        C:\Windows\{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe
        
        C:\Windows\{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe
        
        C:\Windows\{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe
        
        C:\Windows\{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe
        
        C:\Windows\{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\{A55A71C8-226A-4ff8-9870-5A1327742C13}.exe
        
        C:\Windows\{A55A71C8-226A-4ff8-9870-5A1327742C13}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\{F4E7B4A1-96B0-4ec9-A045-F66FEAD2E582}.exe
        
        C:\Windows\{F4E7B4A1-96B0-4ec9-A045-F66FEAD2E582}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\{F55CD1F3-EA03-4787-98C8-21BB80535842}.exe
        
        C:\Windows\{F55CD1F3-EA03-4787-98C8-21BB80535842}.exe
        13⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4E7B~1.EXE > nul
        13⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A55A7~1.EXE > nul
        12⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C41E~1.EXE > nul
        11⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E003D~1.EXE > nul
        10⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{185DA~1.EXE > nul
        9⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C87DA~1.EXE > nul
        8⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BFC3~1.EXE > nul
        7⤵
        
        PID:1416
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D364~1.EXE > nul
        6⤵
        
        PID:2316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{296DB~1.EXE > nul
        5⤵
        
        PID:4340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{38E30~1.EXE > nul
      4⤵
      PID:3592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{70BD7~1.EXE > nul
    3⤵
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{185DA7CB-AF01-470d-B6A4-1FD85D2235AB}.exe

Filesize
204KB

MD5
915e90ac91222a1059488b4bdb182a23

SHA1
95e33e08f45118da600c784e162aadbb50d9c177

SHA256
f4712977845536b9c86af2fa0b7f2f106de6dd4803eebfb0faa436ea3575ef9d

SHA512
0063c82da372a90b78f3c084c7b92abb31c9bdfb7a8fa9ece209dd11077621cd2b54d59f30fb54d086611f28d93c87ff0b8b28f512d6bc01bcab2731947736e5

Download Submit
C:\Windows\{296DB55F-81B6-4c37-BDDF-A64009B797DA}.exe

Filesize
204KB

MD5
76fa26f3406abe3b03d1e08003f86ebc

SHA1
6bb6a6ace23eea90f7408440211c7d3748748fed

SHA256
a21428ce41165f5e37cfeea0c3d85fc7f1349ba6c0633a9f6358468083d08f54

SHA512
2a01d27f9cf64f4e3d53039677378440dba45e050c50e1f8adbbc5649ac723f23fca1b85c0f851ecea003d1fcc47cac722a10afd7658ba837c003b0c81f046cd

Download Submit
C:\Windows\{2C41E85B-20A6-4a0b-B98E-7A27DB33E8EE}.exe

Filesize
204KB

MD5
f70ffcb1012ca10d469e3ac608d5a0f7

SHA1
bd2d845456f43fa12500e5607d4e82ede2ef92f3

SHA256
54f5bc5921f3bc3e8c051206ee55b5846516324fadd135e1d4eb1e7c6d0866b9

SHA512
1fb003fa66358cb67ebb7d0bbfb6055222d07680fa337d6977802224484115fffa2113852bf54dceb1bd3c5246d42090b3d7bd94ca975f4c99dba55da9227fd3

Download Submit
C:\Windows\{38E30DA8-A58C-453f-B0EB-8AF3A651F7A3}.exe

Filesize
204KB

MD5
4db2f33b3f24356f06fb00b6e887e071

SHA1
aea3b508d18d7787ea344952c44060120cc76160

SHA256
fd7563220f01ecde986b93c3a0da3a35aecdf55d3e18e38a10b8ff5dabef5f0c

SHA512
d4fd0edeaabb6a2718434c01f02de73fe525571853d3a465c1f6e50f6eb5e44deec689b2dda4558d7ec95a426dc4f1c807b76f7255025087c65b27a386580d59

Download Submit
C:\Windows\{5D364AB6-5BA5-4d30-84B6-AC349BC44CB7}.exe

Filesize
204KB

MD5
e976eaf9cd1f1670e3dcb0dd67526e2a

SHA1
a2e23da7b4782824f94d1e6c2379e2a9264c2c3b

SHA256
e0178b36cbcf05d4e30b22b005e54af97cb23dd264d5e8aa2e40e85b8452359e

SHA512
13685d8c1b360557d4aee99eb63557f57f95ea56a0cc559c4890c7788764742f887173165f834b7cebc14073ab7f863812fc6f747db07d5cab90d8bafbbf10c4

Download Submit
C:\Windows\{70BD75D3-B3A0-4165-B378-5678FDD40821}.exe

Filesize
204KB

MD5
84d240348cd3193b759f1fbf7e16d649

SHA1
9d6fbf6245310fd19e71f734866a3ed90cfa5567

SHA256
0c7e310325599c8865f1d86a69410a27279feee463ec71f061a1395ade2dbb75

SHA512
19a907fb3548fdb49db3e8498ad354e502eab9c1f1200bddc4eceeed41ca0366f6a0a9f51e39af6e8bbfcf640fd73763ea3e25ca9474dbc707810751d1c11170

Download Submit
C:\Windows\{7BFC3759-595F-4d90-8F2A-C3DA79F8C230}.exe

Filesize
204KB

MD5
a52bb00c1fed23a073178a207a0ffd4c

SHA1
634d2960f963d8dc5554455bde3387543fa94a26

SHA256
55146f1685e68f482007c9d67c22f8048c3a70a87586dd431945d03965731c7f

SHA512
b3bc9f2f5c4dc02c0945602196c93c95ae011e853ff1a7b06335710e8e9aa20abfac7f05562160de00f1d8980e5ffb7c38917140713529d733ae65fcc71e8349

Download Submit
C:\Windows\{A55A71C8-226A-4ff8-9870-5A1327742C13}.exe

Filesize
204KB

MD5
1bcc3c5d4f082e4532631e0e73bc824f

SHA1
493be1cb88a1cdfde90f9a85dbbc7ee9b72ded34

SHA256
3735e28127017f38097856a1ff02712d1067a32ccbfd57e3485fbee8433749f2

SHA512
5cf715af5149d00ec538710a68609814fdb11da42680518fadbc5efe789f0ee9ecc0809a363906cc4d8010560c5c23535a45fd340b984c78e6dc62bae9112b4c

Download Submit
C:\Windows\{C87DA574-BA4D-4147-8DEF-D33008AA7011}.exe

Filesize
204KB

MD5
17b9ffb809f7eabb97e330dec8184766

SHA1
10cae17758bc5d509e7b26dafa39075f60f51e70

SHA256
96750a04b091f23abf2904b815be2bd201e3249016351ec00ef948fb999e59d2

SHA512
96050d8c8e8c4a277a2be13651a40bb3c002e587edcdfde38cfd5cd65880c4ff6f5b34a46b92745b859ed79493a96f069a512f15047010e8f41e76c5b5634ab8

Download Submit
C:\Windows\{E003D0A7-B2C2-4d43-8F6E-434BCA321261}.exe

Filesize
204KB

MD5
8a54c8b866453cb9e71703b31d1ce547

SHA1
4a7422292034fb06af0b6f87c82b409ba926b0e4

SHA256
db65a9991746536e2eaded349ad83fc010500291a90b93b722bb00d20b1c766a

SHA512
8a8233977fd0d14f8288e6bd464ce449f977a5afd11e1813d669291d5f627a1b753aa7644d1b9d91b14ab00eb9c0481fa524560ade32b5fc9a05f3ad49fa8857

Download Submit
C:\Windows\{F4E7B4A1-96B0-4ec9-A045-F66FEAD2E582}.exe

Filesize
204KB

MD5
e157a621bb7d14a523fe28a38e482e04

SHA1
e7be31b2c48c5b5716b1fb5123873c3c2c8de0d4

SHA256
4779a35c9077a025c9f6eb323301d0a379a515223e152e083bcf9fc830233275

SHA512
9c93d459a9030619547716e803160697e28fabc77bedf580df770c335df8776ead3912c3a67e11597e9fbcfd9343ca2a0391891747f5262a7b8c969a628fb43b

Download Submit
C:\Windows\{F55CD1F3-EA03-4787-98C8-21BB80535842}.exe

Filesize
204KB

MD5
b62ab0e20ef8c428aa71d17f2215fae5

SHA1
c786a49c6c36691b8df76387b85c593c6f516adf

SHA256
67af0853e839b53fec6e3f9e1480acb3539a223d0398aa30832e75b5e73a6f3c

SHA512
1b45182735c39753c3df0ba9165d2276e2ce99fd7cbd0b0da94a24c216510c2b8473fb867e7122ae0b60fa6fe1fcec019f4af18f41077665d5b6b3e26adf911e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads