1b48f3489d014b19becebe6e18a17ca2e34b67997b7ced09cd5df9b7a94a66cb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe
Size

204KB
MD5

ec8c79d9550fe428670c387184871322
SHA1

fdd2e746f0f64cfd34cc1c55fe80871f5660ddd2
SHA256

1b48f3489d014b19becebe6e18a17ca2e34b67997b7ced09cd5df9b7a94a66cb
SHA512

dc2d6c3f46023c3628f4bc6f453c609d39ec716ccf1bfa985feaab308a191f843178756d08165600ea400ecfbc91147d66a6293636da3229b966c9505b3b4bdb
SSDEEP

1536:1EGh0oBl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oBl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023391-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023423-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023438-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023530-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002336c-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023531-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002336c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001db28-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023548-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023551-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023554-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022985-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0481174A-5928-4d85-B081-C5C179A181B9}	{705C43D8-848F-433d-9E85-E538B896CCDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6003D746-1840-420b-BE61-BFED1C5CF1B2}	{27BB091B-15BF-41d5-A61A-8832258300C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}	{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}\stubpath = "C:\\Windows\\{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe"	{EB116D92-5124-49db-A42B-ECB180C05736}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}	{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0481174A-5928-4d85-B081-C5C179A181B9}\stubpath = "C:\\Windows\\{0481174A-5928-4d85-B081-C5C179A181B9}.exe"	{705C43D8-848F-433d-9E85-E538B896CCDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27BB091B-15BF-41d5-A61A-8832258300C2}\stubpath = "C:\\Windows\\{27BB091B-15BF-41d5-A61A-8832258300C2}.exe"	{0481174A-5928-4d85-B081-C5C179A181B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}\stubpath = "C:\\Windows\\{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe"	{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}\stubpath = "C:\\Windows\\{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe"	{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{705C43D8-848F-433d-9E85-E538B896CCDB}\stubpath = "C:\\Windows\\{705C43D8-848F-433d-9E85-E538B896CCDB}.exe"	{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB116D92-5124-49db-A42B-ECB180C05736}	{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}	{EB116D92-5124-49db-A42B-ECB180C05736}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}\stubpath = "C:\\Windows\\{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe"	{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}	{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}\stubpath = "C:\\Windows\\{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe"	{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}\stubpath = "C:\\Windows\\{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe"	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}\stubpath = "C:\\Windows\\{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe"	{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6003D746-1840-420b-BE61-BFED1C5CF1B2}\stubpath = "C:\\Windows\\{6003D746-1840-420b-BE61-BFED1C5CF1B2}.exe"	{27BB091B-15BF-41d5-A61A-8832258300C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{705C43D8-848F-433d-9E85-E538B896CCDB}	{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27BB091B-15BF-41d5-A61A-8832258300C2}	{0481174A-5928-4d85-B081-C5C179A181B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}	{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB116D92-5124-49db-A42B-ECB180C05736}\stubpath = "C:\\Windows\\{EB116D92-5124-49db-A42B-ECB180C05736}.exe"	{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}	{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe

Executes dropped EXE 12 IoCs

pid	Process
4928	{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe
3152	{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe
1312	{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe
4908	{EB116D92-5124-49db-A42B-ECB180C05736}.exe
4112	{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe
4032	{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe
2856	{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe
2428	{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe
3992	{705C43D8-848F-433d-9E85-E538B896CCDB}.exe
1340	{0481174A-5928-4d85-B081-C5C179A181B9}.exe
4600	{27BB091B-15BF-41d5-A61A-8832258300C2}.exe
1348	{6003D746-1840-420b-BE61-BFED1C5CF1B2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe	{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe
File created	C:\Windows\{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe	{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe
File created	C:\Windows\{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe	{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe
File created	C:\Windows\{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe
File created	C:\Windows\{EB116D92-5124-49db-A42B-ECB180C05736}.exe	{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe
File created	C:\Windows\{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe	{EB116D92-5124-49db-A42B-ECB180C05736}.exe
File created	C:\Windows\{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe	{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe
File created	C:\Windows\{705C43D8-848F-433d-9E85-E538B896CCDB}.exe	{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe
File created	C:\Windows\{0481174A-5928-4d85-B081-C5C179A181B9}.exe	{705C43D8-848F-433d-9E85-E538B896CCDB}.exe
File created	C:\Windows\{27BB091B-15BF-41d5-A61A-8832258300C2}.exe	{0481174A-5928-4d85-B081-C5C179A181B9}.exe
File created	C:\Windows\{6003D746-1840-420b-BE61-BFED1C5CF1B2}.exe	{27BB091B-15BF-41d5-A61A-8832258300C2}.exe
File created	C:\Windows\{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe	{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2992	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4928	{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe
Token: SeIncBasePriorityPrivilege	3152	{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe
Token: SeIncBasePriorityPrivilege	1312	{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe
Token: SeIncBasePriorityPrivilege	4908	{EB116D92-5124-49db-A42B-ECB180C05736}.exe
Token: SeIncBasePriorityPrivilege	4112	{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe
Token: SeIncBasePriorityPrivilege	4032	{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe
Token: SeIncBasePriorityPrivilege	2856	{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe
Token: SeIncBasePriorityPrivilege	2428	{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe
Token: SeIncBasePriorityPrivilege	3992	{705C43D8-848F-433d-9E85-E538B896CCDB}.exe
Token: SeIncBasePriorityPrivilege	1340	{0481174A-5928-4d85-B081-C5C179A181B9}.exe
Token: SeIncBasePriorityPrivilege	4600	{27BB091B-15BF-41d5-A61A-8832258300C2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 4928	2992	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe	95
PID 2992 wrote to memory of 4928	2992	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe	95
PID 2992 wrote to memory of 4928	2992	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe	95
PID 2992 wrote to memory of 3004	2992	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe	96
PID 2992 wrote to memory of 3004	2992	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe	96
PID 2992 wrote to memory of 3004	2992	2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe	96
PID 4928 wrote to memory of 3152	4928	{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe	99
PID 4928 wrote to memory of 3152	4928	{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe	99
PID 4928 wrote to memory of 3152	4928	{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe	99
PID 4928 wrote to memory of 3080	4928	{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe	100
PID 4928 wrote to memory of 3080	4928	{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe	100
PID 4928 wrote to memory of 3080	4928	{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe	100
PID 3152 wrote to memory of 1312	3152	{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe	103
PID 3152 wrote to memory of 1312	3152	{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe	103
PID 3152 wrote to memory of 1312	3152	{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe	103
PID 3152 wrote to memory of 3752	3152	{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe	104
PID 3152 wrote to memory of 3752	3152	{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe	104
PID 3152 wrote to memory of 3752	3152	{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe	104
PID 1312 wrote to memory of 4908	1312	{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe	106
PID 1312 wrote to memory of 4908	1312	{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe	106
PID 1312 wrote to memory of 4908	1312	{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe	106
PID 1312 wrote to memory of 2132	1312	{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe	107
PID 1312 wrote to memory of 2132	1312	{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe	107
PID 1312 wrote to memory of 2132	1312	{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe	107
PID 4908 wrote to memory of 4112	4908	{EB116D92-5124-49db-A42B-ECB180C05736}.exe	108
PID 4908 wrote to memory of 4112	4908	{EB116D92-5124-49db-A42B-ECB180C05736}.exe	108
PID 4908 wrote to memory of 4112	4908	{EB116D92-5124-49db-A42B-ECB180C05736}.exe	108
PID 4908 wrote to memory of 3876	4908	{EB116D92-5124-49db-A42B-ECB180C05736}.exe	109
PID 4908 wrote to memory of 3876	4908	{EB116D92-5124-49db-A42B-ECB180C05736}.exe	109
PID 4908 wrote to memory of 3876	4908	{EB116D92-5124-49db-A42B-ECB180C05736}.exe	109
PID 4112 wrote to memory of 4032	4112	{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe	114
PID 4112 wrote to memory of 4032	4112	{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe	114
PID 4112 wrote to memory of 4032	4112	{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe	114
PID 4112 wrote to memory of 2348	4112	{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe	115
PID 4112 wrote to memory of 2348	4112	{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe	115
PID 4112 wrote to memory of 2348	4112	{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe	115
PID 4032 wrote to memory of 2856	4032	{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe	116
PID 4032 wrote to memory of 2856	4032	{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe	116
PID 4032 wrote to memory of 2856	4032	{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe	116
PID 4032 wrote to memory of 2404	4032	{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe	117
PID 4032 wrote to memory of 2404	4032	{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe	117
PID 4032 wrote to memory of 2404	4032	{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe	117
PID 2856 wrote to memory of 2428	2856	{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe	118
PID 2856 wrote to memory of 2428	2856	{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe	118
PID 2856 wrote to memory of 2428	2856	{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe	118
PID 2856 wrote to memory of 4848	2856	{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe	119
PID 2856 wrote to memory of 4848	2856	{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe	119
PID 2856 wrote to memory of 4848	2856	{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe	119
PID 2428 wrote to memory of 3992	2428	{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe	124
PID 2428 wrote to memory of 3992	2428	{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe	124
PID 2428 wrote to memory of 3992	2428	{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe	124
PID 2428 wrote to memory of 1440	2428	{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe	125
PID 2428 wrote to memory of 1440	2428	{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe	125
PID 2428 wrote to memory of 1440	2428	{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe	125
PID 3992 wrote to memory of 1340	3992	{705C43D8-848F-433d-9E85-E538B896CCDB}.exe	126
PID 3992 wrote to memory of 1340	3992	{705C43D8-848F-433d-9E85-E538B896CCDB}.exe	126
PID 3992 wrote to memory of 1340	3992	{705C43D8-848F-433d-9E85-E538B896CCDB}.exe	126
PID 3992 wrote to memory of 836	3992	{705C43D8-848F-433d-9E85-E538B896CCDB}.exe	127
PID 3992 wrote to memory of 836	3992	{705C43D8-848F-433d-9E85-E538B896CCDB}.exe	127
PID 3992 wrote to memory of 836	3992	{705C43D8-848F-433d-9E85-E538B896CCDB}.exe	127
PID 1340 wrote to memory of 4600	1340	{0481174A-5928-4d85-B081-C5C179A181B9}.exe	128
PID 1340 wrote to memory of 4600	1340	{0481174A-5928-4d85-B081-C5C179A181B9}.exe	128
PID 1340 wrote to memory of 4600	1340	{0481174A-5928-4d85-B081-C5C179A181B9}.exe	128
PID 1340 wrote to memory of 4440	1340	{0481174A-5928-4d85-B081-C5C179A181B9}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_ec8c79d9550fe428670c387184871322_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe
  C:\Windows\{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe
    C:\Windows\{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Windows\{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe
      C:\Windows\{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Windows\{EB116D92-5124-49db-A42B-ECB180C05736}.exe
        
        C:\Windows\{EB116D92-5124-49db-A42B-ECB180C05736}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
      - C:\Windows\{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe
        
        C:\Windows\{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe
        
        C:\Windows\{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe
        
        C:\Windows\{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe
        
        C:\Windows\{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\{705C43D8-848F-433d-9E85-E538B896CCDB}.exe
        
        C:\Windows\{705C43D8-848F-433d-9E85-E538B896CCDB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\{0481174A-5928-4d85-B081-C5C179A181B9}.exe
        
        C:\Windows\{0481174A-5928-4d85-B081-C5C179A181B9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{27BB091B-15BF-41d5-A61A-8832258300C2}.exe
        
        C:\Windows\{27BB091B-15BF-41d5-A61A-8832258300C2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
        
        C:\Windows\{6003D746-1840-420b-BE61-BFED1C5CF1B2}.exe
        
        C:\Windows\{6003D746-1840-420b-BE61-BFED1C5CF1B2}.exe
        13⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27BB0~1.EXE > nul
        13⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04811~1.EXE > nul
        12⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{705C4~1.EXE > nul
        11⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DDE8~1.EXE > nul
        10⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19FB5~1.EXE > nul
        9⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87144~1.EXE > nul
        8⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{280ED~1.EXE > nul
        7⤵
        
        PID:2348
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB116~1.EXE > nul
        6⤵
        
        PID:3876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CA72~1.EXE > nul
        5⤵
        
        PID:2132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1131D~1.EXE > nul
      4⤵
      PID:3752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9B5AE~1.EXE > nul
    3⤵
    PID:3080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0481174A-5928-4d85-B081-C5C179A181B9}.exe

Filesize
204KB

MD5
ebfee595f31b783fd450614928279559

SHA1
9164041206ccad98a5e3c3fd3040e12dc5ada773

SHA256
237540ec775af313790210ab23643c8748e8ccd5e706955f7e2349b5fa021748

SHA512
026c80a414ebb8d88f2e3195e5386f52de0df19e0bf842f04b4ff1cc3b1fec98c6d3cef30234b57ca0d814eea7b35d7f4070e0bd3ee35b1a8bcac9caef72091d

Download Submit
C:\Windows\{1131DC1C-68A4-4f16-878F-C0FC10D11EB1}.exe

Filesize
204KB

MD5
ec7a54961ab6819c837d9e10535b639d

SHA1
00c2c502d3917a8f0b12380a67417de08df70ddb

SHA256
e000f4fc0292553c90d33ef07b42a6340d5ea816f60f48dffc7d30837c05e19a

SHA512
f1e01236b869afb75a1304183ec62d3f928602263101f71b4b5692f72f08002679522f4da5a9c0dbd08a43cacbda46572a6544b69cb4bcb7764113722e2f8a81

Download Submit
C:\Windows\{19FB51B0-37E4-4c3b-A94A-E7B6E2AF3E93}.exe

Filesize
204KB

MD5
49252819e7040f75257ff7db5d670ad7

SHA1
aa9687ab80b4bcfdaae672d91995255522545a15

SHA256
72c6c71f5bf872ca453a9d6cb174c1f869725c80f8881f5e3138f1ff0d82c486

SHA512
a7caa9563999eb054eb1c8aee5144cc3d8905e729a461dec157b1c44f0100217b1b16eb965d3d2646ba71ff9dbc9da0a099e5766b25312b5a6a018c0bc3a76ed

Download Submit
C:\Windows\{27BB091B-15BF-41d5-A61A-8832258300C2}.exe

Filesize
204KB

MD5
45e5c5a34db52891f5ff192d06692fef

SHA1
07f7c6eee3a193d03d0e970d65c9293893ee65a2

SHA256
27dc73497d7336c876cd992206af31da813c1b74ec5cbae75b57dcd468db841c

SHA512
0be95e8c9024152b531584cf33273b0167a90449aa527ea3c2823da9f067b433a3d457d79dd375d8ced4c01960675ac5d2803f32d9c4bde76e3867ee3d917bff

Download Submit
C:\Windows\{280EDCEB-FA48-47aa-B71C-BE080A6F0BE3}.exe

Filesize
204KB

MD5
677c56606ee6c301e6dc19a72d84cbc2

SHA1
b2163304b849d2509e345e24ae988dbafc70c870

SHA256
1d36eb4dd0b72fdb398f411f2ac3ec6de360cdc34e4506b3138f3ad11beb94e8

SHA512
46f7df261542ba7fcd5d9856453478a48f6b1e3d4149b86e639a77ea2cbc7403f7436e58f988257b460f9e60f1ad43fc161b89b68456c13a87bbbdc7d42fd154

Download Submit
C:\Windows\{5DDE8815-1E14-40a5-8EA9-C8C365BD0E2A}.exe

Filesize
204KB

MD5
5758f6fedb3e891aa2654f0c9de74029

SHA1
3986a33076265d1caa38b96906ac3e6f82e1f7ef

SHA256
6edce5fd6239f190fdadaf90d7267a7a410df8911bdf6b47d44e05df119445ed

SHA512
dc26de7f75c653af5d142f615f1e7079312a150482fb1462ce12d78a1ddef79b511ef110ef9c7f5161ff3c8a1206fb1d382eab29be71a46b43d08786a325506c

Download Submit
C:\Windows\{6003D746-1840-420b-BE61-BFED1C5CF1B2}.exe

Filesize
204KB

MD5
0c60947caa755de1ee6b2ca5c37ff97a

SHA1
becb7e36e429005b2cc91c1117fe26ef25f78cae

SHA256
7ce292c24606d5b8aefccd02feb0679593a9ce87e2e4b46c3dd089b6d7fc6460

SHA512
ec9feb9cc31e8abacd2048802ad461eb9a298cffcfcf8a327531ccdeaa57ca2363e87d31df58f98cf65457906b403593b32460ba13d152d9f6882874b5823e2d

Download Submit
C:\Windows\{705C43D8-848F-433d-9E85-E538B896CCDB}.exe

Filesize
204KB

MD5
e3b2721922bc5220f9fcf37a6823adfa

SHA1
eb48085530522ee5f96c34814b98317cfe5f504f

SHA256
946fd4e592a0c5b07ee47d5cf1c4fd3e1177240261404c8dc1ce55b1c2f7b895

SHA512
b8c34649921ab93f6ffd1a98ad2c36e485a919f3d9e1531a378a9ba20d21c3f52b70d55464e97ee240118f3c8558ded527843cce27ae079d82a45276a29b008c

Download Submit
C:\Windows\{871443BB-4BAE-43ed-80F1-0E3EFC09F07C}.exe

Filesize
204KB

MD5
d772ba51924b96c68979d20a0a3333ca

SHA1
16a7c508d6007a0ec81d289a542f7cdcd4d615e3

SHA256
4b02b8fe59b99fece27e529182ecf483eac716ac3260e82060b467c990584d8c

SHA512
037205488f540dee57061ac51bfa238e6bc4bb61987aa58daa3ca6660d389d08b42b5714ad4c1075c40425ff6ef416b2dea3f85b8db152948cb8b7d3b98e35e4

Download Submit
C:\Windows\{8CA72661-5F5E-455b-BA5A-E7B0E4BE93AF}.exe

Filesize
204KB

MD5
40d8069a053d412d9c5eabfa54581c5e

SHA1
660596755aa20a1f983fdb96b27acbf700b15e0d

SHA256
c5510b66599ea0eaef6a5a859aba8e95de73ccfc7260a68e2ec85ffa040814e2

SHA512
dfe2f7c069165a61cf7bdbca41412969bf21da187ec9fac4c47051cb7b1cced74d75eef7e153849cfe437b342d504d623895ae4aa56661861be26f6c034704c1

Download Submit
C:\Windows\{9B5AE503-FF58-4994-9B78-75CE1EE2E9DB}.exe

Filesize
204KB

MD5
13cbbc13b99ff0345d746bb038c2f7cd

SHA1
f9280aa1b1fad8d8743815be071c3b4d88e52dd6

SHA256
a4d4f3d7783d0aeb4516a8f5683a0fcf813aaad5eff87d3f708cb27ab11935a3

SHA512
5c2d38302dc663e1e10238e3eac8c37ab72475348d39f7e9e36f35a36d353473c506360fef5878dc6d81e35af9be7bf7c09b29e5dfd06a8fa87c11d749c00bc5

Download Submit
C:\Windows\{EB116D92-5124-49db-A42B-ECB180C05736}.exe

Filesize
204KB

MD5
45753bed57061de8383375628ad65984

SHA1
f4dfd525f1cdbb9f691daf42414ae72704701d0c

SHA256
2ce2bda9c63d1b7f5adb76868bbcf6e3915604a7ce41a006e97038fa8a24ebde

SHA512
adb88b4e6ad01319b825ffc47800370f450c0b4de8a038618fb16c29b1305b3dd88581f84f4a415d29389cc575fb61783d9c6271c25db07608d399a9d20dff86

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads