b2dd5d6f21b74e2086a67341b11bf6c6b12e7e5b32727ba1f6e28cc9dae536ed

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe
Size

408KB
MD5

70b675a73947d231543c0c872fdf1d41
SHA1

c5f3b3d868c91d519af8fddf3f25d2a11f9e2a3f
SHA256

b2dd5d6f21b74e2086a67341b11bf6c6b12e7e5b32727ba1f6e28cc9dae536ed
SHA512

63afc55ce42202d4c3713139d9d4c889737ed19040dd331c109585d7675c479372eeb262791062921db5b3f96b6b2e75d5585ece79e18c957bca05ff7a53a28e
SSDEEP

3072:CEGh0ogl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGmldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233d0-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233e8-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233fc-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000200000001e399-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002333c-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016956-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001db1f-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000016956-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000234f1-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234f7-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234fb-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023503-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F0B82EF-FA5D-4016-B774-196E360D7F48}\stubpath = "C:\\Windows\\{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe"	{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}\stubpath = "C:\\Windows\\{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe"	{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}	{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{245E5CE1-7CEA-4930-B255-20841D6BEBF2}	{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1BA3D34-0369-433e-A4A2-E186C6F7F414}	{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F0B82EF-FA5D-4016-B774-196E360D7F48}	{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{628FE6D7-788C-465a-BEE0-5F8F497C957E}	{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAE4B134-CFA7-44e4-8487-E62DCCFC78A5}\stubpath = "C:\\Windows\\{AAE4B134-CFA7-44e4-8487-E62DCCFC78A5}.exe"	{B8DB0458-B749-4977-AB0A-520F4D7C85A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}\stubpath = "C:\\Windows\\{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe"	{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18983C16-4C2A-4e34-A102-7FC83B6E658E}	{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}	{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{245E5CE1-7CEA-4930-B255-20841D6BEBF2}\stubpath = "C:\\Windows\\{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe"	{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18983C16-4C2A-4e34-A102-7FC83B6E658E}\stubpath = "C:\\Windows\\{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe"	{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1BA3D34-0369-433e-A4A2-E186C6F7F414}\stubpath = "C:\\Windows\\{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe"	{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}	{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}	{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}\stubpath = "C:\\Windows\\{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe"	{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{628FE6D7-788C-465a-BEE0-5F8F497C957E}\stubpath = "C:\\Windows\\{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe"	{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}\stubpath = "C:\\Windows\\{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}.exe"	{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}	2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}\stubpath = "C:\\Windows\\{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe"	2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAE4B134-CFA7-44e4-8487-E62DCCFC78A5}	{B8DB0458-B749-4977-AB0A-520F4D7C85A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8DB0458-B749-4977-AB0A-520F4D7C85A6}	{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8DB0458-B749-4977-AB0A-520F4D7C85A6}\stubpath = "C:\\Windows\\{B8DB0458-B749-4977-AB0A-520F4D7C85A6}.exe"	{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}.exe

Executes dropped EXE 12 IoCs

pid	Process
2780	{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe
3660	{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe
3320	{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe
4660	{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe
116	{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe
4144	{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe
4532	{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe
1436	{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe
2996	{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe
1052	{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}.exe
2784	{B8DB0458-B749-4977-AB0A-520F4D7C85A6}.exe
4324	{AAE4B134-CFA7-44e4-8487-E62DCCFC78A5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}.exe	{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe
File created	C:\Windows\{B8DB0458-B749-4977-AB0A-520F4D7C85A6}.exe	{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}.exe
File created	C:\Windows\{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe	{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe
File created	C:\Windows\{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe	{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe
File created	C:\Windows\{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe	{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe
File created	C:\Windows\{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe	{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe
File created	C:\Windows\{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe	{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe
File created	C:\Windows\{AAE4B134-CFA7-44e4-8487-E62DCCFC78A5}.exe	{B8DB0458-B749-4977-AB0A-520F4D7C85A6}.exe
File created	C:\Windows\{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe	2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe
File created	C:\Windows\{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe	{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe
File created	C:\Windows\{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe	{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe
File created	C:\Windows\{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe	{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4088	2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2780	{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe
Token: SeIncBasePriorityPrivilege	3660	{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe
Token: SeIncBasePriorityPrivilege	3320	{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe
Token: SeIncBasePriorityPrivilege	4660	{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe
Token: SeIncBasePriorityPrivilege	116	{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe
Token: SeIncBasePriorityPrivilege	4144	{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe
Token: SeIncBasePriorityPrivilege	4532	{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe
Token: SeIncBasePriorityPrivilege	1436	{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe
Token: SeIncBasePriorityPrivilege	2996	{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe
Token: SeIncBasePriorityPrivilege	1052	{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}.exe
Token: SeIncBasePriorityPrivilege	2784	{B8DB0458-B749-4977-AB0A-520F4D7C85A6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 2780	4088	2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe	94
PID 4088 wrote to memory of 2780	4088	2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe	94
PID 4088 wrote to memory of 2780	4088	2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe	94
PID 4088 wrote to memory of 3880	4088	2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe	95
PID 4088 wrote to memory of 3880	4088	2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe	95
PID 4088 wrote to memory of 3880	4088	2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe	95
PID 2780 wrote to memory of 3660	2780	{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe	98
PID 2780 wrote to memory of 3660	2780	{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe	98
PID 2780 wrote to memory of 3660	2780	{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe	98
PID 2780 wrote to memory of 4996	2780	{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe	99
PID 2780 wrote to memory of 4996	2780	{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe	99
PID 2780 wrote to memory of 4996	2780	{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe	99
PID 3660 wrote to memory of 3320	3660	{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe	102
PID 3660 wrote to memory of 3320	3660	{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe	102
PID 3660 wrote to memory of 3320	3660	{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe	102
PID 3660 wrote to memory of 2856	3660	{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe	103
PID 3660 wrote to memory of 2856	3660	{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe	103
PID 3660 wrote to memory of 2856	3660	{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe	103
PID 3320 wrote to memory of 4660	3320	{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe	106
PID 3320 wrote to memory of 4660	3320	{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe	106
PID 3320 wrote to memory of 4660	3320	{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe	106
PID 3320 wrote to memory of 2492	3320	{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe	107
PID 3320 wrote to memory of 2492	3320	{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe	107
PID 3320 wrote to memory of 2492	3320	{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe	107
PID 4660 wrote to memory of 116	4660	{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe	108
PID 4660 wrote to memory of 116	4660	{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe	108
PID 4660 wrote to memory of 116	4660	{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe	108
PID 4660 wrote to memory of 4384	4660	{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe	109
PID 4660 wrote to memory of 4384	4660	{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe	109
PID 4660 wrote to memory of 4384	4660	{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe	109
PID 116 wrote to memory of 4144	116	{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe	110
PID 116 wrote to memory of 4144	116	{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe	110
PID 116 wrote to memory of 4144	116	{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe	110
PID 116 wrote to memory of 3016	116	{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe	111
PID 116 wrote to memory of 3016	116	{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe	111
PID 116 wrote to memory of 3016	116	{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe	111
PID 4144 wrote to memory of 4532	4144	{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe	118
PID 4144 wrote to memory of 4532	4144	{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe	118
PID 4144 wrote to memory of 4532	4144	{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe	118
PID 4144 wrote to memory of 1484	4144	{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe	119
PID 4144 wrote to memory of 1484	4144	{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe	119
PID 4144 wrote to memory of 1484	4144	{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe	119
PID 4532 wrote to memory of 1436	4532	{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe	120
PID 4532 wrote to memory of 1436	4532	{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe	120
PID 4532 wrote to memory of 1436	4532	{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe	120
PID 4532 wrote to memory of 1092	4532	{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe	121
PID 4532 wrote to memory of 1092	4532	{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe	121
PID 4532 wrote to memory of 1092	4532	{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe	121
PID 1436 wrote to memory of 2996	1436	{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe	126
PID 1436 wrote to memory of 2996	1436	{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe	126
PID 1436 wrote to memory of 2996	1436	{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe	126
PID 1436 wrote to memory of 4640	1436	{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe	127
PID 1436 wrote to memory of 4640	1436	{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe	127
PID 1436 wrote to memory of 4640	1436	{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe	127
PID 2996 wrote to memory of 1052	2996	{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe	128
PID 2996 wrote to memory of 1052	2996	{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe	128
PID 2996 wrote to memory of 1052	2996	{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe	128
PID 2996 wrote to memory of 3716	2996	{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe	129
PID 2996 wrote to memory of 3716	2996	{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe	129
PID 2996 wrote to memory of 3716	2996	{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe	129
PID 1052 wrote to memory of 2784	1052	{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}.exe	130
PID 1052 wrote to memory of 2784	1052	{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}.exe	130
PID 1052 wrote to memory of 2784	1052	{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}.exe	130
PID 1052 wrote to memory of 1028	1052	{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe
  C:\Windows\{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe
    C:\Windows\{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Windows\{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe
      C:\Windows\{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3320
    - - C:\Windows\{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe
        
        C:\Windows\{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
      - C:\Windows\{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe
        
        C:\Windows\{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe
        
        C:\Windows\{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe
        
        C:\Windows\{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe
        
        C:\Windows\{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe
        
        C:\Windows\{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}.exe
        
        C:\Windows\{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\{B8DB0458-B749-4977-AB0A-520F4D7C85A6}.exe
        
        C:\Windows\{B8DB0458-B749-4977-AB0A-520F4D7C85A6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\{AAE4B134-CFA7-44e4-8487-E62DCCFC78A5}.exe
        
        C:\Windows\{AAE4B134-CFA7-44e4-8487-E62DCCFC78A5}.exe
        13⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8DB0~1.EXE > nul
        13⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ACEA~1.EXE > nul
        12⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{628FE~1.EXE > nul
        11⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BA4A~1.EXE > nul
        10⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F454E~1.EXE > nul
        9⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F0B8~1.EXE > nul
        8⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18983~1.EXE > nul
        7⤵
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C33AC~1.EXE > nul
        6⤵
        
        PID:4384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1BA3~1.EXE > nul
        5⤵
        
        PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{245E5~1.EXE > nul
      4⤵
      PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{39F20~1.EXE > nul
    3⤵
    PID:4996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18983C16-4C2A-4e34-A102-7FC83B6E658E}.exe

Filesize
408KB

MD5
1f97552372a33a32d6f55522015e1e87

SHA1
eaf1be427bc337c8b75bc621e7ba2f86e1509b38

SHA256
7757d1167e4a4bddaea3caed9dc17551e1e90d31c9947de8323bb70a8c61fc07

SHA512
2a12d9e3e20bb38084c565e1496be4efd8bb6ee265c5786e411231ab2181c300a2f07de66805d7e5ceee34bf6af2c5a071930003bdf530a1c0ef569f9f26ea77

Download Submit
C:\Windows\{245E5CE1-7CEA-4930-B255-20841D6BEBF2}.exe

Filesize
408KB

MD5
57ac0294ecd9984a249e4962a63e66f4

SHA1
2f6e1abe5c12a3477006ab37a307b85e011b9d67

SHA256
b6f4d8948e4fddf7109d7b21b7580423d3531bae7199e8f0dbb82eff5144ce3d

SHA512
69de2b743f07be0c0ddddc42b60b06a15b9193329005cec43480ceab70aaf3735ebc9fe6b72e3a1c0145f0381924ea357e88fc37509947bd4b4f852579767286

Download Submit
C:\Windows\{2F0B82EF-FA5D-4016-B774-196E360D7F48}.exe

Filesize
408KB

MD5
8156396fc05b5e1bd0420e6f56214352

SHA1
1db23ecd8f9d511914ea8e939bdafe951b342ced

SHA256
ffd14e313d2be4e2f2e49c3b68d8820b9a47225e04968ebc79d06510856e5a96

SHA512
6790ec40088650f33b190bf1306dcdea39466dce3a0d0e27e029ea55433f3b7cb9883cdfd7c68de3c6a83da0553528f9e260e721d48d9e6332e018351aa3cbb7

Download Submit
C:\Windows\{39F20E6A-A13A-4ecd-B2A3-C479ED860B1A}.exe

Filesize
408KB

MD5
a3d45f8e98931e54beceaec66ac0fce7

SHA1
02f3e0712967d339b8aa8588eb7534e7d7445d5b

SHA256
0375c4e42f11d6b9da20fc23835c1e2c49b8d82b332f906dcbefcd1028cf8101

SHA512
2e16d2a22e0d9b28771fb13b83aaaae68cbd7716b40aea2c8c6b0ff52a0e53b1af2f6d20602de6a9c3c8b60942d78a7606ea7a80d2d57527b7e05dd9f9c2b84f

Download Submit
C:\Windows\{628FE6D7-788C-465a-BEE0-5F8F497C957E}.exe

Filesize
408KB

MD5
913ed71b47ec48409323221c61337cb4

SHA1
2ba4bf55d582c359f713507e0dd36d027bf5c85a

SHA256
5e56a5fbd4c176cfd295a4ffbda19dcccab2f9155e548fa7a179d8ae05b467fb

SHA512
8cf5e1ec71cc9ee81cc4eebab47f7534b446805ce3320017711a76125a4a118a6f967977912ac2f8891138a497e7c2fcf8d1e70a0413be1050074109c8ec74f6

Download Submit
C:\Windows\{6ACEAC28-DD4F-4795-A561-8CB2F3CD0917}.exe

Filesize
408KB

MD5
6e830830048241ec83ba0fa6857cf080

SHA1
ea780a78045d75cb1773fa4be6e66e52469baa2e

SHA256
8bc61a6a725616ce065090213859ef8fd089b1539a40881f1b263e03e08b4e6c

SHA512
060b53f6be5f6f54e380b33cddca768132b354e392756d189d7cf2803dcd4ee26defe62f813b8d5eae20167ed1a33cad4a61da384314c5a6d5b0fb6e4fb41198

Download Submit
C:\Windows\{7BA4AC4E-AA55-45cc-BE36-C4BC4BDE3703}.exe

Filesize
408KB

MD5
0f51bbb25017ad98aba41b7c798726d8

SHA1
d594b36569014a0e76cd341e85976d4b7fac1ec2

SHA256
07c1b9b7348d7b386f03a4c4c683bed2dd358f471ca9e7dbc696257d75e683df

SHA512
90b3d78be428e897ac02f0eeb1ff60a084f97e9cec28d7976ccb4356b90b752b2210fbaa41665d1f2d862c14b647c09cc43704a131826aa866b1f8fa9c2af287

Download Submit
C:\Windows\{A1BA3D34-0369-433e-A4A2-E186C6F7F414}.exe

Filesize
408KB

MD5
5dbf980a1c41189acdbefd19787d7c15

SHA1
d50f4470e793c388f52e053b45f48692ea8691c9

SHA256
22d603cb627005b155b19fd99298b7a9d876969993ac6f728cc60ea6c79de358

SHA512
5d74d0de2280be64e9c9c463352d6867624b28e51e96f06ad7a2e9439aa184db32e2ee6d7457a484faa7a6ee817720ef62afbb0c99397c23f5a6ffd309e79d5b

Download Submit
C:\Windows\{AAE4B134-CFA7-44e4-8487-E62DCCFC78A5}.exe

Filesize
408KB

MD5
fefe862a11140606f5e794f16c3f0d4d

SHA1
e9b1f5fd71463c4e49bee049d4321b034265a7f2

SHA256
f320ce16ea3bfb640ecf9b8bf29b91566bd1b974dcb650b613f89d045deedcf6

SHA512
16afa880be13d5071d57de7d9e1197e20b8119bde4ebd1fbcd5095073adbba2bda839391fae8388d5e79ce9fd632272cd7cd3386c00d81771c1895103d018f42

Download Submit
C:\Windows\{B8DB0458-B749-4977-AB0A-520F4D7C85A6}.exe

Filesize
408KB

MD5
a7bc12ec63589d349729e240d87ebbba

SHA1
83101e23e28f97efa4e2268c3058a877b41fce56

SHA256
d01291e34ff4986d9caabd540b8a892ce2a6fedb8f02d4c152ad0f8a8903f907

SHA512
d62826b62c3cfe1cbc3995de233b0c1aa82823e785ff6a81c609c4fdda0a7e4301c117881eabdaeedaec4b3620fd5462cf04697e1499b1ddcd91813034a64c92

Download Submit
C:\Windows\{C33ACCF8-AB08-44c2-AE4E-9601AEF6D5ED}.exe

Filesize
408KB

MD5
b4a3b68fb3dca0b43e69291ffc02ec74

SHA1
d4311c5f454cab36b6c414c5ad08d4439e3689a3

SHA256
9e49995f515cdbbe403dc012055fce46eb96218e7fa9d0b23fb28f6120b0b7fc

SHA512
01178298b7d988e0e4ea3068d1726ce13bcbba6ddda1728b1e6b5e105126735cc3ac1fcee59eea5ece6c7eb213babe2921e01d7042980f300dee9ac6912ee8ea

Download Submit
C:\Windows\{F454E8CF-13FB-4ab3-81CA-2C6DDE63DE93}.exe

Filesize
408KB

MD5
38bc6939e08a5802b1eb9dfcc4c2c0f2

SHA1
813b1860a496e57e6ef61d917619490773dc7c37

SHA256
f5ac27849b9a464657dff2c4e72c1480733a66a8f00e1f7d061d2adc44a6981a

SHA512
d08ccc8145ef276ffba6ae6c99a13320a88925d9bbae568dfaac62029420ca3547fd956817cd358bcf3eeab4cd56a388b6de58c19eb83643704c9f477aaf2dbb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads