9f9b38fea339cc538b93435179adceac35f80feef4d10bd637cc487fd9cf6c6c

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 11:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_0f673fbd392e9c94da0b2cd67bc54b54_goldeneye.exe
Size

408KB
MD5

0f673fbd392e9c94da0b2cd67bc54b54
SHA1

a2d242f7f0826409f645fea1f609dab605b2137f
SHA256

9f9b38fea339cc538b93435179adceac35f80feef4d10bd637cc487fd9cf6c6c
SHA512

b603bbbd473937ff14c776cd298fd58dfa871f357f67612b42932f52ad365e1243c1cc16de07b17eb342eecd8598126851c5e569486372d1d433c3c32e6efc1d
SSDEEP

3072:CEGh0oul3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGcldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002345b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002345d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023467-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002345d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023467-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002345d-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023467-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002345d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023480-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023452-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002345d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002346c-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CFD50C5-4990-41f8-A449-8B60648F7C21}	{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}\stubpath = "C:\\Windows\\{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe"	{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0F73013-004E-4ab3-8BC6-065B582923EF}	{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2819F66F-5B12-4b02-A648-64FEF8511742}	{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2819F66F-5B12-4b02-A648-64FEF8511742}\stubpath = "C:\\Windows\\{2819F66F-5B12-4b02-A648-64FEF8511742}.exe"	{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}\stubpath = "C:\\Windows\\{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe"	{2819F66F-5B12-4b02-A648-64FEF8511742}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}	{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58288030-27BA-4f99-A1F6-A521354B259E}	{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58288030-27BA-4f99-A1F6-A521354B259E}\stubpath = "C:\\Windows\\{58288030-27BA-4f99-A1F6-A521354B259E}.exe"	{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}\stubpath = "C:\\Windows\\{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe"	{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0F73013-004E-4ab3-8BC6-065B582923EF}\stubpath = "C:\\Windows\\{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe"	{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}	2024-04-25_0f673fbd392e9c94da0b2cd67bc54b54_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}	{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}	{2819F66F-5B12-4b02-A648-64FEF8511742}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}\stubpath = "C:\\Windows\\{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe"	{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61F8369D-A209-4748-BF3D-D8F7FBA84211}	{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61F8369D-A209-4748-BF3D-D8F7FBA84211}\stubpath = "C:\\Windows\\{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe"	{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CFD50C5-4990-41f8-A449-8B60648F7C21}\stubpath = "C:\\Windows\\{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe"	{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}	{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}\stubpath = "C:\\Windows\\{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe"	2024-04-25_0f673fbd392e9c94da0b2cd67bc54b54_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0833F9E5-C196-4c82-8788-C52694FC1AE5}\stubpath = "C:\\Windows\\{0833F9E5-C196-4c82-8788-C52694FC1AE5}.exe"	{58288030-27BA-4f99-A1F6-A521354B259E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BA3164D-C2AC-4ee5-8C8B-7AAFCED20196}	{0833F9E5-C196-4c82-8788-C52694FC1AE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BA3164D-C2AC-4ee5-8C8B-7AAFCED20196}\stubpath = "C:\\Windows\\{5BA3164D-C2AC-4ee5-8C8B-7AAFCED20196}.exe"	{0833F9E5-C196-4c82-8788-C52694FC1AE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0833F9E5-C196-4c82-8788-C52694FC1AE5}	{58288030-27BA-4f99-A1F6-A521354B259E}.exe

Executes dropped EXE 12 IoCs

pid	Process
3812	{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe
2408	{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe
4960	{2819F66F-5B12-4b02-A648-64FEF8511742}.exe
4360	{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe
2064	{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe
1036	{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe
1552	{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe
2784	{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe
2648	{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe
4132	{58288030-27BA-4f99-A1F6-A521354B259E}.exe
4904	{0833F9E5-C196-4c82-8788-C52694FC1AE5}.exe
2064	{5BA3164D-C2AC-4ee5-8C8B-7AAFCED20196}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe	2024-04-25_0f673fbd392e9c94da0b2cd67bc54b54_goldeneye.exe
File created	C:\Windows\{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe	{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe
File created	C:\Windows\{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe	{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe
File created	C:\Windows\{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe	{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe
File created	C:\Windows\{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe	{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe
File created	C:\Windows\{58288030-27BA-4f99-A1F6-A521354B259E}.exe	{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe
File created	C:\Windows\{5BA3164D-C2AC-4ee5-8C8B-7AAFCED20196}.exe	{0833F9E5-C196-4c82-8788-C52694FC1AE5}.exe
File created	C:\Windows\{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe	{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe
File created	C:\Windows\{2819F66F-5B12-4b02-A648-64FEF8511742}.exe	{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe
File created	C:\Windows\{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe	{2819F66F-5B12-4b02-A648-64FEF8511742}.exe
File created	C:\Windows\{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe	{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe
File created	C:\Windows\{0833F9E5-C196-4c82-8788-C52694FC1AE5}.exe	{58288030-27BA-4f99-A1F6-A521354B259E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4008	2024-04-25_0f673fbd392e9c94da0b2cd67bc54b54_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3812	{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe
Token: SeIncBasePriorityPrivilege	2408	{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe
Token: SeIncBasePriorityPrivilege	4960	{2819F66F-5B12-4b02-A648-64FEF8511742}.exe
Token: SeIncBasePriorityPrivilege	4360	{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe
Token: SeIncBasePriorityPrivilege	2064	{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe
Token: SeIncBasePriorityPrivilege	1036	{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe
Token: SeIncBasePriorityPrivilege	1552	{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe
Token: SeIncBasePriorityPrivilege	2784	{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe
Token: SeIncBasePriorityPrivilege	2648	{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe
Token: SeIncBasePriorityPrivilege	4132	{58288030-27BA-4f99-A1F6-A521354B259E}.exe
Token: SeIncBasePriorityPrivilege	4904	{0833F9E5-C196-4c82-8788-C52694FC1AE5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 3812	4008	2024-04-25_0f673fbd392e9c94da0b2cd67bc54b54_goldeneye.exe	101
PID 4008 wrote to memory of 3812	4008	2024-04-25_0f673fbd392e9c94da0b2cd67bc54b54_goldeneye.exe	101
PID 4008 wrote to memory of 3812	4008	2024-04-25_0f673fbd392e9c94da0b2cd67bc54b54_goldeneye.exe	101
PID 4008 wrote to memory of 5112	4008	2024-04-25_0f673fbd392e9c94da0b2cd67bc54b54_goldeneye.exe	102
PID 4008 wrote to memory of 5112	4008	2024-04-25_0f673fbd392e9c94da0b2cd67bc54b54_goldeneye.exe	102
PID 4008 wrote to memory of 5112	4008	2024-04-25_0f673fbd392e9c94da0b2cd67bc54b54_goldeneye.exe	102
PID 3812 wrote to memory of 2408	3812	{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe	103
PID 3812 wrote to memory of 2408	3812	{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe	103
PID 3812 wrote to memory of 2408	3812	{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe	103
PID 3812 wrote to memory of 1552	3812	{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe	104
PID 3812 wrote to memory of 1552	3812	{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe	104
PID 3812 wrote to memory of 1552	3812	{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe	104
PID 2408 wrote to memory of 4960	2408	{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe	107
PID 2408 wrote to memory of 4960	2408	{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe	107
PID 2408 wrote to memory of 4960	2408	{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe	107
PID 2408 wrote to memory of 2840	2408	{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe	108
PID 2408 wrote to memory of 2840	2408	{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe	108
PID 2408 wrote to memory of 2840	2408	{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe	108
PID 4960 wrote to memory of 4360	4960	{2819F66F-5B12-4b02-A648-64FEF8511742}.exe	109
PID 4960 wrote to memory of 4360	4960	{2819F66F-5B12-4b02-A648-64FEF8511742}.exe	109
PID 4960 wrote to memory of 4360	4960	{2819F66F-5B12-4b02-A648-64FEF8511742}.exe	109
PID 4960 wrote to memory of 3340	4960	{2819F66F-5B12-4b02-A648-64FEF8511742}.exe	110
PID 4960 wrote to memory of 3340	4960	{2819F66F-5B12-4b02-A648-64FEF8511742}.exe	110
PID 4960 wrote to memory of 3340	4960	{2819F66F-5B12-4b02-A648-64FEF8511742}.exe	110
PID 4360 wrote to memory of 2064	4360	{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe	111
PID 4360 wrote to memory of 2064	4360	{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe	111
PID 4360 wrote to memory of 2064	4360	{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe	111
PID 4360 wrote to memory of 3532	4360	{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe	112
PID 4360 wrote to memory of 3532	4360	{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe	112
PID 4360 wrote to memory of 3532	4360	{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe	112
PID 2064 wrote to memory of 1036	2064	{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe	117
PID 2064 wrote to memory of 1036	2064	{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe	117
PID 2064 wrote to memory of 1036	2064	{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe	117
PID 2064 wrote to memory of 3524	2064	{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe	118
PID 2064 wrote to memory of 3524	2064	{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe	118
PID 2064 wrote to memory of 3524	2064	{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe	118
PID 1036 wrote to memory of 1552	1036	{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe	119
PID 1036 wrote to memory of 1552	1036	{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe	119
PID 1036 wrote to memory of 1552	1036	{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe	119
PID 1036 wrote to memory of 2380	1036	{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe	120
PID 1036 wrote to memory of 2380	1036	{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe	120
PID 1036 wrote to memory of 2380	1036	{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe	120
PID 1552 wrote to memory of 2784	1552	{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe	123
PID 1552 wrote to memory of 2784	1552	{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe	123
PID 1552 wrote to memory of 2784	1552	{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe	123
PID 1552 wrote to memory of 1348	1552	{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe	124
PID 1552 wrote to memory of 1348	1552	{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe	124
PID 1552 wrote to memory of 1348	1552	{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe	124
PID 2784 wrote to memory of 2648	2784	{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe	127
PID 2784 wrote to memory of 2648	2784	{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe	127
PID 2784 wrote to memory of 2648	2784	{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe	127
PID 2784 wrote to memory of 2520	2784	{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe	128
PID 2784 wrote to memory of 2520	2784	{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe	128
PID 2784 wrote to memory of 2520	2784	{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe	128
PID 2648 wrote to memory of 4132	2648	{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe	129
PID 2648 wrote to memory of 4132	2648	{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe	129
PID 2648 wrote to memory of 4132	2648	{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe	129
PID 2648 wrote to memory of 548	2648	{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe	130
PID 2648 wrote to memory of 548	2648	{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe	130
PID 2648 wrote to memory of 548	2648	{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe	130
PID 4132 wrote to memory of 4904	4132	{58288030-27BA-4f99-A1F6-A521354B259E}.exe	135
PID 4132 wrote to memory of 4904	4132	{58288030-27BA-4f99-A1F6-A521354B259E}.exe	135
PID 4132 wrote to memory of 4904	4132	{58288030-27BA-4f99-A1F6-A521354B259E}.exe	135
PID 4132 wrote to memory of 3208	4132	{58288030-27BA-4f99-A1F6-A521354B259E}.exe	136

C:\Users\Admin\AppData\Local\Temp\2024-04-25_0f673fbd392e9c94da0b2cd67bc54b54_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_0f673fbd392e9c94da0b2cd67bc54b54_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe
  C:\Windows\{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Windows\{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe
    C:\Windows\{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\{2819F66F-5B12-4b02-A648-64FEF8511742}.exe
      C:\Windows\{2819F66F-5B12-4b02-A648-64FEF8511742}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe
        
        C:\Windows\{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Windows\{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe
        
        C:\Windows\{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe
        
        C:\Windows\{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe
        
        C:\Windows\{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe
        
        C:\Windows\{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe
        
        C:\Windows\{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\{58288030-27BA-4f99-A1F6-A521354B259E}.exe
        
        C:\Windows\{58288030-27BA-4f99-A1F6-A521354B259E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\{0833F9E5-C196-4c82-8788-C52694FC1AE5}.exe
        
        C:\Windows\{0833F9E5-C196-4c82-8788-C52694FC1AE5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
        
        C:\Windows\{5BA3164D-C2AC-4ee5-8C8B-7AAFCED20196}.exe
        
        C:\Windows\{5BA3164D-C2AC-4ee5-8C8B-7AAFCED20196}.exe
        13⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0833F~1.EXE > nul
        13⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58288~1.EXE > nul
        12⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D666~1.EXE > nul
        11⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CFD5~1.EXE > nul
        10⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61F83~1.EXE > nul
        9⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3A42~1.EXE > nul
        8⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0F73~1.EXE > nul
        7⤵
        
        PID:3524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5F8D~1.EXE > nul
        6⤵
        
        PID:3532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2819F~1.EXE > nul
        5⤵
        
        PID:3340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8AE96~1.EXE > nul
      4⤵
      PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4F05E~1.EXE > nul
    3⤵
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0833F9E5-C196-4c82-8788-C52694FC1AE5}.exe

Filesize
408KB

MD5
36a3f74c64a4e87646ec564e9944266b

SHA1
8bd851444e88b5747f093db0659e00883df34c1d

SHA256
8910f6417025757a9674b36fe686675ab3f9075cc027e17c967d9858653e958f

SHA512
a188063513acaa036dd47adb238801975ff4cd57e02264c7ea8c4c156652b9832396cf0ce032cf14a72fb1a57a5f3b66c90a1024e6517e177d07b6d4a61de726

Download Submit
C:\Windows\{1CFD50C5-4990-41f8-A449-8B60648F7C21}.exe

Filesize
408KB

MD5
55b6e758643bddf68aa9f311fa9eda3c

SHA1
132346fcc5cc2d03545f2c9da69c00aa1380ef1e

SHA256
70bb0cef107c077b00317e1cfd930b858076ca37a6eb4081fc324ef11b61993a

SHA512
dd2e2e98d328edaf1d883466f7c92194e09a9a4c03a018de7d6b69a46828e4e253e6e7f39d745d0aeec2a630053b4303af132419e94225f0083904e6e3dd3451

Download Submit
C:\Windows\{2819F66F-5B12-4b02-A648-64FEF8511742}.exe

Filesize
408KB

MD5
3a65f6ee874fc744a7338a30728bd6ec

SHA1
da62ea75ba25e517014ffd8ed046c5374f157ff5

SHA256
3c67aba5f91cf6b5b3a237a241358e47549fb3f21596688a04e6d34a2cfcf221

SHA512
7a1a72b785cffd89ff6a0d35e1c2fe2c2479093ef1ed561026f11fe1c5dce0798ca09bfacf5711c8e02d8ca16127e6e532f611dd333b0b54a5608dad306b2788

Download Submit
C:\Windows\{2D66648A-DAD5-4fe8-95D1-FE2E5F06EC20}.exe

Filesize
408KB

MD5
84d4520faaaa0e96dcd67a37c86b416c

SHA1
1d7a2b3a7df64cbcd2e9f3b6b5b6968ae64fef3e

SHA256
fb362e727f92682c341d5d6dd1a8a36bcd6fe494ef9dc23a3a2f26ad2d2676dd

SHA512
6adbe6910f33827c7bcb6fbdaeeee8dd414a064982b528b1df53bca9cc7006e48d01b3f534363cc68366c0d10448c42d5fb8026627dae9d8b5b7fa5f5db9104c

Download Submit
C:\Windows\{4F05E144-9C44-4ecd-8C73-E6F08354CBE0}.exe

Filesize
408KB

MD5
2eb191b1d757998054a69cd9739f13d9

SHA1
b38d304d571f69a7bfa40760a48c941b0571e806

SHA256
a47ee15ade08d98706a15777e3c16f5054c4b7883b1c5c3ed00d7a8d4b473728

SHA512
0d44a427aa6fcad5e97cbb4ac36c0ab98c2e8cab3adfab2ce9c357eb470fc2f34e9d6916c8da4778746a161099f5b0d0c00082ffe698f6a8425fcba63ac4fdc4

Download Submit
C:\Windows\{58288030-27BA-4f99-A1F6-A521354B259E}.exe

Filesize
408KB

MD5
fe9e905a73187873853c57884c8e10f9

SHA1
39679ff7936254e288752b2a26cacbcd7e5a49a7

SHA256
5d75b9aa159cd4db58f9154740c684320d45a7fde7074fc584fde265e9d9cd64

SHA512
86baa4e87ec90c97d52b953db2a983a89f36490eaab13d9030392534d75e5da5c0fe562788d7cd341751283d76a86c9e584dad70b521dbd5cc970ea6abf55c7c

Download Submit
C:\Windows\{5BA3164D-C2AC-4ee5-8C8B-7AAFCED20196}.exe

Filesize
408KB

MD5
fb429d169996aac4d627f734810f6e96

SHA1
9df055d0f4deae3e749b2b487e17c523dbe1c66e

SHA256
31840d581b7eb5be522076a328f44fefd65cd073b6119e662a3a6ef998bdc5cd

SHA512
ef247b9b68f79e0e4b47ed56988107c4cb96dfc0bb7adf1b67e2bb42aafee6e68aa7234b5661d0ab7be5106ecc2d35cdce49ce84f09f433500030cf46e8329a0

Download Submit
C:\Windows\{61F8369D-A209-4748-BF3D-D8F7FBA84211}.exe

Filesize
408KB

MD5
9502c3e67b07c243577cde45d6775939

SHA1
4748abdaee354005c1d5f3a8522eaf7e7dc7e35b

SHA256
5ea6d2ef14a0cbcd15cb771f7622b5d1dd00776511b172890284c72ec7486037

SHA512
a4c1f9bc0f4f9c31abcc99753a1ae54fee3812c08d0665691c7bd883219f0f0369c33df1969542e5f4ecbf572fa9b4c38ff92b47228aed44bc9897c394a0869a

Download Submit
C:\Windows\{8AE96BE9-9DC6-4d9e-A423-13632288B5D1}.exe

Filesize
408KB

MD5
5edb80ab543fcab8028f56769e515f18

SHA1
54c27f8cff04c85769d9a81f3f2fb09caa952d89

SHA256
f8cca492a8079091a734f9098538604fda905e950ef28859843ea3a57835a6ac

SHA512
0968bc7e6003c7e7de9a1b9d7fa85e29ac5510bc41d49a62bf4b1cd7fe6d800449f2aacb857ba3fc8c845c54e407e01ed62af0138b313e99ea60e5e27095b087

Download Submit
C:\Windows\{A0F73013-004E-4ab3-8BC6-065B582923EF}.exe

Filesize
408KB

MD5
7e963448812774ea1abc682c3d693c38

SHA1
0563d408dd3325ef219944418227572b734fcf07

SHA256
b46a279d38adbe18bc961b1fabee965675e1f4718083db4d13b76253f37317b1

SHA512
ee1503e8dfc7a20c485901513ec7703ff5d1e465b385e78a411076f176b008845bcc89a1e4250506037148949e8d29acd73fcbc867603f0c54abd87b2100e769

Download Submit
C:\Windows\{A5F8DC55-15AD-445c-9CA2-BFE25A68B0E6}.exe

Filesize
408KB

MD5
7585bbe48edfbbb2b974e3f525610003

SHA1
60cb8be29fa0de68557e2f6cdba7114caa8574cc

SHA256
494d1fe7a2e9b60d5b3e52f2eb45fbbe052a88d33ed77866b8e7f74598d394ab

SHA512
d1d551cb1be90b15ce711f2f3b55a63b70fc3d7f32a30edd7149727784e2c2f3ce42ef71e4818ffb2b8b3a1cd66a17dade1d0157f789e89fc18702a9ebfbcc16

Download Submit
C:\Windows\{C3A42C7C-A0E6-4514-A8A4-9256E1D3ABE3}.exe

Filesize
408KB

MD5
269e48fe6ab1fb61e719eafea5e7f10c

SHA1
3cd32a385e598965c82ca8f85f78c5086f957265

SHA256
c3793613db5a583052c7b480255aa8df4eb21352ec19c4d48f1412f90f52461d

SHA512
7d1870b9a2983e85bf9fe2c20f891bc04e814d88f1efadce4563ed32abc39b526347d4cbd570f02183951e5aab2648c10e4cbee98f5dbdd7785b6cdaafa8da9c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads