293097b3f3a5b7d5eb55377e444c1f16c9cb972122e77da05a245890b296484d

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_1ea9e3b39423ef51a3762516fd58dbb5_goldeneye.exe
Size

408KB
MD5

1ea9e3b39423ef51a3762516fd58dbb5
SHA1

b598185d3f25e7f07230f9104ade7692b7b9522d
SHA256

293097b3f3a5b7d5eb55377e444c1f16c9cb972122e77da05a245890b296484d
SHA512

8b0b732b4a467dd291945e678225887bb4e1ba971f36a391678ad42adac0b8a9d8d894274fbc42611812f6257dc3f71a893e2860d8821983e2b0ad117dc319de
SSDEEP

3072:CEGh0oyl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGUldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023401-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023402-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233f8-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023402-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233f8-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002340a-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233f8-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002340a-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0017000000023402-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002337e-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0018000000023402-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023368-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{973F582A-6F62-42d1-8705-EA75D3386DDB}	{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27F8E31C-7784-45df-A663-0DA51B8521A8}\stubpath = "C:\\Windows\\{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe"	2024-04-25_1ea9e3b39423ef51a3762516fd58dbb5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}	{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAEF335F-58D5-43b8-81AD-2140F1949FE5}	{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}\stubpath = "C:\\Windows\\{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe"	{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{973F582A-6F62-42d1-8705-EA75D3386DDB}\stubpath = "C:\\Windows\\{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe"	{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C91809C9-6C72-4b25-8D8E-182458EF325A}\stubpath = "C:\\Windows\\{C91809C9-6C72-4b25-8D8E-182458EF325A}.exe"	{7A028F6F-922D-4aae-A16E-0A4BDB41D330}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}	{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}\stubpath = "C:\\Windows\\{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe"	{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A028F6F-922D-4aae-A16E-0A4BDB41D330}	{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C91809C9-6C72-4b25-8D8E-182458EF325A}	{7A028F6F-922D-4aae-A16E-0A4BDB41D330}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0739482C-4B06-48b4-97C1-A30E2CB9815C}	{C91809C9-6C72-4b25-8D8E-182458EF325A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}	{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}\stubpath = "C:\\Windows\\{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe"	{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2C149BB-5F76-40ac-979F-F3EA001F103D}	{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0739482C-4B06-48b4-97C1-A30E2CB9815C}\stubpath = "C:\\Windows\\{0739482C-4B06-48b4-97C1-A30E2CB9815C}.exe"	{C91809C9-6C72-4b25-8D8E-182458EF325A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAEF335F-58D5-43b8-81AD-2140F1949FE5}\stubpath = "C:\\Windows\\{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe"	{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13874F9C-FD51-47dd-8178-219C77D07B2C}	{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13874F9C-FD51-47dd-8178-219C77D07B2C}\stubpath = "C:\\Windows\\{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe"	{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2C149BB-5F76-40ac-979F-F3EA001F103D}\stubpath = "C:\\Windows\\{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe"	{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A028F6F-922D-4aae-A16E-0A4BDB41D330}\stubpath = "C:\\Windows\\{7A028F6F-922D-4aae-A16E-0A4BDB41D330}.exe"	{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27F8E31C-7784-45df-A663-0DA51B8521A8}	2024-04-25_1ea9e3b39423ef51a3762516fd58dbb5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}\stubpath = "C:\\Windows\\{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe"	{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}	{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe

Executes dropped EXE 12 IoCs

pid	Process
3956	{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe
3636	{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe
4952	{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe
4012	{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe
4444	{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe
5052	{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe
1928	{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe
1136	{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe
1636	{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe
4616	{7A028F6F-922D-4aae-A16E-0A4BDB41D330}.exe
3472	{C91809C9-6C72-4b25-8D8E-182458EF325A}.exe
3020	{0739482C-4B06-48b4-97C1-A30E2CB9815C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe	{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe
File created	C:\Windows\{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe	2024-04-25_1ea9e3b39423ef51a3762516fd58dbb5_goldeneye.exe
File created	C:\Windows\{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe	{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe
File created	C:\Windows\{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe	{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe
File created	C:\Windows\{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe	{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe
File created	C:\Windows\{7A028F6F-922D-4aae-A16E-0A4BDB41D330}.exe	{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe
File created	C:\Windows\{C91809C9-6C72-4b25-8D8E-182458EF325A}.exe	{7A028F6F-922D-4aae-A16E-0A4BDB41D330}.exe
File created	C:\Windows\{0739482C-4B06-48b4-97C1-A30E2CB9815C}.exe	{C91809C9-6C72-4b25-8D8E-182458EF325A}.exe
File created	C:\Windows\{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe	{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe
File created	C:\Windows\{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe	{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe
File created	C:\Windows\{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe	{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe
File created	C:\Windows\{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe	{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4276	2024-04-25_1ea9e3b39423ef51a3762516fd58dbb5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3956	{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe
Token: SeIncBasePriorityPrivilege	3636	{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe
Token: SeIncBasePriorityPrivilege	4952	{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe
Token: SeIncBasePriorityPrivilege	4012	{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe
Token: SeIncBasePriorityPrivilege	4444	{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe
Token: SeIncBasePriorityPrivilege	5052	{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe
Token: SeIncBasePriorityPrivilege	1928	{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe
Token: SeIncBasePriorityPrivilege	1136	{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe
Token: SeIncBasePriorityPrivilege	1636	{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe
Token: SeIncBasePriorityPrivilege	4616	{7A028F6F-922D-4aae-A16E-0A4BDB41D330}.exe
Token: SeIncBasePriorityPrivilege	3472	{C91809C9-6C72-4b25-8D8E-182458EF325A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 3956	4276	2024-04-25_1ea9e3b39423ef51a3762516fd58dbb5_goldeneye.exe	101
PID 4276 wrote to memory of 3956	4276	2024-04-25_1ea9e3b39423ef51a3762516fd58dbb5_goldeneye.exe	101
PID 4276 wrote to memory of 3956	4276	2024-04-25_1ea9e3b39423ef51a3762516fd58dbb5_goldeneye.exe	101
PID 4276 wrote to memory of 1696	4276	2024-04-25_1ea9e3b39423ef51a3762516fd58dbb5_goldeneye.exe	102
PID 4276 wrote to memory of 1696	4276	2024-04-25_1ea9e3b39423ef51a3762516fd58dbb5_goldeneye.exe	102
PID 4276 wrote to memory of 1696	4276	2024-04-25_1ea9e3b39423ef51a3762516fd58dbb5_goldeneye.exe	102
PID 3956 wrote to memory of 3636	3956	{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe	103
PID 3956 wrote to memory of 3636	3956	{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe	103
PID 3956 wrote to memory of 3636	3956	{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe	103
PID 3956 wrote to memory of 1532	3956	{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe	104
PID 3956 wrote to memory of 1532	3956	{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe	104
PID 3956 wrote to memory of 1532	3956	{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe	104
PID 3636 wrote to memory of 4952	3636	{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe	107
PID 3636 wrote to memory of 4952	3636	{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe	107
PID 3636 wrote to memory of 4952	3636	{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe	107
PID 3636 wrote to memory of 2256	3636	{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe	108
PID 3636 wrote to memory of 2256	3636	{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe	108
PID 3636 wrote to memory of 2256	3636	{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe	108
PID 4952 wrote to memory of 4012	4952	{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe	109
PID 4952 wrote to memory of 4012	4952	{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe	109
PID 4952 wrote to memory of 4012	4952	{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe	109
PID 4952 wrote to memory of 1104	4952	{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe	110
PID 4952 wrote to memory of 1104	4952	{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe	110
PID 4952 wrote to memory of 1104	4952	{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe	110
PID 4012 wrote to memory of 4444	4012	{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe	111
PID 4012 wrote to memory of 4444	4012	{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe	111
PID 4012 wrote to memory of 4444	4012	{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe	111
PID 4012 wrote to memory of 4188	4012	{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe	112
PID 4012 wrote to memory of 4188	4012	{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe	112
PID 4012 wrote to memory of 4188	4012	{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe	112
PID 4444 wrote to memory of 5052	4444	{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe	118
PID 4444 wrote to memory of 5052	4444	{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe	118
PID 4444 wrote to memory of 5052	4444	{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe	118
PID 4444 wrote to memory of 1708	4444	{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe	119
PID 4444 wrote to memory of 1708	4444	{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe	119
PID 4444 wrote to memory of 1708	4444	{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe	119
PID 5052 wrote to memory of 1928	5052	{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe	120
PID 5052 wrote to memory of 1928	5052	{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe	120
PID 5052 wrote to memory of 1928	5052	{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe	120
PID 5052 wrote to memory of 3296	5052	{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe	121
PID 5052 wrote to memory of 3296	5052	{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe	121
PID 5052 wrote to memory of 3296	5052	{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe	121
PID 1928 wrote to memory of 1136	1928	{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe	124
PID 1928 wrote to memory of 1136	1928	{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe	124
PID 1928 wrote to memory of 1136	1928	{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe	124
PID 1928 wrote to memory of 1104	1928	{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe	125
PID 1928 wrote to memory of 1104	1928	{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe	125
PID 1928 wrote to memory of 1104	1928	{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe	125
PID 1136 wrote to memory of 1636	1136	{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe	131
PID 1136 wrote to memory of 1636	1136	{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe	131
PID 1136 wrote to memory of 1636	1136	{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe	131
PID 1136 wrote to memory of 4540	1136	{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe	132
PID 1136 wrote to memory of 4540	1136	{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe	132
PID 1136 wrote to memory of 4540	1136	{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe	132
PID 1636 wrote to memory of 4616	1636	{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe	133
PID 1636 wrote to memory of 4616	1636	{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe	133
PID 1636 wrote to memory of 4616	1636	{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe	133
PID 1636 wrote to memory of 1844	1636	{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe	134
PID 1636 wrote to memory of 1844	1636	{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe	134
PID 1636 wrote to memory of 1844	1636	{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe	134
PID 4616 wrote to memory of 3472	4616	{7A028F6F-922D-4aae-A16E-0A4BDB41D330}.exe	135
PID 4616 wrote to memory of 3472	4616	{7A028F6F-922D-4aae-A16E-0A4BDB41D330}.exe	135
PID 4616 wrote to memory of 3472	4616	{7A028F6F-922D-4aae-A16E-0A4BDB41D330}.exe	135
PID 4616 wrote to memory of 4208	4616	{7A028F6F-922D-4aae-A16E-0A4BDB41D330}.exe	136

C:\Users\Admin\AppData\Local\Temp\2024-04-25_1ea9e3b39423ef51a3762516fd58dbb5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_1ea9e3b39423ef51a3762516fd58dbb5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe
  C:\Windows\{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe
    C:\Windows\{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe
      C:\Windows\{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Windows\{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe
        
        C:\Windows\{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4012
      - C:\Windows\{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe
        
        C:\Windows\{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe
        
        C:\Windows\{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe
        
        C:\Windows\{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe
        
        C:\Windows\{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe
        
        C:\Windows\{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{7A028F6F-922D-4aae-A16E-0A4BDB41D330}.exe
        
        C:\Windows\{7A028F6F-922D-4aae-A16E-0A4BDB41D330}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\{C91809C9-6C72-4b25-8D8E-182458EF325A}.exe
        
        C:\Windows\{C91809C9-6C72-4b25-8D8E-182458EF325A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
        
        C:\Windows\{0739482C-4B06-48b4-97C1-A30E2CB9815C}.exe
        
        C:\Windows\{0739482C-4B06-48b4-97C1-A30E2CB9815C}.exe
        13⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9180~1.EXE > nul
        13⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A028~1.EXE > nul
        12⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36CF1~1.EXE > nul
        11⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2C14~1.EXE > nul
        10⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13874~1.EXE > nul
        9⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{973F5~1.EXE > nul
        8⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAEF3~1.EXE > nul
        7⤵
        
        PID:1708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44E97~1.EXE > nul
        6⤵
        
        PID:4188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77A43~1.EXE > nul
        5⤵
        
        PID:1104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0B8AA~1.EXE > nul
      4⤵
      PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{27F8E~1.EXE > nul
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0739482C-4B06-48b4-97C1-A30E2CB9815C}.exe

Filesize
408KB

MD5
a786b6439206271f92921b382e7d0f2b

SHA1
b70c3d034f1e3eb27b1c0264885ee5a8cd118c3e

SHA256
10e677c071d6e9924e73471ee86eafb9a78a32714d3b0665d41282f27fe03b02

SHA512
bcfc22cc1c4b1be78746c865d86f0c452127f57c2366b6d8f9092e1db80d3464f086255cd7152b034069447411a7aa7c3b8ba92060c74a96689784f1a2bda1f3

Download Submit
C:\Windows\{0B8AA06B-FCF6-41e6-80AD-F05853C623D3}.exe

Filesize
408KB

MD5
62d6b0c5d94a97e79ac53d5b14dab538

SHA1
833adf3b6c41f17efb05481ff84cd9d36e79e747

SHA256
2ef3a8759c5d31d1c88d2f17fe66be8af1a35a868b573fb8ff8d6a814e6face1

SHA512
99051e9c7e23a82101867b29099cfd901c3d4bf4b2460dac27cd37f6343c401d01bd9e44c21e074b4df70f5d1385b3a0484e3ae187c2a7247a676d13db7fcc96

Download Submit
C:\Windows\{13874F9C-FD51-47dd-8178-219C77D07B2C}.exe

Filesize
408KB

MD5
b93abcf7f92397c97b5adc1ab2fb41f6

SHA1
a89556443393374d2587e1d8dcb048fdd0c42652

SHA256
cb89c7529811570ba89f6e6589a298f51d9c45a4640399e7e3b6de3e6fb1805a

SHA512
6e29f798299f14b471d4ad1b5bdb8d455916327b37e9009e95f71f6d6b0abb1de5c51c6f8325d183726ec49b65627ccd8120544abd37ea13a9267ff3bf7cdd10

Download Submit
C:\Windows\{27F8E31C-7784-45df-A663-0DA51B8521A8}.exe

Filesize
408KB

MD5
bd63241cd88f00ac0ae596c24657bb96

SHA1
428f4ebd0dea25a09157bb094f87d8d045d2b047

SHA256
26cc790eb3b4aaf6628755751ae384035f330dcd39a1cac930193a3aa5fb3f28

SHA512
ad4eb3f8d437d791c1635675a972b6c5788619e67c28f20bba9c519fa85d1d4498507fce0728dca6ec5e9a64a91715e2e5ea19ab94bfff00282473a519858352

Download Submit
C:\Windows\{36CF1CD9-8E78-4a09-8BF7-BFE6B0EAFC38}.exe

Filesize
408KB

MD5
4e62d2f77ab68ced3b52b3b7188742ce

SHA1
ad5b0dce09cdd609173026608520ab0b7ff15df3

SHA256
5460733d9cde0a7f74fcb8369264407a0f63f623e50c70830995fd47b0402ebc

SHA512
af65b84c44ba4116429baee086cf982370f7587db5b253adab7a39bb335d21813d922eb509f1eaadf188e2b60f03642e980cc8945291bb7df4f6d88d3f58a572

Download Submit
C:\Windows\{44E97B16-A02E-4c9c-A6BF-1D6169C1F0BE}.exe

Filesize
408KB

MD5
42cee17c79785fe9bed62375b2810fe3

SHA1
158dfce95ab0297447227f924afc6be7bba6cd1e

SHA256
5f8808c29721ad2b27c40d48a3763afb0d1936272639b643c157df2d28f6704a

SHA512
b904acb12e31f5ef947f227dba444275b7cf85fe6c6efc47ca7c6bf58a062b50d71a0f29327bd6fd0e23c01339f9ce18f122374e7b155cb5f6ca9633275cbfea

Download Submit
C:\Windows\{77A43EF1-A951-4d9c-AC16-79EBFDCD4882}.exe

Filesize
408KB

MD5
e7fb7d8071c454ef1973708edecb2859

SHA1
41912322cbd5300bf83e07a4af057122d8b23ad7

SHA256
52a96762fdea92929a4da20a0f0f8494960c633780ffde3c903b5795e748c1f4

SHA512
577fdf031cada6be86b199545d0beb64e0b9b2f7a048f7f4b2ccdcaf44d3710bbba087bdae7cdd9af6ceefb3c204e99aa45634cc1c8a61c8bc170f380a0fe0a2

Download Submit
C:\Windows\{7A028F6F-922D-4aae-A16E-0A4BDB41D330}.exe

Filesize
408KB

MD5
42b8e9dff800f62c076c5a24a1006f0e

SHA1
8dae3ec1fcee3c191a01b01f9cf5ec84954cdcbf

SHA256
ebba39f6f01aa30443948b9684edbd3399be52fb8c367639eb6c43560c9d021d

SHA512
52cc0b97f8ac6f71e42d9e9972832eeae1cdf4c22626c22cfe20fb58209c4667fbb114ff9bdffdf7daac9511c15f47502d6b9724ae333c052a6fc07b50af79f6

Download Submit
C:\Windows\{973F582A-6F62-42d1-8705-EA75D3386DDB}.exe

Filesize
408KB

MD5
29e428b006c03fe5b8fd1880efaab6d9

SHA1
8cfb6c150e0a9cf18635b64a90013c7b1443d4cb

SHA256
6e5efc8ad6b5e9ac39715f85c2ff9b372fcc1f7e7849374d32d3a8c77a5d9711

SHA512
92ac152d28a6b7cd68296f3d94941026b1be7cc7ff2117cccb5165a9a5de635c9306bf2dbbff42e87c189e0a9af07063f70b6e33b8c86ee0999d54910607fd64

Download Submit
C:\Windows\{C91809C9-6C72-4b25-8D8E-182458EF325A}.exe

Filesize
408KB

MD5
52f5d8e0b5378a2aa0aa85942a81d731

SHA1
fc5fb99ba75914720397e71283f65d26ec52733d

SHA256
830b563bb4a56f264efea3680b5c8de65143c64788e5b31229feddcfa3249fd5

SHA512
6bc7046cf107bb990bb12deeea206b3024d9badd25653c9a4ceae8e483d72383b27f7fcb03e4e123cc1358c6770a4467cc3262aa1373164bd1a294f285e67fac

Download Submit
C:\Windows\{CAEF335F-58D5-43b8-81AD-2140F1949FE5}.exe

Filesize
408KB

MD5
c598789acb96efd20279b269423717e4

SHA1
95c8628016c032e0e3e49411d8d72fcf77870d92

SHA256
6b189a60cefecc4dd5bf6c4a3b24f0f7087651e728e2f39a49c756f924a80c1b

SHA512
9f025394dec85d5331e56be75df3e1f520184a5ec31c0d42b2ccae2b2306469c92bd52b56583b3e2731dd974d19cf30d8f1885f679164d61ad5978c33e7a5abb

Download Submit
C:\Windows\{F2C149BB-5F76-40ac-979F-F3EA001F103D}.exe

Filesize
408KB

MD5
d499c7ed4e1954accf22c64a276a8fb2

SHA1
2d6e7193e3ccf079a7951a0ffc0be626cd7488e4

SHA256
e44c9ec13ee1e33c1d681c1aa6290c24c1ac8bf44d32f5497f59ea46bee6aa76

SHA512
c50c7dbe26ec796676afc3e3aa0a7fcf0e94f050958ea8946eca42575f2bd2184829672346d0082d684ecdf19f849614b7c560aef2973b949fc5ccfa13a06bb8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads