954b77ccae42f2c61b2ca819dd5337d58b33b52188978b623ee77dd5244552c7

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe
Size

216KB
MD5

0e47a90689afa51956f920c914848175
SHA1

2acd5655d18097831d68dda57c359b8461603d2a
SHA256

954b77ccae42f2c61b2ca819dd5337d58b33b52188978b623ee77dd5244552c7
SHA512

d17a806ad6b1cce25a4799459ca098f24790a5786f8f7b031033b91c3024568f38e1777f147b4f2e3edc4809c702a60ce481c5ac596907f28ebfef598491f440
SSDEEP

3072:jEGh0obl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGFlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002339c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002341b-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002341f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023422-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002341f-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023425-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002341f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002343c-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002341f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023411-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002341f-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023384-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}	{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}	{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1C38DDA-26DA-4f37-9C55-F94E56568C50}\stubpath = "C:\\Windows\\{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe"	{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4089A4F8-48AB-4d35-8112-C87251F92599}	{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4089A4F8-48AB-4d35-8112-C87251F92599}\stubpath = "C:\\Windows\\{4089A4F8-48AB-4d35-8112-C87251F92599}.exe"	{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACBA6927-C80D-44d0-9E4F-5249BE5978A0}	{4089A4F8-48AB-4d35-8112-C87251F92599}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACBA6927-C80D-44d0-9E4F-5249BE5978A0}\stubpath = "C:\\Windows\\{ACBA6927-C80D-44d0-9E4F-5249BE5978A0}.exe"	{4089A4F8-48AB-4d35-8112-C87251F92599}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3222A32C-6FDB-4bb1-BFF9-0A8848AE301A}\stubpath = "C:\\Windows\\{3222A32C-6FDB-4bb1-BFF9-0A8848AE301A}.exe"	{ACBA6927-C80D-44d0-9E4F-5249BE5978A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8FD15B5-D18C-48bd-B624-72669F39E015}\stubpath = "C:\\Windows\\{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe"	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC17030D-DFE6-4a78-8709-525D662BEA59}	{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC17030D-DFE6-4a78-8709-525D662BEA59}\stubpath = "C:\\Windows\\{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe"	{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}\stubpath = "C:\\Windows\\{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe"	{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B3B8318-3563-4878-8016-61DBFD4F382D}\stubpath = "C:\\Windows\\{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe"	{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}	{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8FD15B5-D18C-48bd-B624-72669F39E015}	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}\stubpath = "C:\\Windows\\{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe"	{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}\stubpath = "C:\\Windows\\{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe"	{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}\stubpath = "C:\\Windows\\{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe"	{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1C38DDA-26DA-4f37-9C55-F94E56568C50}	{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}	{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B3B8318-3563-4878-8016-61DBFD4F382D}	{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}	{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}\stubpath = "C:\\Windows\\{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe"	{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3222A32C-6FDB-4bb1-BFF9-0A8848AE301A}	{ACBA6927-C80D-44d0-9E4F-5249BE5978A0}.exe

Executes dropped EXE 12 IoCs

pid	Process
2212	{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe
900	{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe
4356	{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe
2456	{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe
1176	{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe
1388	{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe
4924	{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe
1456	{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe
2496	{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe
1040	{4089A4F8-48AB-4d35-8112-C87251F92599}.exe
2404	{ACBA6927-C80D-44d0-9E4F-5249BE5978A0}.exe
4128	{3222A32C-6FDB-4bb1-BFF9-0A8848AE301A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe	{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe
File created	C:\Windows\{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe	{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe
File created	C:\Windows\{3222A32C-6FDB-4bb1-BFF9-0A8848AE301A}.exe	{ACBA6927-C80D-44d0-9E4F-5249BE5978A0}.exe
File created	C:\Windows\{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe	{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe
File created	C:\Windows\{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe	{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe
File created	C:\Windows\{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe	{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe
File created	C:\Windows\{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe	{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe
File created	C:\Windows\{4089A4F8-48AB-4d35-8112-C87251F92599}.exe	{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe
File created	C:\Windows\{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe
File created	C:\Windows\{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe	{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe
File created	C:\Windows\{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe	{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe
File created	C:\Windows\{ACBA6927-C80D-44d0-9E4F-5249BE5978A0}.exe	{4089A4F8-48AB-4d35-8112-C87251F92599}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3608	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2212	{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe
Token: SeIncBasePriorityPrivilege	900	{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe
Token: SeIncBasePriorityPrivilege	4356	{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe
Token: SeIncBasePriorityPrivilege	2456	{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe
Token: SeIncBasePriorityPrivilege	1176	{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe
Token: SeIncBasePriorityPrivilege	1388	{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe
Token: SeIncBasePriorityPrivilege	4924	{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe
Token: SeIncBasePriorityPrivilege	1456	{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe
Token: SeIncBasePriorityPrivilege	2496	{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe
Token: SeIncBasePriorityPrivilege	1040	{4089A4F8-48AB-4d35-8112-C87251F92599}.exe
Token: SeIncBasePriorityPrivilege	2404	{ACBA6927-C80D-44d0-9E4F-5249BE5978A0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 2212	3608	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe	102
PID 3608 wrote to memory of 2212	3608	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe	102
PID 3608 wrote to memory of 2212	3608	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe	102
PID 3608 wrote to memory of 1576	3608	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe	103
PID 3608 wrote to memory of 1576	3608	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe	103
PID 3608 wrote to memory of 1576	3608	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe	103
PID 2212 wrote to memory of 900	2212	{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe	105
PID 2212 wrote to memory of 900	2212	{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe	105
PID 2212 wrote to memory of 900	2212	{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe	105
PID 2212 wrote to memory of 5076	2212	{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe	106
PID 2212 wrote to memory of 5076	2212	{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe	106
PID 2212 wrote to memory of 5076	2212	{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe	106
PID 900 wrote to memory of 4356	900	{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe	109
PID 900 wrote to memory of 4356	900	{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe	109
PID 900 wrote to memory of 4356	900	{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe	109
PID 900 wrote to memory of 4608	900	{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe	110
PID 900 wrote to memory of 4608	900	{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe	110
PID 900 wrote to memory of 4608	900	{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe	110
PID 4356 wrote to memory of 2456	4356	{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe	111
PID 4356 wrote to memory of 2456	4356	{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe	111
PID 4356 wrote to memory of 2456	4356	{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe	111
PID 4356 wrote to memory of 3268	4356	{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe	112
PID 4356 wrote to memory of 3268	4356	{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe	112
PID 4356 wrote to memory of 3268	4356	{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe	112
PID 2456 wrote to memory of 1176	2456	{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe	113
PID 2456 wrote to memory of 1176	2456	{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe	113
PID 2456 wrote to memory of 1176	2456	{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe	113
PID 2456 wrote to memory of 4820	2456	{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe	114
PID 2456 wrote to memory of 4820	2456	{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe	114
PID 2456 wrote to memory of 4820	2456	{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe	114
PID 1176 wrote to memory of 1388	1176	{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe	121
PID 1176 wrote to memory of 1388	1176	{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe	121
PID 1176 wrote to memory of 1388	1176	{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe	121
PID 1176 wrote to memory of 4220	1176	{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe	122
PID 1176 wrote to memory of 4220	1176	{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe	122
PID 1176 wrote to memory of 4220	1176	{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe	122
PID 1388 wrote to memory of 4924	1388	{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe	123
PID 1388 wrote to memory of 4924	1388	{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe	123
PID 1388 wrote to memory of 4924	1388	{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe	123
PID 1388 wrote to memory of 3872	1388	{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe	124
PID 1388 wrote to memory of 3872	1388	{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe	124
PID 1388 wrote to memory of 3872	1388	{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe	124
PID 4924 wrote to memory of 1456	4924	{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe	129
PID 4924 wrote to memory of 1456	4924	{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe	129
PID 4924 wrote to memory of 1456	4924	{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe	129
PID 4924 wrote to memory of 3156	4924	{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe	130
PID 4924 wrote to memory of 3156	4924	{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe	130
PID 4924 wrote to memory of 3156	4924	{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe	130
PID 1456 wrote to memory of 2496	1456	{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe	134
PID 1456 wrote to memory of 2496	1456	{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe	134
PID 1456 wrote to memory of 2496	1456	{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe	134
PID 1456 wrote to memory of 2148	1456	{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe	135
PID 1456 wrote to memory of 2148	1456	{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe	135
PID 1456 wrote to memory of 2148	1456	{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe	135
PID 2496 wrote to memory of 1040	2496	{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe	136
PID 2496 wrote to memory of 1040	2496	{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe	136
PID 2496 wrote to memory of 1040	2496	{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe	136
PID 2496 wrote to memory of 4860	2496	{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe	137
PID 2496 wrote to memory of 4860	2496	{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe	137
PID 2496 wrote to memory of 4860	2496	{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe	137
PID 1040 wrote to memory of 2404	1040	{4089A4F8-48AB-4d35-8112-C87251F92599}.exe	138
PID 1040 wrote to memory of 2404	1040	{4089A4F8-48AB-4d35-8112-C87251F92599}.exe	138
PID 1040 wrote to memory of 2404	1040	{4089A4F8-48AB-4d35-8112-C87251F92599}.exe	138
PID 1040 wrote to memory of 4236	1040	{4089A4F8-48AB-4d35-8112-C87251F92599}.exe	139

C:\Users\Admin\AppData\Local\Temp\2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Windows\{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe
  C:\Windows\{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe
    C:\Windows\{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe
      C:\Windows\{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe
        
        C:\Windows\{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
      - C:\Windows\{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe
        
        C:\Windows\{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe
        
        C:\Windows\{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe
        
        C:\Windows\{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe
        
        C:\Windows\{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe
        
        C:\Windows\{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{4089A4F8-48AB-4d35-8112-C87251F92599}.exe
        
        C:\Windows\{4089A4F8-48AB-4d35-8112-C87251F92599}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\{ACBA6927-C80D-44d0-9E4F-5249BE5978A0}.exe
        
        C:\Windows\{ACBA6927-C80D-44d0-9E4F-5249BE5978A0}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\{3222A32C-6FDB-4bb1-BFF9-0A8848AE301A}.exe
        
        C:\Windows\{3222A32C-6FDB-4bb1-BFF9-0A8848AE301A}.exe
        13⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACBA6~1.EXE > nul
        13⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4089A~1.EXE > nul
        12⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1C38~1.EXE > nul
        11⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FE8D~1.EXE > nul
        10⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9329B~1.EXE > nul
        9⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A12F1~1.EXE > nul
        8⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B3B8~1.EXE > nul
        7⤵
        
        PID:4220
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E0C7~1.EXE > nul
        6⤵
        
        PID:4820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC170~1.EXE > nul
        5⤵
        
        PID:3268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E4D70~1.EXE > nul
      4⤵
      PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D8FD1~1.EXE > nul
    3⤵
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FE8D810-034F-43ad-AF82-02BD50D1E8C0}.exe

Filesize
216KB

MD5
73f315d92e9bb9c6b6a09a2a78a0e47d

SHA1
3803a2ae40cbcb2130271a6db2f1e7c4b93eed92

SHA256
5ac19852a5d7c421cedafeba53977f353b8692be65844134fab25c97015d456b

SHA512
0f14bee87aa06fbf48c3a96dae19e9a941021d5660517fbb86f56190fe327e676d3a8c285ec62af498ff989117779e782bd19ddf059cb6b68009a884fbb86fbb

Download Submit
C:\Windows\{3222A32C-6FDB-4bb1-BFF9-0A8848AE301A}.exe

Filesize
216KB

MD5
8a6e2bce7ede41abed4eabf96c4a3f10

SHA1
bb0a85373f4f3911c60314c931da64cdec20587e

SHA256
aaa61502054fb56550c1942336dff0c3df702c89ced2ae06fe34ba46f92fa30e

SHA512
76588e9309acd6d5375bb6eaf8f3c1e2a40dad8e13a94e30d249c52bca5cead023c14b9991c69d580b95664f4896af7bd7ff2e2098987e60b6ffd2f789f79d20

Download Submit
C:\Windows\{4089A4F8-48AB-4d35-8112-C87251F92599}.exe

Filesize
216KB

MD5
9852d6a4a3481f7ea51ace0d6e91fbb4

SHA1
820863a3fc0cdb7f66566f846f0471bc0d0f0cc2

SHA256
592bea8c3663a19c825d058339bd204a7dac70a3cdfc531a282847050172ed5a

SHA512
caa7bd8757afabc567e87822ec8ae86c4bafbf1d2c1bb79a20502f56e9b052c8729cf20c71d117ebe49f49c0ff21d37ebea44a118c168999fe7d40e2ee3f96c9

Download Submit
C:\Windows\{7E0C7F59-2C17-4403-8DA9-CAAC7EA25BDF}.exe

Filesize
216KB

MD5
50fc10f2d94ffe651c73ddbaa415e6e2

SHA1
82193844ed7684e61700dfb3e1a908c79ade4a6c

SHA256
5ecd0ab4a0e3af1593bafbc9b320beac7f0ded0a313ace17fb3511ec4f1b2245

SHA512
0d45d712c4825cca83cbf4385722fbd9acddd48922d73d3e322f9458143c6838f6311b1213c63131f7f0030ced42122b44ed86b63b4aafe696a0624b9d899f9a

Download Submit
C:\Windows\{8B3B8318-3563-4878-8016-61DBFD4F382D}.exe

Filesize
216KB

MD5
80f289cebffafadf2136c16f61891068

SHA1
7ef1376b843904b4e445d684fa85ad5e43cf5740

SHA256
75e49370cf11573dbfe123c53487acd467f50ce99050bd44ca73fc8df7843241

SHA512
6698e1e5b8e8cffccaa7620f295409f0a73126c9b2e88ddfb193f91bf7f4a26bbe56fade977991399aec539434d3428470f4e6464171af3fd0b15b54d63f1287

Download Submit
C:\Windows\{9329BF22-C96D-4297-A93D-F7BDDFD83BB0}.exe

Filesize
216KB

MD5
0260939ebdf39237f8b9b2508b2b4a03

SHA1
941aa0707420d99cb6bf3072cca429e028072cfe

SHA256
469b8c2c3d4c6dbfd8d0345f2cbda8ee3c12451b4c19b4c718fe1e026bf48804

SHA512
c694999695bfd21a3a79cd59c8691e4c0b8aa3c0b7322ba24accd47fd3c87e01c340570f32eaa010a96d6a9efa3c2674c15a5b31a68cb7034af17567c55b9ca2

Download Submit
C:\Windows\{A12F1D1B-14ED-4251-A1F5-F6E6EEECCFDB}.exe

Filesize
216KB

MD5
3df66b78a3c9b9e117e0a5c64b730ded

SHA1
ee3e897cc0f0bc1245894bf3bae0ea366d246437

SHA256
b854f35c62b1c8531f3714709868d34f05828313e786302ff740a4d70c0692b2

SHA512
82a2b61a7a5a52a5a563f57925dcd1b33f1aa38343bda84766ef01a759551b963ef193e2b37a127c744572aeba7ef04bbd100fe4e3ad8877ec72fd6a58b03534

Download Submit
C:\Windows\{ACBA6927-C80D-44d0-9E4F-5249BE5978A0}.exe

Filesize
216KB

MD5
735ae7062d714cdf0cc86dc90417b15c

SHA1
fe123cdc8a69386015385ef6704313cc98aa1476

SHA256
be8ec5d4e8427de7dfa446f06f907811814f2c0f68da9cd97564f3a9337caa45

SHA512
ddcdeb53b2d30cefd224664194c79870867213afe74bcccf0080980225fe83c47779946eca4a176cc13b30e74039800ca9c8f6bf75f153a8f5af061e1a83181b

Download Submit
C:\Windows\{BC17030D-DFE6-4a78-8709-525D662BEA59}.exe

Filesize
216KB

MD5
906d2345b9b1a5cb666097b20f33b02b

SHA1
3f658bd8327f5fb3858f4d8e1e40746292ab7077

SHA256
aae7705922d37f1793dabf7f3896cba701da9101e3eccf75d2eac96436873a23

SHA512
4dca8979cae90c3479c0caa568adcda5601c17a05ba01c1e7f5fe2f5d1f746546d67293bb9049027e34750f3a25a6f378d8ba35d5d17704a055419433baacf68

Download Submit
C:\Windows\{D8FD15B5-D18C-48bd-B624-72669F39E015}.exe

Filesize
216KB

MD5
97b282bf04f2a09895dc8f836fec5408

SHA1
87a4a5aee46e945db8bcb53a8809569da71b4c6c

SHA256
1a43e6cbb5e1c2d243d93b7f6ba25a0c2f7c80c87dc30b3f384e7e621183bec2

SHA512
cfedf2466eb329b3fc1fd05265a30f159b3a0f7a2b835cc9098ee791e2dd24133ffaba36feb898e64a166bf2acc349a08715cee72d36689fa4c7ccffdc2652ce

Download Submit
C:\Windows\{E1C38DDA-26DA-4f37-9C55-F94E56568C50}.exe

Filesize
216KB

MD5
d21dc08bd1fac4d920b47915535b7e08

SHA1
b694b420be05fa4eb2cb44bf177a149981f4245d

SHA256
8132b131e589cb6cec8f19b4f5c27fff3a109c9e6d3ba74f06eeb7898d148cee

SHA512
2061ff33c0b668742f4a7eb0de114193c2e9a17f18d72a2643c034d4a3d5a9beb46dcc8c71a9b10f0d592fd641b1531d7c6a590b49aed6d3630b32df71176edb

Download Submit
C:\Windows\{E4D703A7-7B37-4e7a-BACE-E1D4E1EE0E2C}.exe

Filesize
216KB

MD5
ca17164285a99e5e508aaa51fea068e8

SHA1
0bbb08d25533ed901c9715bbeb808a9eb8273780

SHA256
5f1d6109adc3ed87fd7fde3150c742be9774d600efb37dc16560df69869fc134

SHA512
ac9524f584d88423f4010d16dde9bc6d24bab7b455c94d149ca8aae1b526eadca63cf3cca2dcd736e007a4b37c015eac4e1394ad1612d32c0d2f3bedcf746b4c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads