4004dc82dab14b273b8234556c7786482a4e4702045cce3eafa3b3befd5cf31e

Analysis

max time kernel
149s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe
Size

408KB
MD5

3d9887811fde67e9f59b564f07e0d419
SHA1

3142be4b863c77fe4e9d8614f3cf3b1eb4f16e99
SHA256

4004dc82dab14b273b8234556c7786482a4e4702045cce3eafa3b3befd5cf31e
SHA512

30f67050a0377c43eb7d5710f1944eb38b72057bb444c2cb134fde540814a971523547dbe1eebb8586c626fccb370601831016b2640613c875778de45bf4afd7
SSDEEP

3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGbldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022ab8-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001b0000000234ed-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x002000000002384c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023b77-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000016935-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b77-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000016935-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023b77-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000016935-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023b77-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000016935-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023b77-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDA51500-CA9D-4c36-ACB0-62AF51083621}	{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}	{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E723CD6-7506-4296-938F-4B1F02CBE1FA}	{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7D66A86-7119-42cf-AE7E-75609FD49272}\stubpath = "C:\\Windows\\{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe"	{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73579A0E-EBB7-4959-943A-89B76CDB37E7}\stubpath = "C:\\Windows\\{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe"	{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}\stubpath = "C:\\Windows\\{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe"	{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE38B4B1-DD7E-423f-B345-6B01E2F2FA23}\stubpath = "C:\\Windows\\{BE38B4B1-DD7E-423f-B345-6B01E2F2FA23}.exe"	{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F45C2ADF-8F59-4bb5-BB34-2D2CDFD5E81F}	{BE38B4B1-DD7E-423f-B345-6B01E2F2FA23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F45C2ADF-8F59-4bb5-BB34-2D2CDFD5E81F}\stubpath = "C:\\Windows\\{F45C2ADF-8F59-4bb5-BB34-2D2CDFD5E81F}.exe"	{BE38B4B1-DD7E-423f-B345-6B01E2F2FA23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDA51500-CA9D-4c36-ACB0-62AF51083621}\stubpath = "C:\\Windows\\{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe"	{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E723CD6-7506-4296-938F-4B1F02CBE1FA}\stubpath = "C:\\Windows\\{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe"	{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7D66A86-7119-42cf-AE7E-75609FD49272}	{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}	{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}\stubpath = "C:\\Windows\\{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe"	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CFF014F-3E1D-4c16-AD18-47EAB417C466}\stubpath = "C:\\Windows\\{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe"	{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73579A0E-EBB7-4959-943A-89B76CDB37E7}	{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}\stubpath = "C:\\Windows\\{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe"	{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}	{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}	{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}\stubpath = "C:\\Windows\\{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe"	{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CFF014F-3E1D-4c16-AD18-47EAB417C466}	{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}\stubpath = "C:\\Windows\\{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}.exe"	{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE38B4B1-DD7E-423f-B345-6B01E2F2FA23}	{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4892	{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe
924	{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe
4276	{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe
2448	{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe
116	{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe
3840	{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe
3228	{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe
704	{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe
2088	{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe
552	{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}.exe
3040	{BE38B4B1-DD7E-423f-B345-6B01E2F2FA23}.exe
4892	{F45C2ADF-8F59-4bb5-BB34-2D2CDFD5E81F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe	{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe
File created	C:\Windows\{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe	{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe
File created	C:\Windows\{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe	{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe
File created	C:\Windows\{BE38B4B1-DD7E-423f-B345-6B01E2F2FA23}.exe	{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}.exe
File created	C:\Windows\{F45C2ADF-8F59-4bb5-BB34-2D2CDFD5E81F}.exe	{BE38B4B1-DD7E-423f-B345-6B01E2F2FA23}.exe
File created	C:\Windows\{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe
File created	C:\Windows\{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe	{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe
File created	C:\Windows\{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe	{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe
File created	C:\Windows\{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe	{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe
File created	C:\Windows\{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe	{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe
File created	C:\Windows\{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe	{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe
File created	C:\Windows\{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}.exe	{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4412	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4892	{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe
Token: SeIncBasePriorityPrivilege	924	{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe
Token: SeIncBasePriorityPrivilege	4276	{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe
Token: SeIncBasePriorityPrivilege	2448	{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe
Token: SeIncBasePriorityPrivilege	116	{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe
Token: SeIncBasePriorityPrivilege	3840	{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe
Token: SeIncBasePriorityPrivilege	3228	{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe
Token: SeIncBasePriorityPrivilege	704	{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe
Token: SeIncBasePriorityPrivilege	2088	{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe
Token: SeIncBasePriorityPrivilege	552	{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}.exe
Token: SeIncBasePriorityPrivilege	3040	{BE38B4B1-DD7E-423f-B345-6B01E2F2FA23}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 4892	4412	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe	88
PID 4412 wrote to memory of 4892	4412	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe	88
PID 4412 wrote to memory of 4892	4412	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe	88
PID 4412 wrote to memory of 3620	4412	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe	89
PID 4412 wrote to memory of 3620	4412	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe	89
PID 4412 wrote to memory of 3620	4412	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe	89
PID 4892 wrote to memory of 924	4892	{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe	90
PID 4892 wrote to memory of 924	4892	{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe	90
PID 4892 wrote to memory of 924	4892	{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe	90
PID 4892 wrote to memory of 4716	4892	{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe	91
PID 4892 wrote to memory of 4716	4892	{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe	91
PID 4892 wrote to memory of 4716	4892	{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe	91
PID 924 wrote to memory of 4276	924	{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe	98
PID 924 wrote to memory of 4276	924	{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe	98
PID 924 wrote to memory of 4276	924	{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe	98
PID 924 wrote to memory of 960	924	{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe	99
PID 924 wrote to memory of 960	924	{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe	99
PID 924 wrote to memory of 960	924	{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe	99
PID 4276 wrote to memory of 2448	4276	{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe	102
PID 4276 wrote to memory of 2448	4276	{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe	102
PID 4276 wrote to memory of 2448	4276	{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe	102
PID 4276 wrote to memory of 3080	4276	{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe	103
PID 4276 wrote to memory of 3080	4276	{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe	103
PID 4276 wrote to memory of 3080	4276	{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe	103
PID 2448 wrote to memory of 116	2448	{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe	105
PID 2448 wrote to memory of 116	2448	{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe	105
PID 2448 wrote to memory of 116	2448	{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe	105
PID 2448 wrote to memory of 1684	2448	{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe	106
PID 2448 wrote to memory of 1684	2448	{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe	106
PID 2448 wrote to memory of 1684	2448	{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe	106
PID 116 wrote to memory of 3840	116	{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe	107
PID 116 wrote to memory of 3840	116	{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe	107
PID 116 wrote to memory of 3840	116	{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe	107
PID 116 wrote to memory of 4884	116	{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe	108
PID 116 wrote to memory of 4884	116	{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe	108
PID 116 wrote to memory of 4884	116	{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe	108
PID 3840 wrote to memory of 3228	3840	{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe	109
PID 3840 wrote to memory of 3228	3840	{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe	109
PID 3840 wrote to memory of 3228	3840	{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe	109
PID 3840 wrote to memory of 4684	3840	{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe	110
PID 3840 wrote to memory of 4684	3840	{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe	110
PID 3840 wrote to memory of 4684	3840	{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe	110
PID 3228 wrote to memory of 704	3228	{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe	111
PID 3228 wrote to memory of 704	3228	{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe	111
PID 3228 wrote to memory of 704	3228	{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe	111
PID 3228 wrote to memory of 1760	3228	{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe	112
PID 3228 wrote to memory of 1760	3228	{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe	112
PID 3228 wrote to memory of 1760	3228	{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe	112
PID 704 wrote to memory of 2088	704	{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe	113
PID 704 wrote to memory of 2088	704	{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe	113
PID 704 wrote to memory of 2088	704	{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe	113
PID 704 wrote to memory of 436	704	{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe	114
PID 704 wrote to memory of 436	704	{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe	114
PID 704 wrote to memory of 436	704	{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe	114
PID 2088 wrote to memory of 552	2088	{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe	115
PID 2088 wrote to memory of 552	2088	{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe	115
PID 2088 wrote to memory of 552	2088	{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe	115
PID 2088 wrote to memory of 2520	2088	{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe	116
PID 2088 wrote to memory of 2520	2088	{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe	116
PID 2088 wrote to memory of 2520	2088	{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe	116
PID 552 wrote to memory of 3040	552	{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}.exe	117
PID 552 wrote to memory of 3040	552	{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}.exe	117
PID 552 wrote to memory of 3040	552	{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}.exe	117
PID 552 wrote to memory of 3912	552	{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe
  C:\Windows\{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe
    C:\Windows\{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Windows\{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe
      C:\Windows\{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4276
    - - C:\Windows\{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe
        
        C:\Windows\{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe
        
        C:\Windows\{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe
        
        C:\Windows\{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe
        
        C:\Windows\{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe
        
        C:\Windows\{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe
        
        C:\Windows\{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}.exe
        
        C:\Windows\{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\{BE38B4B1-DD7E-423f-B345-6B01E2F2FA23}.exe
        
        C:\Windows\{BE38B4B1-DD7E-423f-B345-6B01E2F2FA23}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\{F45C2ADF-8F59-4bb5-BB34-2D2CDFD5E81F}.exe
        
        C:\Windows\{F45C2ADF-8F59-4bb5-BB34-2D2CDFD5E81F}.exe
        13⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE38B~1.EXE > nul
        13⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DF62~1.EXE > nul
        12⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{193B5~1.EXE > nul
        11⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A237~1.EXE > nul
        10⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73579~1.EXE > nul
        9⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7D66~1.EXE > nul
        8⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CFF0~1.EXE > nul
        7⤵
        
        PID:4884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E723~1.EXE > nul
        6⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F121C~1.EXE > nul
        5⤵
        
        PID:3080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FDA51~1.EXE > nul
      4⤵
      PID:960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5D4FC~1.EXE > nul
    3⤵
    PID:4716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{193B544B-F2E6-4dd7-9D09-8F77C3FB60E8}.exe

Filesize
408KB

MD5
111dd19e1a967a25fe2b4564cf4eb0ef

SHA1
457a95e05d3d8cc10dfc4df0a4ff05ec0dadf266

SHA256
966940206e4a5a47cde70020373fddbe831200fafb99b176507e1f2737af5e42

SHA512
e084e8cd78a8b3b8c45d94d96247e2683b155b3cb182eb70ca65706e894e43f0c042ae8841246e0b063c24b3bd7b90d74fa42c9a6b67f6deed6496a3e8e472c5

Download Submit
C:\Windows\{2A237278-AA24-4569-8EC0-4AA2D1DBF15C}.exe

Filesize
408KB

MD5
5eb5bec277bc088a211ff65a094e8cde

SHA1
4f272d1e2a8efd33803ba7e5a1b2049332b9152a

SHA256
ce4f0bb0085e0dc06a1555c02c0c146acdaabadeb7b2d7a4965390007b5442b6

SHA512
9e69f68480f9df6dd49d5b10c02726334df8a8c9a2b982e73ef22a40aab583189768917000465ec62e8eda969089248c6cce572424fa7750ec66cc8a2611459a

Download Submit
C:\Windows\{3DF62086-2E1E-42ce-9DD7-7D89F72A470B}.exe

Filesize
408KB

MD5
7fc236a1240d425da99c92c12f5097db

SHA1
ea9e7ab2433da5d5bec79609b5cc58d9ade274f3

SHA256
c320f69c5b66f59730a9e6c3a6cd1971ad57a907f2cd0614207ec579d8a3c2bf

SHA512
f980eb779b0801961459cfe3dfe58b9655cc88bff5be19c84bd34737eae0097ad5646c66850f4aea1c7f0cb4441580a3305cefb30a66224d0687ed2cbc7a082f

Download Submit
C:\Windows\{5D4FC037-2339-438f-875D-AAB9B3ADFFA9}.exe

Filesize
408KB

MD5
02a263fae38fb565739c90558e5045d8

SHA1
3a897572b3c05afdb4a0ad89aa5f8335d1108084

SHA256
6050ee5c826f35e60b3e6633da203601810b67d5bb648e967c1326caae25ecac

SHA512
2035a3b5295edf4d3b82e8970faee2f21d6d89bb3fcac2cf862546c65ce9cecdfc05f776f88aff49d66af9dedf8bf00fecf9afa33ca365a43858effd1f1d8c89

Download Submit
C:\Windows\{73579A0E-EBB7-4959-943A-89B76CDB37E7}.exe

Filesize
408KB

MD5
e34c64268a2f55a6d9b1f91b5c3be02c

SHA1
68d3f75256e7af17bc9880eedcc426c695ea68a2

SHA256
4b5bc7046e328e8a97e6a15d696b945e5ce23fed39297c31cc277e63c2906748

SHA512
624f4eafcdd530a4ac08a6d4a929de59f12b183db970baebf31fa27aa8d2ec4f423ebf3be085e320561bb918cb8cc49f2c8215688e3dc4984aa7a2f6078053e8

Download Submit
C:\Windows\{8CFF014F-3E1D-4c16-AD18-47EAB417C466}.exe

Filesize
408KB

MD5
ad3689532c441a73c36d272cda1e8472

SHA1
b151eb4a260b8c5d7bd394aab66d89e21650f0a9

SHA256
1819e03830500673d1e616153522ece54f74849269ff16e1a013b29750385617

SHA512
fdb322bdd28d4e32ef2284100d17a9347d6ee6c3b7d1447ff17bb7d6c911e3403f43d2438d3cfd13d7dc8f42b4c74d8440861db6dcb53d7a08ebeb0470b0063b

Download Submit
C:\Windows\{9E723CD6-7506-4296-938F-4B1F02CBE1FA}.exe

Filesize
408KB

MD5
9d7d9fa93a6fe61906173270e1448430

SHA1
b1e3e16cbf31be6ff317e837ac0dab8ae805e76b

SHA256
aae93909704fd0682a2e6f78cc51a18300972d7f9d27f52197689935dd3de02e

SHA512
0e35e2cfaffcbe6d54adb6fad145c760b0a73c37d7e266ddb7f468d98eec3dc8d1f0086655f821caba9db84adedcc2376d1d357167214837e93f42263a1fd818

Download Submit
C:\Windows\{BE38B4B1-DD7E-423f-B345-6B01E2F2FA23}.exe

Filesize
408KB

MD5
64f6b24c98c00d8a49ed16a698ffed9d

SHA1
056d1012ab021c726d33f0764f217925a7cdecd1

SHA256
e401578853b280d8c02ec412faef916dc2d196605e183b47ed0cf57b8491e8d6

SHA512
9c4797b07d4be493180d0670cd884a7fb3733ac5b1565cbb6ba02d8a217568da2180eda7a806d152950778cbf6717f458832bcd12697c33e8911be9f022a4b82

Download Submit
C:\Windows\{E7D66A86-7119-42cf-AE7E-75609FD49272}.exe

Filesize
408KB

MD5
90ce7f1abd4380f45742aa99801f91f7

SHA1
0039471afbca60ecc6fed5232ed255ee8a18bf0d

SHA256
26ed86416b4751a939ae90ce22338f68c70965f1b8bf5f01bbf03c57ee536f4f

SHA512
4ae88ac819f40da19ca9b526868c6e00441e8501141d66723fc2845c3bd3113252b1851e8523b847563fba4acb7d63664c38c60aa052c180b64e13f6384d3572

Download Submit
C:\Windows\{F121CE5A-8249-4ea3-92D3-D8D0F85247BE}.exe

Filesize
408KB

MD5
aa0d7b27a3faf0d617d84a63d01f6224

SHA1
00bacbce0e047d105df788fbf3b389409537ba88

SHA256
6941ecc96870fca7f6e874607e7d7bc4655d9ea0bc2b55dab00ce1d48fc6d4fc

SHA512
c8a509f08abb08b388f84071eddfac4f14519cb96c6fb8177dc7038f752a84474db64f3d59dddb4cfff5eb21e675167f1f829472d1e8e6a54f5f4d479ad242f0

Download Submit
C:\Windows\{F45C2ADF-8F59-4bb5-BB34-2D2CDFD5E81F}.exe

Filesize
408KB

MD5
fee254fc909bc68c6911b8a0233f51e2

SHA1
8b8bac76a20fab2c389facf5ee6640bcc8b322e4

SHA256
ea30745b21a47080b5d76bc55568b05e5a64ada29609845d9e210b7f86c7b4c3

SHA512
7715392b468f80b95562ded24b5d9a541f36b0106b4cd3702ef0b3cf261d543c35e27cb18b8d3ae05b99b4ea41d8c72e0a197644f9b9ce8abb379f90f93e36e6

Download Submit
C:\Windows\{FDA51500-CA9D-4c36-ACB0-62AF51083621}.exe

Filesize
408KB

MD5
5792ec9e36566a34cb9226eaa1076df8

SHA1
59b7fb0b22c09082fcda8a1631c674a3b053a7c8

SHA256
c47314637dea7a3599bffa76d4248c9822d72f4aa5f44e88a55bd0229b87abc5

SHA512
bace26a343415eec04d30661473300d3add4b138845d3aae4b7e6f16d6e5b6012933fbafe3625bdecc580db35e6047194c30bdcb50a991011f197d1cd57e767d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads