ec36b1216cc881bbf90cdc2c1fd40a3b94e2a1d65651a853016b2dbbc1b1ab75

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_e58edfe0001676c4c63cb0aef14d67ea_goldeneye.exe
Size

344KB
MD5

e58edfe0001676c4c63cb0aef14d67ea
SHA1

fde4dab6e4368cc334206fadca009de47ad0b338
SHA256

ec36b1216cc881bbf90cdc2c1fd40a3b94e2a1d65651a853016b2dbbc1b1ab75
SHA512

217f5c6c53036116e2e4d4fcc5408ab0901609fcc8e3b4406381d3f173fdbe304a0f754dfa5095e615b4f7acab5d4352d4c17edd0a4f2d6f8b5dd75e0da0e08c
SSDEEP

3072:mEGh0oJlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGHlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b9e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b9f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023ba4-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023bb2-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e74c-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023bb2-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e74c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023bb2-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e74c-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023bb2-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e74c-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023bb2-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}\stubpath = "C:\\Windows\\{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe"	{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}	{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DB00A34-8500-445b-A9F8-054AD290B59D}\stubpath = "C:\\Windows\\{9DB00A34-8500-445b-A9F8-054AD290B59D}.exe"	{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8BA5181-9D8A-443d-A8C0-526B2D9D5E50}	{9DB00A34-8500-445b-A9F8-054AD290B59D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8BA5181-9D8A-443d-A8C0-526B2D9D5E50}\stubpath = "C:\\Windows\\{F8BA5181-9D8A-443d-A8C0-526B2D9D5E50}.exe"	{9DB00A34-8500-445b-A9F8-054AD290B59D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFD1BC2F-B096-48b1-B67E-F92B043FB152}\stubpath = "C:\\Windows\\{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe"	{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{433928D2-6CBD-4e4e-87F8-2E421D7923E1}	{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{433928D2-6CBD-4e4e-87F8-2E421D7923E1}\stubpath = "C:\\Windows\\{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe"	{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07C675A2-8CF7-4e08-A373-154096B70BD3}\stubpath = "C:\\Windows\\{07C675A2-8CF7-4e08-A373-154096B70BD3}.exe"	{F8BA5181-9D8A-443d-A8C0-526B2D9D5E50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}	2024-04-26_e58edfe0001676c4c63cb0aef14d67ea_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}\stubpath = "C:\\Windows\\{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe"	{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DB00A34-8500-445b-A9F8-054AD290B59D}	{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91552BE9-437D-4229-8284-54F1F2239CF4}\stubpath = "C:\\Windows\\{91552BE9-437D-4229-8284-54F1F2239CF4}.exe"	{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}\stubpath = "C:\\Windows\\{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe"	{91552BE9-437D-4229-8284-54F1F2239CF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}	{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}	{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}\stubpath = "C:\\Windows\\{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe"	2024-04-26_e58edfe0001676c4c63cb0aef14d67ea_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFD1BC2F-B096-48b1-B67E-F92B043FB152}	{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91552BE9-437D-4229-8284-54F1F2239CF4}	{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}\stubpath = "C:\\Windows\\{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe"	{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07C675A2-8CF7-4e08-A373-154096B70BD3}	{F8BA5181-9D8A-443d-A8C0-526B2D9D5E50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C192140-7EE2-49d0-8E3A-CC023F1315C1}	{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C192140-7EE2-49d0-8E3A-CC023F1315C1}\stubpath = "C:\\Windows\\{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe"	{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}	{91552BE9-437D-4229-8284-54F1F2239CF4}.exe

Executes dropped EXE 12 IoCs

pid	Process
1576	{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe
4480	{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe
3868	{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe
5040	{91552BE9-437D-4229-8284-54F1F2239CF4}.exe
3284	{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe
5016	{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe
1132	{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe
4244	{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe
2848	{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe
884	{9DB00A34-8500-445b-A9F8-054AD290B59D}.exe
3516	{F8BA5181-9D8A-443d-A8C0-526B2D9D5E50}.exe
3332	{07C675A2-8CF7-4e08-A373-154096B70BD3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe	{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe
File created	C:\Windows\{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe	{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe
File created	C:\Windows\{91552BE9-437D-4229-8284-54F1F2239CF4}.exe	{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe
File created	C:\Windows\{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe	{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe
File created	C:\Windows\{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe	{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe
File created	C:\Windows\{9DB00A34-8500-445b-A9F8-054AD290B59D}.exe	{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe
File created	C:\Windows\{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe	2024-04-26_e58edfe0001676c4c63cb0aef14d67ea_goldeneye.exe
File created	C:\Windows\{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe	{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe
File created	C:\Windows\{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe	{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe
File created	C:\Windows\{F8BA5181-9D8A-443d-A8C0-526B2D9D5E50}.exe	{9DB00A34-8500-445b-A9F8-054AD290B59D}.exe
File created	C:\Windows\{07C675A2-8CF7-4e08-A373-154096B70BD3}.exe	{F8BA5181-9D8A-443d-A8C0-526B2D9D5E50}.exe
File created	C:\Windows\{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe	{91552BE9-437D-4229-8284-54F1F2239CF4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	772	2024-04-26_e58edfe0001676c4c63cb0aef14d67ea_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1576	{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe
Token: SeIncBasePriorityPrivilege	4480	{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe
Token: SeIncBasePriorityPrivilege	3868	{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe
Token: SeIncBasePriorityPrivilege	5040	{91552BE9-437D-4229-8284-54F1F2239CF4}.exe
Token: SeIncBasePriorityPrivilege	3284	{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe
Token: SeIncBasePriorityPrivilege	5016	{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe
Token: SeIncBasePriorityPrivilege	1132	{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe
Token: SeIncBasePriorityPrivilege	4244	{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe
Token: SeIncBasePriorityPrivilege	2848	{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe
Token: SeIncBasePriorityPrivilege	884	{9DB00A34-8500-445b-A9F8-054AD290B59D}.exe
Token: SeIncBasePriorityPrivilege	3516	{F8BA5181-9D8A-443d-A8C0-526B2D9D5E50}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 1576	772	2024-04-26_e58edfe0001676c4c63cb0aef14d67ea_goldeneye.exe	87
PID 772 wrote to memory of 1576	772	2024-04-26_e58edfe0001676c4c63cb0aef14d67ea_goldeneye.exe	87
PID 772 wrote to memory of 1576	772	2024-04-26_e58edfe0001676c4c63cb0aef14d67ea_goldeneye.exe	87
PID 772 wrote to memory of 2452	772	2024-04-26_e58edfe0001676c4c63cb0aef14d67ea_goldeneye.exe	88
PID 772 wrote to memory of 2452	772	2024-04-26_e58edfe0001676c4c63cb0aef14d67ea_goldeneye.exe	88
PID 772 wrote to memory of 2452	772	2024-04-26_e58edfe0001676c4c63cb0aef14d67ea_goldeneye.exe	88
PID 1576 wrote to memory of 4480	1576	{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe	89
PID 1576 wrote to memory of 4480	1576	{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe	89
PID 1576 wrote to memory of 4480	1576	{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe	89
PID 1576 wrote to memory of 3332	1576	{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe	90
PID 1576 wrote to memory of 3332	1576	{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe	90
PID 1576 wrote to memory of 3332	1576	{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe	90
PID 4480 wrote to memory of 3868	4480	{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe	96
PID 4480 wrote to memory of 3868	4480	{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe	96
PID 4480 wrote to memory of 3868	4480	{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe	96
PID 4480 wrote to memory of 2948	4480	{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe	97
PID 4480 wrote to memory of 2948	4480	{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe	97
PID 4480 wrote to memory of 2948	4480	{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe	97
PID 3868 wrote to memory of 5040	3868	{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe	100
PID 3868 wrote to memory of 5040	3868	{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe	100
PID 3868 wrote to memory of 5040	3868	{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe	100
PID 3868 wrote to memory of 3768	3868	{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe	101
PID 3868 wrote to memory of 3768	3868	{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe	101
PID 3868 wrote to memory of 3768	3868	{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe	101
PID 5040 wrote to memory of 3284	5040	{91552BE9-437D-4229-8284-54F1F2239CF4}.exe	104
PID 5040 wrote to memory of 3284	5040	{91552BE9-437D-4229-8284-54F1F2239CF4}.exe	104
PID 5040 wrote to memory of 3284	5040	{91552BE9-437D-4229-8284-54F1F2239CF4}.exe	104
PID 5040 wrote to memory of 3560	5040	{91552BE9-437D-4229-8284-54F1F2239CF4}.exe	105
PID 5040 wrote to memory of 3560	5040	{91552BE9-437D-4229-8284-54F1F2239CF4}.exe	105
PID 5040 wrote to memory of 3560	5040	{91552BE9-437D-4229-8284-54F1F2239CF4}.exe	105
PID 3284 wrote to memory of 5016	3284	{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe	106
PID 3284 wrote to memory of 5016	3284	{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe	106
PID 3284 wrote to memory of 5016	3284	{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe	106
PID 3284 wrote to memory of 3740	3284	{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe	107
PID 3284 wrote to memory of 3740	3284	{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe	107
PID 3284 wrote to memory of 3740	3284	{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe	107
PID 5016 wrote to memory of 1132	5016	{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe	108
PID 5016 wrote to memory of 1132	5016	{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe	108
PID 5016 wrote to memory of 1132	5016	{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe	108
PID 5016 wrote to memory of 220	5016	{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe	109
PID 5016 wrote to memory of 220	5016	{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe	109
PID 5016 wrote to memory of 220	5016	{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe	109
PID 1132 wrote to memory of 4244	1132	{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe	110
PID 1132 wrote to memory of 4244	1132	{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe	110
PID 1132 wrote to memory of 4244	1132	{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe	110
PID 1132 wrote to memory of 4604	1132	{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe	111
PID 1132 wrote to memory of 4604	1132	{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe	111
PID 1132 wrote to memory of 4604	1132	{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe	111
PID 4244 wrote to memory of 2848	4244	{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe	112
PID 4244 wrote to memory of 2848	4244	{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe	112
PID 4244 wrote to memory of 2848	4244	{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe	112
PID 4244 wrote to memory of 4004	4244	{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe	113
PID 4244 wrote to memory of 4004	4244	{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe	113
PID 4244 wrote to memory of 4004	4244	{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe	113
PID 2848 wrote to memory of 884	2848	{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe	114
PID 2848 wrote to memory of 884	2848	{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe	114
PID 2848 wrote to memory of 884	2848	{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe	114
PID 2848 wrote to memory of 336	2848	{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe	115
PID 2848 wrote to memory of 336	2848	{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe	115
PID 2848 wrote to memory of 336	2848	{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe	115
PID 884 wrote to memory of 3516	884	{9DB00A34-8500-445b-A9F8-054AD290B59D}.exe	116
PID 884 wrote to memory of 3516	884	{9DB00A34-8500-445b-A9F8-054AD290B59D}.exe	116
PID 884 wrote to memory of 3516	884	{9DB00A34-8500-445b-A9F8-054AD290B59D}.exe	116
PID 884 wrote to memory of 3880	884	{9DB00A34-8500-445b-A9F8-054AD290B59D}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-26_e58edfe0001676c4c63cb0aef14d67ea_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_e58edfe0001676c4c63cb0aef14d67ea_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe
  C:\Windows\{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe
    C:\Windows\{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe
      C:\Windows\{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3868
    - - C:\Windows\{91552BE9-437D-4229-8284-54F1F2239CF4}.exe
        
        C:\Windows\{91552BE9-437D-4229-8284-54F1F2239CF4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
      - C:\Windows\{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe
        
        C:\Windows\{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe
        
        C:\Windows\{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe
        
        C:\Windows\{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe
        
        C:\Windows\{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe
        
        C:\Windows\{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\{9DB00A34-8500-445b-A9F8-054AD290B59D}.exe
        
        C:\Windows\{9DB00A34-8500-445b-A9F8-054AD290B59D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\{F8BA5181-9D8A-443d-A8C0-526B2D9D5E50}.exe
        
        C:\Windows\{F8BA5181-9D8A-443d-A8C0-526B2D9D5E50}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
        
        C:\Windows\{07C675A2-8CF7-4e08-A373-154096B70BD3}.exe
        
        C:\Windows\{07C675A2-8CF7-4e08-A373-154096B70BD3}.exe
        13⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8BA5~1.EXE > nul
        13⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DB00~1.EXE > nul
        12⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EF81~1.EXE > nul
        11⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{405A6~1.EXE > nul
        10⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22702~1.EXE > nul
        9⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43392~1.EXE > nul
        8⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3DBC~1.EXE > nul
        7⤵
        
        PID:3740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91552~1.EXE > nul
        6⤵
        
        PID:3560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C192~1.EXE > nul
        5⤵
        
        PID:3768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EFD1B~1.EXE > nul
      4⤵
      PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3D10~1.EXE > nul
    3⤵
    PID:3332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07C675A2-8CF7-4e08-A373-154096B70BD3}.exe

Filesize
344KB

MD5
91368a6935087118b67ec17501dab441

SHA1
4c90ba22a1761f493cb8f1bb6153247a956a2a3b

SHA256
37ed24692172757b61e56de36b895c34c8357e46a31ad3d8b2f9b64d16965bb0

SHA512
c8393e8453e30f0dc97aff033c808727802e0f17c0493a7f33d7bc38d1f1f76d05b7606755590407838210d16046e6e9f0fc343178bd5556cc79b151deea0e2e

Download Submit
C:\Windows\{227021B3-DD1D-4b8c-ABCF-BF5D6B1B9CC0}.exe

Filesize
344KB

MD5
e8f9616d5202b74a8b5d2a054f8db836

SHA1
99dca724bde7d4a3eb57aeb0cb0f89926aa79964

SHA256
74d183deb4f94135f0bbe4eee0d3c236fc00ec79665d2b12157e3ba1e184b0c0

SHA512
d20eb782874640fff804db2d1bd75d2b7ec16b7c567abaa87ce140567b7b2bb057ffcb02173941835c6a78c2d68da988ce547ecfb946406fd6fa48148072ad3f

Download Submit
C:\Windows\{3C192140-7EE2-49d0-8E3A-CC023F1315C1}.exe

Filesize
344KB

MD5
1ff6c2df85031c038c593cf4cc6acf9c

SHA1
8eb63a4c760849048cb23e9ef420dfe4fe0faa9a

SHA256
912d2be9ce057e30465870186828db4bbbaf4f8d197e249d3a9c60a6e3e998ce

SHA512
c74ca93c43d5996ab99c656393766d51107a4c3dc4990bf6a2c1a9c40ae460e952a8a8c3317aed6d2da7c6c6313b173109327ad67ea39c0a86179dd3e8bd57a9

Download Submit
C:\Windows\{3EF81F65-E30A-4356-8EB0-E8F52AB137A1}.exe

Filesize
344KB

MD5
4c890c8e8513de556eca17ae6916d8b7

SHA1
ff109c8d02b06a719cd58fc703bf38114a47b9ca

SHA256
bc1a9e894c5a92d4fc347dac3e933882e1e9de3b27664bf9124fefc17b6c5dfe

SHA512
82062b0205674a3e687084babe5040d916820d67b9e27696349c586448c96bd7d2114a9d6a5ce6742447dd4046f4c700d0e46894f35dd03919c1e00c18beecca

Download Submit
C:\Windows\{405A6E62-C894-467d-8B8F-52F2AF3CB7D7}.exe

Filesize
344KB

MD5
f28f14678104e473b8b2c392191be554

SHA1
357f146bea8c483ed934f0612a3fb6a4d8896fa2

SHA256
1cad67b0cf20abdd8fc439746f6ed670b0f3c57046f5a8e83fc50e2bf769acda

SHA512
58984e5858eb640b3b1f36132e2543c899f0599e21ab51cef52b893df2377cf597f8fdbff05b5583d1649926ac816ecfbcfbeec43b28e5cb2d6b57a0b5f6e482

Download Submit
C:\Windows\{433928D2-6CBD-4e4e-87F8-2E421D7923E1}.exe

Filesize
344KB

MD5
654bf149eb0c10109ce8ef3a11eb161c

SHA1
11ba893734c2977dff1a6019742bd61b7760a4a1

SHA256
562d4a1b52395e5a5aed62fc47ee72a6a75fc64aa40d4666fe9c845089bcef9a

SHA512
6fd83e7de94fa334d2da7a72161f8db5fb3d855e03d15e42b0c42f8887c9f67bc27bc10d7477cfd25fb355479b6b91ffc365810ad662bc8100edc0b200313e2d

Download Submit
C:\Windows\{91552BE9-437D-4229-8284-54F1F2239CF4}.exe

Filesize
344KB

MD5
e334ee52655f0a3626e9475ed550c1ea

SHA1
a28c0b5b734e98acede966dd0ab3ef94d71161f5

SHA256
5c655c8e397989e039f29fbaf8ab61edf5760b316e4d4f79caafd98090b3a6a0

SHA512
e8aa0c6a30ae6da7f9abedaf70440d85f091a38c4637a2352777d361b5bc705500e4a8d5a25dd53cd41c71be42fb81aa65f3e92c0e11d42d792666d6525df3ec

Download Submit
C:\Windows\{9DB00A34-8500-445b-A9F8-054AD290B59D}.exe

Filesize
344KB

MD5
309c7961c1a74acffbf31e10453bac03

SHA1
e0cb941f4be82a5b81e542f6f471521f5275aed0

SHA256
3fdb931a55ab8e1f905dff96d13dd521416bf6d6571076b1ebed5e3d9b63f8ba

SHA512
59764be592570b72a701c6fa380abc8a4ce59adfbdb2169c01880cb2747b091693916338a2a0c96eb372069c7d8f658565d6733f47e3cb3aa9f7059831fbf9e9

Download Submit
C:\Windows\{C3DBC6EB-AF85-4d62-BDDD-70607BA5D39F}.exe

Filesize
344KB

MD5
a58c05e65874fbceeda43f6ad07343ed

SHA1
80bad6440b89a8d3432220b20a0d6c879f6426ef

SHA256
dbfac270bbd92e63e96f0496c65b112e39cab995efebbb90efefd71c79f15113

SHA512
bddaf7f7e535578cc084a4a67d5a5beca6872ab177af16145a70f8e581b39907e73c369f50d8bed3bd4ac5b76f4deb32c18f176e83f14a92a2df56c80806d953

Download Submit
C:\Windows\{D3D10C62-B7BD-4cdc-8A40-826962FA4BDD}.exe

Filesize
344KB

MD5
235e137f7b2ad7da331a04601a687549

SHA1
033ef2a72ba34584dc8e73d7761a89c88765c776

SHA256
175797a94ac9be6c43dd550155880f0a08e368101ae13df14b704eb962047078

SHA512
1207a3aec788dcdd980d636dd98eb43e67648ce6a31de5fa27a1a93b8c36096155452db43016c0306c23c77dd47450d1ff3d5f260340b752183604bda71bd1d5

Download Submit
C:\Windows\{EFD1BC2F-B096-48b1-B67E-F92B043FB152}.exe

Filesize
344KB

MD5
fd1e209bc8fda3bd1363897cdbe710f4

SHA1
5964c74d03f1f377be1df06fe4adf1c635cd9e74

SHA256
8ca96e585e4b6c40f79b535e041f3deb42368e2cad94380e2c5a6db99ac06df8

SHA512
584e2474c752371da44ed872a667cad9141dc3eea04e86f141662f844bb8f512787bd1ada9b2bb836a523d1e55ec5f70da92688000cfa4dc0711f71a6b286583

Download Submit
C:\Windows\{F8BA5181-9D8A-443d-A8C0-526B2D9D5E50}.exe

Filesize
344KB

MD5
23062bcd71603db5d58c7896de7ff775

SHA1
a2c50284d868ab8ee5b8ee4dff4c85989327925f

SHA256
fc7d5c52cbd2dc4115c21f01b51f13edf70faea1ef0026785534d24810fb5c9b

SHA512
6919c4833ec9f8cff9cdb14a3c1699702b395662a6ba6643873de0650e0091e9535a8558820454dde39e1d736936ae4eb3d6b84a429841ce9f1ea47b8666b071

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads