02139de7f2ee743bdbfc936320e99b7df7f7549ae9c73cd68eccbb45c397dacb

Analysis

max time kernel
149s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 05:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_d2e6f3dc14c368fdcbce17c2bff90099_goldeneye.exe
Size

204KB
MD5

d2e6f3dc14c368fdcbce17c2bff90099
SHA1

d641e9e889373a92e4fb5829cc158c546b75e5f4
SHA256

02139de7f2ee743bdbfc936320e99b7df7f7549ae9c73cd68eccbb45c397dacb
SHA512

b369e241b37602d0056424a4479ec853f6d1da28398699fb98086d4d000a25543bf0add8038299226f89f1116ac70163e1777513a21a4e7cd031d3fbf4ffb7b3
SSDEEP

1536:1EGh0o9l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o9l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b8e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b8f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023b94-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023b97-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023ba3-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b97-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023ba3-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023b97-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023ba3-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023b97-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023ba3-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023b97-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C309B17A-6F60-4c40-960F-E779AD7E7FEB}	{9B45112E-9692-4e42-A4A5-4454574A2443}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E47073-7EE4-4e62-B5E8-0411D4CAF67E}\stubpath = "C:\\Windows\\{05E47073-7EE4-4e62-B5E8-0411D4CAF67E}.exe"	{BDD19D12-76F4-42ec-9CDE-F3C78CCFB5C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}	{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D569F32-E90F-41da-998E-41D47DEF8546}\stubpath = "C:\\Windows\\{1D569F32-E90F-41da-998E-41D47DEF8546}.exe"	{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}\stubpath = "C:\\Windows\\{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe"	{1D569F32-E90F-41da-998E-41D47DEF8546}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}\stubpath = "C:\\Windows\\{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe"	{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B45112E-9692-4e42-A4A5-4454574A2443}	{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B45112E-9692-4e42-A4A5-4454574A2443}\stubpath = "C:\\Windows\\{9B45112E-9692-4e42-A4A5-4454574A2443}.exe"	{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D06F20C1-9F4B-4204-9633-BDE7111476D5}\stubpath = "C:\\Windows\\{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe"	{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A5F236D-D8FE-4c89-B792-DD359D196FD5}\stubpath = "C:\\Windows\\{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe"	2024-04-28_d2e6f3dc14c368fdcbce17c2bff90099_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D90DFE2-5279-498c-8B26-88C130BC4C85}	{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D90DFE2-5279-498c-8B26-88C130BC4C85}\stubpath = "C:\\Windows\\{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe"	{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}\stubpath = "C:\\Windows\\{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe"	{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D06F20C1-9F4B-4204-9633-BDE7111476D5}	{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}	{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}	{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A5F236D-D8FE-4c89-B792-DD359D196FD5}	2024-04-28_d2e6f3dc14c368fdcbce17c2bff90099_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}	{1D569F32-E90F-41da-998E-41D47DEF8546}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}\stubpath = "C:\\Windows\\{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe"	{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C309B17A-6F60-4c40-960F-E779AD7E7FEB}\stubpath = "C:\\Windows\\{C309B17A-6F60-4c40-960F-E779AD7E7FEB}.exe"	{9B45112E-9692-4e42-A4A5-4454574A2443}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDD19D12-76F4-42ec-9CDE-F3C78CCFB5C1}	{C309B17A-6F60-4c40-960F-E779AD7E7FEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDD19D12-76F4-42ec-9CDE-F3C78CCFB5C1}\stubpath = "C:\\Windows\\{BDD19D12-76F4-42ec-9CDE-F3C78CCFB5C1}.exe"	{C309B17A-6F60-4c40-960F-E779AD7E7FEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E47073-7EE4-4e62-B5E8-0411D4CAF67E}	{BDD19D12-76F4-42ec-9CDE-F3C78CCFB5C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D569F32-E90F-41da-998E-41D47DEF8546}	{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe

Executes dropped EXE 12 IoCs

pid	Process
4972	{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe
3392	{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe
364	{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe
908	{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe
1268	{1D569F32-E90F-41da-998E-41D47DEF8546}.exe
2752	{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe
4672	{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe
1108	{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe
1376	{9B45112E-9692-4e42-A4A5-4454574A2443}.exe
1996	{C309B17A-6F60-4c40-960F-E779AD7E7FEB}.exe
4200	{BDD19D12-76F4-42ec-9CDE-F3C78CCFB5C1}.exe
3100	{05E47073-7EE4-4e62-B5E8-0411D4CAF67E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1D569F32-E90F-41da-998E-41D47DEF8546}.exe	{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe
File created	C:\Windows\{9B45112E-9692-4e42-A4A5-4454574A2443}.exe	{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe
File created	C:\Windows\{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe	2024-04-28_d2e6f3dc14c368fdcbce17c2bff90099_goldeneye.exe
File created	C:\Windows\{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe	{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe
File created	C:\Windows\{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe	{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe
File created	C:\Windows\{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe	{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe
File created	C:\Windows\{BDD19D12-76F4-42ec-9CDE-F3C78CCFB5C1}.exe	{C309B17A-6F60-4c40-960F-E779AD7E7FEB}.exe
File created	C:\Windows\{05E47073-7EE4-4e62-B5E8-0411D4CAF67E}.exe	{BDD19D12-76F4-42ec-9CDE-F3C78CCFB5C1}.exe
File created	C:\Windows\{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe	{1D569F32-E90F-41da-998E-41D47DEF8546}.exe
File created	C:\Windows\{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe	{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe
File created	C:\Windows\{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe	{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe
File created	C:\Windows\{C309B17A-6F60-4c40-960F-E779AD7E7FEB}.exe	{9B45112E-9692-4e42-A4A5-4454574A2443}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	840	2024-04-28_d2e6f3dc14c368fdcbce17c2bff90099_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4972	{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe
Token: SeIncBasePriorityPrivilege	3392	{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe
Token: SeIncBasePriorityPrivilege	364	{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe
Token: SeIncBasePriorityPrivilege	908	{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe
Token: SeIncBasePriorityPrivilege	1268	{1D569F32-E90F-41da-998E-41D47DEF8546}.exe
Token: SeIncBasePriorityPrivilege	2752	{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe
Token: SeIncBasePriorityPrivilege	4672	{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe
Token: SeIncBasePriorityPrivilege	1108	{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe
Token: SeIncBasePriorityPrivilege	1376	{9B45112E-9692-4e42-A4A5-4454574A2443}.exe
Token: SeIncBasePriorityPrivilege	1996	{C309B17A-6F60-4c40-960F-E779AD7E7FEB}.exe
Token: SeIncBasePriorityPrivilege	4200	{BDD19D12-76F4-42ec-9CDE-F3C78CCFB5C1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 4972	840	2024-04-28_d2e6f3dc14c368fdcbce17c2bff90099_goldeneye.exe	86
PID 840 wrote to memory of 4972	840	2024-04-28_d2e6f3dc14c368fdcbce17c2bff90099_goldeneye.exe	86
PID 840 wrote to memory of 4972	840	2024-04-28_d2e6f3dc14c368fdcbce17c2bff90099_goldeneye.exe	86
PID 840 wrote to memory of 4976	840	2024-04-28_d2e6f3dc14c368fdcbce17c2bff90099_goldeneye.exe	87
PID 840 wrote to memory of 4976	840	2024-04-28_d2e6f3dc14c368fdcbce17c2bff90099_goldeneye.exe	87
PID 840 wrote to memory of 4976	840	2024-04-28_d2e6f3dc14c368fdcbce17c2bff90099_goldeneye.exe	87
PID 4972 wrote to memory of 3392	4972	{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe	88
PID 4972 wrote to memory of 3392	4972	{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe	88
PID 4972 wrote to memory of 3392	4972	{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe	88
PID 4972 wrote to memory of 2512	4972	{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe	89
PID 4972 wrote to memory of 2512	4972	{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe	89
PID 4972 wrote to memory of 2512	4972	{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe	89
PID 3392 wrote to memory of 364	3392	{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe	92
PID 3392 wrote to memory of 364	3392	{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe	92
PID 3392 wrote to memory of 364	3392	{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe	92
PID 3392 wrote to memory of 1936	3392	{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe	93
PID 3392 wrote to memory of 1936	3392	{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe	93
PID 3392 wrote to memory of 1936	3392	{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe	93
PID 364 wrote to memory of 908	364	{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe	98
PID 364 wrote to memory of 908	364	{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe	98
PID 364 wrote to memory of 908	364	{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe	98
PID 364 wrote to memory of 2212	364	{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe	99
PID 364 wrote to memory of 2212	364	{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe	99
PID 364 wrote to memory of 2212	364	{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe	99
PID 908 wrote to memory of 1268	908	{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe	101
PID 908 wrote to memory of 1268	908	{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe	101
PID 908 wrote to memory of 1268	908	{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe	101
PID 908 wrote to memory of 1008	908	{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe	102
PID 908 wrote to memory of 1008	908	{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe	102
PID 908 wrote to memory of 1008	908	{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe	102
PID 1268 wrote to memory of 2752	1268	{1D569F32-E90F-41da-998E-41D47DEF8546}.exe	105
PID 1268 wrote to memory of 2752	1268	{1D569F32-E90F-41da-998E-41D47DEF8546}.exe	105
PID 1268 wrote to memory of 2752	1268	{1D569F32-E90F-41da-998E-41D47DEF8546}.exe	105
PID 1268 wrote to memory of 3404	1268	{1D569F32-E90F-41da-998E-41D47DEF8546}.exe	106
PID 1268 wrote to memory of 3404	1268	{1D569F32-E90F-41da-998E-41D47DEF8546}.exe	106
PID 1268 wrote to memory of 3404	1268	{1D569F32-E90F-41da-998E-41D47DEF8546}.exe	106
PID 2752 wrote to memory of 4672	2752	{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe	107
PID 2752 wrote to memory of 4672	2752	{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe	107
PID 2752 wrote to memory of 4672	2752	{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe	107
PID 2752 wrote to memory of 4332	2752	{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe	108
PID 2752 wrote to memory of 4332	2752	{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe	108
PID 2752 wrote to memory of 4332	2752	{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe	108
PID 4672 wrote to memory of 1108	4672	{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe	109
PID 4672 wrote to memory of 1108	4672	{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe	109
PID 4672 wrote to memory of 1108	4672	{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe	109
PID 4672 wrote to memory of 3160	4672	{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe	110
PID 4672 wrote to memory of 3160	4672	{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe	110
PID 4672 wrote to memory of 3160	4672	{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe	110
PID 1108 wrote to memory of 1376	1108	{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe	111
PID 1108 wrote to memory of 1376	1108	{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe	111
PID 1108 wrote to memory of 1376	1108	{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe	111
PID 1108 wrote to memory of 840	1108	{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe	112
PID 1108 wrote to memory of 840	1108	{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe	112
PID 1108 wrote to memory of 840	1108	{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe	112
PID 1376 wrote to memory of 1996	1376	{9B45112E-9692-4e42-A4A5-4454574A2443}.exe	113
PID 1376 wrote to memory of 1996	1376	{9B45112E-9692-4e42-A4A5-4454574A2443}.exe	113
PID 1376 wrote to memory of 1996	1376	{9B45112E-9692-4e42-A4A5-4454574A2443}.exe	113
PID 1376 wrote to memory of 3496	1376	{9B45112E-9692-4e42-A4A5-4454574A2443}.exe	114
PID 1376 wrote to memory of 3496	1376	{9B45112E-9692-4e42-A4A5-4454574A2443}.exe	114
PID 1376 wrote to memory of 3496	1376	{9B45112E-9692-4e42-A4A5-4454574A2443}.exe	114
PID 1996 wrote to memory of 4200	1996	{C309B17A-6F60-4c40-960F-E779AD7E7FEB}.exe	115
PID 1996 wrote to memory of 4200	1996	{C309B17A-6F60-4c40-960F-E779AD7E7FEB}.exe	115
PID 1996 wrote to memory of 4200	1996	{C309B17A-6F60-4c40-960F-E779AD7E7FEB}.exe	115
PID 1996 wrote to memory of 4972	1996	{C309B17A-6F60-4c40-960F-E779AD7E7FEB}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-04-28_d2e6f3dc14c368fdcbce17c2bff90099_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_d2e6f3dc14c368fdcbce17c2bff90099_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe
  C:\Windows\{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe
    C:\Windows\{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe
      C:\Windows\{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:364
    - - C:\Windows\{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe
        
        C:\Windows\{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:908
      - C:\Windows\{1D569F32-E90F-41da-998E-41D47DEF8546}.exe
        
        C:\Windows\{1D569F32-E90F-41da-998E-41D47DEF8546}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe
        
        C:\Windows\{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe
        
        C:\Windows\{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe
        
        C:\Windows\{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\{9B45112E-9692-4e42-A4A5-4454574A2443}.exe
        
        C:\Windows\{9B45112E-9692-4e42-A4A5-4454574A2443}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\{C309B17A-6F60-4c40-960F-E779AD7E7FEB}.exe
        
        C:\Windows\{C309B17A-6F60-4c40-960F-E779AD7E7FEB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{BDD19D12-76F4-42ec-9CDE-F3C78CCFB5C1}.exe
        
        C:\Windows\{BDD19D12-76F4-42ec-9CDE-F3C78CCFB5C1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
        
        C:\Windows\{05E47073-7EE4-4e62-B5E8-0411D4CAF67E}.exe
        
        C:\Windows\{05E47073-7EE4-4e62-B5E8-0411D4CAF67E}.exe
        13⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDD19~1.EXE > nul
        13⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C309B~1.EXE > nul
        12⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B451~1.EXE > nul
        11⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A834~1.EXE > nul
        10⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D742~1.EXE > nul
        9⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8626~1.EXE > nul
        8⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D569~1.EXE > nul
        7⤵
        
        PID:3404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D06F2~1.EXE > nul
        6⤵
        
        PID:1008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88EAC~1.EXE > nul
        5⤵
        
        PID:2212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4D90D~1.EXE > nul
      4⤵
      PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3A5F2~1.EXE > nul
    3⤵
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05E47073-7EE4-4e62-B5E8-0411D4CAF67E}.exe

Filesize
204KB

MD5
0a28cad265b29fc38889022373c4d76f

SHA1
8da2250ef94a857c9da9936c3d5d6d5b31979ef2

SHA256
3afd419035ec1afb201212c7990c4d3d071abd49dab7b3c811fa3cdd40c496f0

SHA512
181a9b2fd5a84dd05c045755e226d857d9702d15f321d37fe8399f2967369918cd7e2c7d098901018d5c796ecae716b7c82f11fbcd2efad2f42e4ccef26db744

Download Submit
C:\Windows\{1D569F32-E90F-41da-998E-41D47DEF8546}.exe

Filesize
204KB

MD5
6cb9bbd95562beab62a9195e63ac4b49

SHA1
334082f3742f7e81883f1b02f4577a92134dea59

SHA256
f4b87aecfafb25cc7ffc24cca7709032a263ade9a172df8bccc11ba3a03e9c09

SHA512
1ffec413a1304f8d3f650f7672d330cf413996b58060c08aa0d5dadf7d85664c6107d59e4a5238efd0070ce4afec910844aab0d567d4bcd7e16eb9c72d28166f

Download Submit
C:\Windows\{3A5F236D-D8FE-4c89-B792-DD359D196FD5}.exe

Filesize
204KB

MD5
3b75d7af83a67de03b766632ea831b53

SHA1
a5fcab9540cead0ae30db4d41f1da3ccffed4786

SHA256
7da150025ae752c16d7447a8e1888c04246ddf763d76df075896ffb0827b6d6c

SHA512
010d21dc8047e77999d51978f367beb5fcd92fa4a0a4999444e76760d14b9128bbdd67ae61f196897ab80f7529b6f14e3b0e23c3741c6d7dac8fc0ca92de6a00

Download Submit
C:\Windows\{4D90DFE2-5279-498c-8B26-88C130BC4C85}.exe

Filesize
204KB

MD5
44a11a3091a90d03bf33a74b1f047df8

SHA1
4cf6ed8098d1a61ce22cb20ecbb5ff9557aa9b38

SHA256
f348425ec6cd4659cda2d69adf505552ccfbacb170e7ca7576d26dd8b96b70a4

SHA512
b7b07b3cab16a822697292052cb30e3914715bb5c16c25f57b8a090ff7a932006bf50fd6738ec900a2d20c36123652b40b952a1feed4afa4da5fd305462173a9

Download Submit
C:\Windows\{5D742DFE-13D6-4614-A58B-76FC19F9B9A1}.exe

Filesize
204KB

MD5
75201a6d5df20f4ac95e6fc538529780

SHA1
418fbbb03202164a1d380443bb4371c91ddfcd3e

SHA256
7127414e94b916c19a731d9b900d3788c60ff7086e0a0334396598933577f1f2

SHA512
f9385cd4c39d8b60aaf1dbb52628cadcb093b84604c23c30ffc4d27d791ac1985d3827490c2d42671aae471a0dcc5b49f8d22182ef38f81c2c820ec5880b8e82

Download Submit
C:\Windows\{88EAC0BC-98F6-4da4-B0E9-D2E80DE9F3D0}.exe

Filesize
204KB

MD5
af64dea2d3cdf5a0aff534eea0d7782c

SHA1
5a71d9a115688cf62f3827ae847eba6ddc454789

SHA256
b2b705cb47ae8e48850263ebc009cd9210ddc2bb3287f1709d6fb8e1baa7ae7b

SHA512
84c673611ad1b4849a35f764d07f1287751b89c2ac7c39cef13724b3aca6d1eaf5cd3f3bfc9cd9f0e57270140fed6b9ccf73eee62d51023d2b0306b2291db062

Download Submit
C:\Windows\{8A8346B2-3CDF-4169-84FC-AB3C9C54DEFA}.exe

Filesize
204KB

MD5
6b9a820aaa4d0f88f20be934ada0d9c1

SHA1
37f21fe36100816a5b0a2d7eacc00d6f8e45b4f0

SHA256
aaaf661aa9d8c9616b97269821cf7158eb062cc2273aa00ffb24f89a4daf202f

SHA512
27796a8737e357d2d8e2556e66ae0d6a84fb1b5151159533d1f55cbe3c85513b30616f422078978e292d2726918db262117ba48910f1c7693999e8ed99f9710a

Download Submit
C:\Windows\{9B45112E-9692-4e42-A4A5-4454574A2443}.exe

Filesize
204KB

MD5
4bf2030f533511e7fc156d68cfd6b1be

SHA1
83341207f7bdfdb7a7d0bb80621ea7d348ed1f28

SHA256
dbab024e848f4a627d32d5bb9ebb464407ba857de088022b3c8b73c023d563d9

SHA512
3d0c05a9e575aa558916c4744c46bcdc4707919936e2868bbf0d2f345d0a1295f6b91772df3fd160d526af0565aa8d6141029739d15392264e176fbb3c14bb57

Download Submit
C:\Windows\{BDD19D12-76F4-42ec-9CDE-F3C78CCFB5C1}.exe

Filesize
204KB

MD5
a8ecde6c4b96f94a832c1cf2c24115a6

SHA1
6e3c53f1d0c6c579502c51559359cde3c0865912

SHA256
c3cf5649f64a033bd790d9b4e9ec9cd97580ce81517a7de36823efcba3310e60

SHA512
ae7d92b02227bc456e902f3a1bb24f911737a05b5888ae71ed653e87df9234c1f788df5ae1aa6efb53eb7a2c1ad9eb0b8cc7e04a667845fef27ae327b4dc5ed1

Download Submit
C:\Windows\{C309B17A-6F60-4c40-960F-E779AD7E7FEB}.exe

Filesize
204KB

MD5
bd116d5cca1d5d872174cbd9b81e008b

SHA1
5294290f1255995ab90179df29caf78e1db1e1bc

SHA256
4a29c9617463cf8d1027fedfd0a5d6202ea89b3f2a35472267204f4816163878

SHA512
c0eaa026f5fb788c3720bc218e67c05ddfa97bbf7ecf583a1347ca50595ff94007c8934027badb94497fec666b929bad4b0672660b42593a9d2b5a118086d14f

Download Submit
C:\Windows\{C8626F62-7A8B-4cca-AA07-BDFE45C5A8EE}.exe

Filesize
204KB

MD5
35ccab12fc37d072e6d73c5aadb7f0c2

SHA1
10175ec8bc90fc451f9ad02a8fdaa2e66ceb4036

SHA256
cf23728f9ce291b0902badba7abc987d2cab2d04f73b2dfb30afc4f14ff84c11

SHA512
a40d69b0f2717a1294659497feb1592717bcac2b95ff31c92bc2edafbcecf6a7276a2788576575c29b72045ae64d90ec2a0ecc46eb9a1def07d6a70576780349

Download Submit
C:\Windows\{D06F20C1-9F4B-4204-9633-BDE7111476D5}.exe

Filesize
204KB

MD5
341fe97d4a1ad6af9b959d5331ecd919

SHA1
f61bee66cf48c090cc5e30c7bb5259adfadc09eb

SHA256
ce25fac9df31b35b42b0f7cf3752f9504ab545a5bf83a292276e811cb2cafa58

SHA512
74bb8bd531288fab3233ab14ad2bc3716889896961df6487f6eeb20e94939e1f5b82993f77785d31c9b48c8dc10bc5d95b258b7040e424bdc05734b64ade7577

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads