10d8516c2cd4b5ad123fa7af70110e95e94dffc037d2c6c7a7957d6088eb462d

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe
Size

344KB
MD5

4c435e98215bb9f0742fc1bf1136b642
SHA1

f268d679c2fce6b8d86045fc8d52577ec381582e
SHA256

10d8516c2cd4b5ad123fa7af70110e95e94dffc037d2c6c7a7957d6088eb462d
SHA512

1ba4b7ab531d23b30e6d6a78a6a0971bd75a1d14d9c61ebda88b56265f2904c0f840a0d3d27d62e84e7dc62e4553375f832e79d7efef0fef5da50616e3c4dba2
SSDEEP

3072:mEGh0o/lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG9lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023ba4-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023ba5-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023ba9-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023bac-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023bb8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023bac-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023bb8-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023bac-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023bb8-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023bac-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023bb8-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023bac-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD6DA166-412E-49fd-9165-C31F3BF63EA3}\stubpath = "C:\\Windows\\{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe"	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}	{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}	{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAAD5044-3A56-4150-9CED-890EDD31E903}\stubpath = "C:\\Windows\\{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe"	{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92896F09-C150-4981-9F0A-930D2E27529C}\stubpath = "C:\\Windows\\{92896F09-C150-4981-9F0A-930D2E27529C}.exe"	{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DC02D53-988B-4c27-AC1D-849765EC7EE9}\stubpath = "C:\\Windows\\{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe"	{92896F09-C150-4981-9F0A-930D2E27529C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD6DA166-412E-49fd-9165-C31F3BF63EA3}	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}\stubpath = "C:\\Windows\\{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe"	{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}\stubpath = "C:\\Windows\\{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe"	{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAAD5044-3A56-4150-9CED-890EDD31E903}	{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DC02D53-988B-4c27-AC1D-849765EC7EE9}	{92896F09-C150-4981-9F0A-930D2E27529C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}\stubpath = "C:\\Windows\\{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe"	{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C07D59EE-8A25-484f-AEA3-1E415723FECA}	{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ED69046-5317-495a-A8E6-896DFC573B0C}\stubpath = "C:\\Windows\\{7ED69046-5317-495a-A8E6-896DFC573B0C}.exe"	{C07D59EE-8A25-484f-AEA3-1E415723FECA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}	{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}	{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}\stubpath = "C:\\Windows\\{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe"	{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}	{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}\stubpath = "C:\\Windows\\{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}.exe"	{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ED69046-5317-495a-A8E6-896DFC573B0C}	{C07D59EE-8A25-484f-AEA3-1E415723FECA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}\stubpath = "C:\\Windows\\{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe"	{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92896F09-C150-4981-9F0A-930D2E27529C}	{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}	{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C07D59EE-8A25-484f-AEA3-1E415723FECA}\stubpath = "C:\\Windows\\{C07D59EE-8A25-484f-AEA3-1E415723FECA}.exe"	{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}.exe

Executes dropped EXE 12 IoCs

pid	Process
3848	{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe
4320	{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe
3580	{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe
2908	{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe
2968	{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe
2460	{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe
632	{92896F09-C150-4981-9F0A-930D2E27529C}.exe
4072	{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe
1240	{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe
2400	{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}.exe
3384	{C07D59EE-8A25-484f-AEA3-1E415723FECA}.exe
2204	{7ED69046-5317-495a-A8E6-896DFC573B0C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe	{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe
File created	C:\Windows\{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe	{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe
File created	C:\Windows\{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe	{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe
File created	C:\Windows\{92896F09-C150-4981-9F0A-930D2E27529C}.exe	{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe
File created	C:\Windows\{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe	{92896F09-C150-4981-9F0A-930D2E27529C}.exe
File created	C:\Windows\{7ED69046-5317-495a-A8E6-896DFC573B0C}.exe	{C07D59EE-8A25-484f-AEA3-1E415723FECA}.exe
File created	C:\Windows\{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe
File created	C:\Windows\{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe	{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe
File created	C:\Windows\{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}.exe	{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe
File created	C:\Windows\{C07D59EE-8A25-484f-AEA3-1E415723FECA}.exe	{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}.exe
File created	C:\Windows\{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe	{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe
File created	C:\Windows\{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe	{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4884	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3848	{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe
Token: SeIncBasePriorityPrivilege	4320	{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe
Token: SeIncBasePriorityPrivilege	3580	{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe
Token: SeIncBasePriorityPrivilege	2908	{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe
Token: SeIncBasePriorityPrivilege	2968	{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe
Token: SeIncBasePriorityPrivilege	2460	{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe
Token: SeIncBasePriorityPrivilege	632	{92896F09-C150-4981-9F0A-930D2E27529C}.exe
Token: SeIncBasePriorityPrivilege	4072	{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe
Token: SeIncBasePriorityPrivilege	1240	{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe
Token: SeIncBasePriorityPrivilege	2400	{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}.exe
Token: SeIncBasePriorityPrivilege	3384	{C07D59EE-8A25-484f-AEA3-1E415723FECA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 3848	4884	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe	88
PID 4884 wrote to memory of 3848	4884	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe	88
PID 4884 wrote to memory of 3848	4884	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe	88
PID 4884 wrote to memory of 4668	4884	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe	89
PID 4884 wrote to memory of 4668	4884	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe	89
PID 4884 wrote to memory of 4668	4884	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe	89
PID 3848 wrote to memory of 4320	3848	{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe	90
PID 3848 wrote to memory of 4320	3848	{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe	90
PID 3848 wrote to memory of 4320	3848	{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe	90
PID 3848 wrote to memory of 928	3848	{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe	91
PID 3848 wrote to memory of 928	3848	{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe	91
PID 3848 wrote to memory of 928	3848	{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe	91
PID 4320 wrote to memory of 3580	4320	{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe	94
PID 4320 wrote to memory of 3580	4320	{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe	94
PID 4320 wrote to memory of 3580	4320	{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe	94
PID 4320 wrote to memory of 4524	4320	{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe	95
PID 4320 wrote to memory of 4524	4320	{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe	95
PID 4320 wrote to memory of 4524	4320	{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe	95
PID 3580 wrote to memory of 2908	3580	{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe	100
PID 3580 wrote to memory of 2908	3580	{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe	100
PID 3580 wrote to memory of 2908	3580	{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe	100
PID 3580 wrote to memory of 2424	3580	{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe	101
PID 3580 wrote to memory of 2424	3580	{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe	101
PID 3580 wrote to memory of 2424	3580	{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe	101
PID 2908 wrote to memory of 2968	2908	{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe	103
PID 2908 wrote to memory of 2968	2908	{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe	103
PID 2908 wrote to memory of 2968	2908	{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe	103
PID 2908 wrote to memory of 4940	2908	{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe	104
PID 2908 wrote to memory of 4940	2908	{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe	104
PID 2908 wrote to memory of 4940	2908	{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe	104
PID 2968 wrote to memory of 2460	2968	{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe	107
PID 2968 wrote to memory of 2460	2968	{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe	107
PID 2968 wrote to memory of 2460	2968	{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe	107
PID 2968 wrote to memory of 2348	2968	{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe	108
PID 2968 wrote to memory of 2348	2968	{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe	108
PID 2968 wrote to memory of 2348	2968	{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe	108
PID 2460 wrote to memory of 632	2460	{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe	109
PID 2460 wrote to memory of 632	2460	{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe	109
PID 2460 wrote to memory of 632	2460	{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe	109
PID 2460 wrote to memory of 3320	2460	{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe	110
PID 2460 wrote to memory of 3320	2460	{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe	110
PID 2460 wrote to memory of 3320	2460	{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe	110
PID 632 wrote to memory of 4072	632	{92896F09-C150-4981-9F0A-930D2E27529C}.exe	111
PID 632 wrote to memory of 4072	632	{92896F09-C150-4981-9F0A-930D2E27529C}.exe	111
PID 632 wrote to memory of 4072	632	{92896F09-C150-4981-9F0A-930D2E27529C}.exe	111
PID 632 wrote to memory of 3772	632	{92896F09-C150-4981-9F0A-930D2E27529C}.exe	112
PID 632 wrote to memory of 3772	632	{92896F09-C150-4981-9F0A-930D2E27529C}.exe	112
PID 632 wrote to memory of 3772	632	{92896F09-C150-4981-9F0A-930D2E27529C}.exe	112
PID 4072 wrote to memory of 1240	4072	{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe	113
PID 4072 wrote to memory of 1240	4072	{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe	113
PID 4072 wrote to memory of 1240	4072	{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe	113
PID 4072 wrote to memory of 212	4072	{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe	114
PID 4072 wrote to memory of 212	4072	{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe	114
PID 4072 wrote to memory of 212	4072	{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe	114
PID 1240 wrote to memory of 2400	1240	{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe	115
PID 1240 wrote to memory of 2400	1240	{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe	115
PID 1240 wrote to memory of 2400	1240	{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe	115
PID 1240 wrote to memory of 2744	1240	{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe	116
PID 1240 wrote to memory of 2744	1240	{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe	116
PID 1240 wrote to memory of 2744	1240	{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe	116
PID 2400 wrote to memory of 3384	2400	{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}.exe	117
PID 2400 wrote to memory of 3384	2400	{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}.exe	117
PID 2400 wrote to memory of 3384	2400	{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}.exe	117
PID 2400 wrote to memory of 216	2400	{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe
  C:\Windows\{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe
    C:\Windows\{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Windows\{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe
      C:\Windows\{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\Windows\{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe
        
        C:\Windows\{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe
        
        C:\Windows\{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe
        
        C:\Windows\{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{92896F09-C150-4981-9F0A-930D2E27529C}.exe
        
        C:\Windows\{92896F09-C150-4981-9F0A-930D2E27529C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe
        
        C:\Windows\{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe
        
        C:\Windows\{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}.exe
        
        C:\Windows\{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\{C07D59EE-8A25-484f-AEA3-1E415723FECA}.exe
        
        C:\Windows\{C07D59EE-8A25-484f-AEA3-1E415723FECA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
        
        C:\Windows\{7ED69046-5317-495a-A8E6-896DFC573B0C}.exe
        
        C:\Windows\{7ED69046-5317-495a-A8E6-896DFC573B0C}.exe
        13⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C07D5~1.EXE > nul
        13⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D11B~1.EXE > nul
        12⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE678~1.EXE > nul
        11⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DC02~1.EXE > nul
        10⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92896~1.EXE > nul
        9⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07862~1.EXE > nul
        8⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAAD5~1.EXE > nul
        7⤵
        
        PID:2348
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ED6D~1.EXE > nul
        6⤵
        
        PID:4940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC25A~1.EXE > nul
        5⤵
        
        PID:2424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A58BD~1.EXE > nul
      4⤵
      PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AD6DA~1.EXE > nul
    3⤵
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07862689-9B2E-4bc7-8EA6-C14B3348B6D8}.exe

Filesize
344KB

MD5
d84e70ce84430b9995384795eadf1902

SHA1
237e0b001546cecba6343125422d1814e3e6df95

SHA256
7b2126fe1f2967aeddea94ea1556c7a962ae4e976145ab091f1377aabe93b53c

SHA512
ca9802e03a0a4e792527ab7466c46e4f4768e1716ef1bf3b49b9ff7d406202b8abb9255fe27b69cd2cbe8e5f7357a321e5c79ddf28ec6fc9fb84f06e790c39b8

Download Submit
C:\Windows\{3ED6D08B-8CA0-43fd-8E0C-DC7BC7E2A52B}.exe

Filesize
344KB

MD5
abf410fb0aaf7d4527d49c42b4d06b1a

SHA1
66b7e9c791d144be9f41b3198b107741f3af7c7f

SHA256
084394e13656a5026a72c4675731126bccf42473be20d7e2b9a234001ffa0d81

SHA512
bc597ef50eb2cd31922d39d782a6ef8ab9e125bcd4328e53fd69b938344661f12c1d965991c7c1c460b8487dbc17cec044dadea2612b6a0b76c910b7f7be7209

Download Submit
C:\Windows\{7D11BEA0-23F9-4944-BF48-4AA6018CFD52}.exe

Filesize
344KB

MD5
76c206f8c5ef218afc71444ae0b749ea

SHA1
d303b062b2e38626b9991ab6cfe2bca0878c10fa

SHA256
15a2fe885c4856a1c49cd1c558ae3f03b3e768ed84e2aef36ca8b4323ad2af95

SHA512
7a6e647f2fddecf170108f85134cb7856f9cb69425cd2c10c51ba9a2ff63093124b21d76297cd6c725d5ad2b9d5982433f5828cb89e2afc222bdf360a0b6ed15

Download Submit
C:\Windows\{7ED69046-5317-495a-A8E6-896DFC573B0C}.exe

Filesize
344KB

MD5
c1713570e662191a7805ed5da15acef7

SHA1
fceea611b70866f1ed38b24f13c257c8c7c7dcfd

SHA256
ed0ca0d99bc9ccab3a0b091f9363b31b42ac368d0fc86c913a5ccbdb020f6b09

SHA512
7af0324557b3f805cfdf76dce18481761c3ac1379889bb069b1e22d0daa98d001b9341a1caaecb5f2f84cbc0074318b8dd1944d5d1509bae252b5fa6c923d10d

Download Submit
C:\Windows\{92896F09-C150-4981-9F0A-930D2E27529C}.exe

Filesize
344KB

MD5
8c186be9e5926bd81efa816ef6c19665

SHA1
54385c4b77ffd7b96f73343186913ba6fe4f203b

SHA256
3fe1f7c56b9fca7fd6a9205fe2d9b0a5deebeed4eb2011110021b95cfbca01bc

SHA512
d8ec8993fff327d7b119e72895f54fe892d624cb3add90111d338d32094813951e1f2b8006e7fba04d2e7cb2d19903f59f934f6d97f05bee96eccc2d933c4a4f

Download Submit
C:\Windows\{9DC02D53-988B-4c27-AC1D-849765EC7EE9}.exe

Filesize
344KB

MD5
4443d490f18da220fcb92204f33710d5

SHA1
6c9d553f0070d99c6f247a45666606c5a882dfd9

SHA256
3ac5ad801adc2fdce52ade7313bcfbe7382b6bc3a275f9cce9f32343f5c7d57e

SHA512
7f4c24d760f74aee44df0ccfaa626483d39a03061b9ff4241324a8f29dfa312fd9d143d7b32b4429f12719acaad3b7d5bba90ccd382e87e9ef644e7455af0c06

Download Submit
C:\Windows\{A58BD7FC-B331-434e-A0B7-43F97E47ADE7}.exe

Filesize
344KB

MD5
65c793e78f1a249a50fed3638cc2372a

SHA1
7b3220aa87ce9cd2ced6b2e70c2ad2584bf85787

SHA256
1d0f86110d91a1773a0845fb6f2a26f3ae6605f64a8c13643811df0609c2e242

SHA512
2c8f49afc4958170e901b373444178905e4622d2025afd2d7d2dc48e10d67c0e0b0f53064b2dec920ce7d7aca27ce9f55351122942e4101feaf42fbe5690d56d

Download Submit
C:\Windows\{AD6DA166-412E-49fd-9165-C31F3BF63EA3}.exe

Filesize
344KB

MD5
de0fe05edd83059f3da9d9ab42185f30

SHA1
101d75bd4168299c47623d53ab0e676c12eacf3a

SHA256
5805948c2d1bb57453c51263d07e1480cd81351c473dbf5376a54341cfea5441

SHA512
04cf928ab0b1ec9c0994505140d133d5893497535afa0669587de9982b8b036cad1f5504a1180e5e4e9990737ab779beb843bce9333f669f52221d86a2b7c128

Download Submit
C:\Windows\{AE678F44-9B14-4e4f-8E3A-F738CB9A9FE4}.exe

Filesize
344KB

MD5
c2e7d00f87ffa625751e66d3eebf8c33

SHA1
4a31bcca49c34bccd08e332dea7c0317b6ad4ca2

SHA256
c3916a199f49c65ffbde34135cdbf1f5b3dbdfe76103c38780794ad39e2244b3

SHA512
52e41da8d3282f90575fc9db4e52eaa864513f6c9157d3e0870ff4760564530a3e8ec2607b87de0594c01a790e99dd23355e102f34b75070608fac4907042eb3

Download Submit
C:\Windows\{BC25AAB5-FFA0-4eb1-A23C-C664F4D2FE10}.exe

Filesize
344KB

MD5
6345cb8d415e1c557d0e411dfecc8739

SHA1
f7f6dafc44d9d653a68ac24a0e9c4a02717bd400

SHA256
92e832bd5437dab6a4def23c58155c7ef88f538c9dc14ccf0cc4ee0db1c0c633

SHA512
7660be45bb772206a47b4961948df52c2e512ae117634af3307e61a7e184a4a96c68a8d459bd8f7982dcea985fbc9388cb55106832f078c0488cb6ab8a9fb973

Download Submit
C:\Windows\{C07D59EE-8A25-484f-AEA3-1E415723FECA}.exe

Filesize
344KB

MD5
732707753b329a99cee8c8334b14ec1e

SHA1
1cbe99e6a1fbc7daaa57b4e1d85436eb8b5d9276

SHA256
c5a88c74a337ea8a1bf0a6ab74dd271c555f932ac20a8b0d6b65ee0fd5d5e233

SHA512
90df7c3e256338e0a71d958f27a628188a9260a3528d1b7d5d21897a2011b7e8a3c84a62e0c2d4faa0b3f65aed7356dc884817398cf3f8d84d47a77d09e13c99

Download Submit
C:\Windows\{DAAD5044-3A56-4150-9CED-890EDD31E903}.exe

Filesize
344KB

MD5
7e6f677db2da881305ee47849751fbdf

SHA1
ac2d4b07d001517b27936bbf47dfa98067d75ae0

SHA256
c2366b97e8de8539dd669998f4a238d5e35708f5378a16a31fbfc81c55b02ded

SHA512
9936e8be595eac4e5d895380575883b5ad0e57b831a4a317e42568b4723ba680c195a2f626e8d560381241ecd3e1bfc6e0b0713278d990f99ba9c976b5a8dec5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads