6bb8777789b11b512c70e92d6c732fbf088960cbca26097e5cf473f9d1dc4b37

Analysis

max time kernel
149s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe
Size

168KB
MD5

5d584b36a8e3e14c4cc713e0a6f40fa9
SHA1

3b7e3b31e01e28db83a840293c80edc72d4a5c99
SHA256

6bb8777789b11b512c70e92d6c732fbf088960cbca26097e5cf473f9d1dc4b37
SHA512

e9db19ad1ce146ef547ec8d78a8422b36e3f782b185c27b65c4648244e25096da520ce722c21e515dbb3dcfefd40260fefc24ab4f5fc4a0226760494b8f2c806
SSDEEP

1536:1EGh0o1lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o1lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b96-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b97-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00190000000239ca-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023a49-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023b9e-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023a13-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0027000000023a40-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0014000000023a13-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0028000000023a40-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0015000000023a13-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0029000000023a40-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0016000000023a13-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB856ED-A194-47b8-AA3F-B7A092D868CF}\stubpath = "C:\\Windows\\{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe"	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}	{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD392AB2-DD51-47b9-B021-B881653B3B89}	{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD392AB2-DD51-47b9-B021-B881653B3B89}\stubpath = "C:\\Windows\\{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe"	{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A984D524-3E8C-4308-A97E-35B5A4DC7073}	{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70443D5D-FC5B-48ef-B202-648A032EF4BC}\stubpath = "C:\\Windows\\{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe"	{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}	{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}\stubpath = "C:\\Windows\\{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe"	{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}	{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A984D524-3E8C-4308-A97E-35B5A4DC7073}\stubpath = "C:\\Windows\\{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe"	{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70443D5D-FC5B-48ef-B202-648A032EF4BC}	{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B73CD98-67AE-4450-B803-0F7D9E244CF1}	{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}\stubpath = "C:\\Windows\\{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe"	{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}	{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}\stubpath = "C:\\Windows\\{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}.exe"	{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D4C17DF-27D7-4c98-B48F-3E8C32150451}\stubpath = "C:\\Windows\\{6D4C17DF-27D7-4c98-B48F-3E8C32150451}.exe"	{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A492359B-111E-46c2-926C-7612D11040C1}	{6D4C17DF-27D7-4c98-B48F-3E8C32150451}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB856ED-A194-47b8-AA3F-B7A092D868CF}	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9E126B1-B9C1-4745-83AB-8CCB1457E553}	{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9E126B1-B9C1-4745-83AB-8CCB1457E553}\stubpath = "C:\\Windows\\{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe"	{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B73CD98-67AE-4450-B803-0F7D9E244CF1}\stubpath = "C:\\Windows\\{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe"	{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}\stubpath = "C:\\Windows\\{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe"	{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D4C17DF-27D7-4c98-B48F-3E8C32150451}	{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A492359B-111E-46c2-926C-7612D11040C1}\stubpath = "C:\\Windows\\{A492359B-111E-46c2-926C-7612D11040C1}.exe"	{6D4C17DF-27D7-4c98-B48F-3E8C32150451}.exe

Executes dropped EXE 12 IoCs

pid	Process
4332	{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe
696	{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe
1604	{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe
2568	{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe
1412	{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe
4168	{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe
5088	{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe
2544	{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe
3680	{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe
4332	{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}.exe
3332	{6D4C17DF-27D7-4c98-B48F-3E8C32150451}.exe
1108	{A492359B-111E-46c2-926C-7612D11040C1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe	{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe
File created	C:\Windows\{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe	{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe
File created	C:\Windows\{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe	{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe
File created	C:\Windows\{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe	{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe
File created	C:\Windows\{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe
File created	C:\Windows\{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe	{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe
File created	C:\Windows\{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe	{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe
File created	C:\Windows\{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe	{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe
File created	C:\Windows\{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}.exe	{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe
File created	C:\Windows\{6D4C17DF-27D7-4c98-B48F-3E8C32150451}.exe	{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}.exe
File created	C:\Windows\{A492359B-111E-46c2-926C-7612D11040C1}.exe	{6D4C17DF-27D7-4c98-B48F-3E8C32150451}.exe
File created	C:\Windows\{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe	{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2836	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4332	{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe
Token: SeIncBasePriorityPrivilege	696	{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe
Token: SeIncBasePriorityPrivilege	1604	{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe
Token: SeIncBasePriorityPrivilege	2568	{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe
Token: SeIncBasePriorityPrivilege	1412	{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe
Token: SeIncBasePriorityPrivilege	4168	{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe
Token: SeIncBasePriorityPrivilege	5088	{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe
Token: SeIncBasePriorityPrivilege	2544	{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe
Token: SeIncBasePriorityPrivilege	3680	{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe
Token: SeIncBasePriorityPrivilege	4332	{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}.exe
Token: SeIncBasePriorityPrivilege	3332	{6D4C17DF-27D7-4c98-B48F-3E8C32150451}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 4332	2836	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe	88
PID 2836 wrote to memory of 4332	2836	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe	88
PID 2836 wrote to memory of 4332	2836	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe	88
PID 2836 wrote to memory of 3180	2836	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe	89
PID 2836 wrote to memory of 3180	2836	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe	89
PID 2836 wrote to memory of 3180	2836	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe	89
PID 4332 wrote to memory of 696	4332	{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe	90
PID 4332 wrote to memory of 696	4332	{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe	90
PID 4332 wrote to memory of 696	4332	{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe	90
PID 4332 wrote to memory of 1428	4332	{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe	91
PID 4332 wrote to memory of 1428	4332	{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe	91
PID 4332 wrote to memory of 1428	4332	{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe	91
PID 696 wrote to memory of 1604	696	{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe	95
PID 696 wrote to memory of 1604	696	{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe	95
PID 696 wrote to memory of 1604	696	{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe	95
PID 696 wrote to memory of 2732	696	{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe	96
PID 696 wrote to memory of 2732	696	{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe	96
PID 696 wrote to memory of 2732	696	{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe	96
PID 1604 wrote to memory of 2568	1604	{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe	101
PID 1604 wrote to memory of 2568	1604	{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe	101
PID 1604 wrote to memory of 2568	1604	{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe	101
PID 1604 wrote to memory of 4996	1604	{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe	102
PID 1604 wrote to memory of 4996	1604	{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe	102
PID 1604 wrote to memory of 4996	1604	{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe	102
PID 2568 wrote to memory of 1412	2568	{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe	104
PID 2568 wrote to memory of 1412	2568	{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe	104
PID 2568 wrote to memory of 1412	2568	{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe	104
PID 2568 wrote to memory of 4800	2568	{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe	105
PID 2568 wrote to memory of 4800	2568	{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe	105
PID 2568 wrote to memory of 4800	2568	{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe	105
PID 1412 wrote to memory of 4168	1412	{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe	107
PID 1412 wrote to memory of 4168	1412	{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe	107
PID 1412 wrote to memory of 4168	1412	{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe	107
PID 1412 wrote to memory of 4448	1412	{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe	108
PID 1412 wrote to memory of 4448	1412	{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe	108
PID 1412 wrote to memory of 4448	1412	{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe	108
PID 4168 wrote to memory of 5088	4168	{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe	109
PID 4168 wrote to memory of 5088	4168	{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe	109
PID 4168 wrote to memory of 5088	4168	{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe	109
PID 4168 wrote to memory of 3508	4168	{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe	110
PID 4168 wrote to memory of 3508	4168	{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe	110
PID 4168 wrote to memory of 3508	4168	{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe	110
PID 5088 wrote to memory of 2544	5088	{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe	111
PID 5088 wrote to memory of 2544	5088	{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe	111
PID 5088 wrote to memory of 2544	5088	{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe	111
PID 5088 wrote to memory of 2836	5088	{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe	112
PID 5088 wrote to memory of 2836	5088	{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe	112
PID 5088 wrote to memory of 2836	5088	{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe	112
PID 2544 wrote to memory of 3680	2544	{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe	113
PID 2544 wrote to memory of 3680	2544	{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe	113
PID 2544 wrote to memory of 3680	2544	{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe	113
PID 2544 wrote to memory of 2284	2544	{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe	114
PID 2544 wrote to memory of 2284	2544	{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe	114
PID 2544 wrote to memory of 2284	2544	{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe	114
PID 3680 wrote to memory of 4332	3680	{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe	115
PID 3680 wrote to memory of 4332	3680	{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe	115
PID 3680 wrote to memory of 4332	3680	{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe	115
PID 3680 wrote to memory of 232	3680	{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe	116
PID 3680 wrote to memory of 232	3680	{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe	116
PID 3680 wrote to memory of 232	3680	{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe	116
PID 4332 wrote to memory of 3332	4332	{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}.exe	117
PID 4332 wrote to memory of 3332	4332	{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}.exe	117
PID 4332 wrote to memory of 3332	4332	{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}.exe	117
PID 4332 wrote to memory of 4456	4332	{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe
  C:\Windows\{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe
    C:\Windows\{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe
      C:\Windows\{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Windows\{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe
        
        C:\Windows\{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe
        
        C:\Windows\{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe
        
        C:\Windows\{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe
        
        C:\Windows\{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe
        
        C:\Windows\{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe
        
        C:\Windows\{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}.exe
        
        C:\Windows\{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\{6D4C17DF-27D7-4c98-B48F-3E8C32150451}.exe
        
        C:\Windows\{6D4C17DF-27D7-4c98-B48F-3E8C32150451}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
        
        C:\Windows\{A492359B-111E-46c2-926C-7612D11040C1}.exe
        
        C:\Windows\{A492359B-111E-46c2-926C-7612D11040C1}.exe
        13⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D4C1~1.EXE > nul
        13⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FC11~1.EXE > nul
        12⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D4D2~1.EXE > nul
        11⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B73C~1.EXE > nul
        10⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9E12~1.EXE > nul
        9⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70443~1.EXE > nul
        8⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A984D~1.EXE > nul
        7⤵
        
        PID:4448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A6CF~1.EXE > nul
        6⤵
        
        PID:4800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD392~1.EXE > nul
        5⤵
        
        PID:4996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9BF0E~1.EXE > nul
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6EB85~1.EXE > nul
    3⤵
    PID:1428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A6CF689-6E53-4a65-AEA8-E680008F2D0D}.exe

Filesize
168KB

MD5
0f6ee492f1635ad3ad68975f7031ec86

SHA1
076fb021eaf620154ae2ed725fee858517fa63c7

SHA256
f21ce61b792bd46107a314753d66f6e9a1fff30d57e7078ad44896259abf7105

SHA512
2ee6b32fc65238430dad97fff45d94715973cfb74065f6a8f264dbc02e50be918caef01a3d9ef685af66d933d72c64709d1c154f9b0759cf2e2ee2d9fb6f39ff

Download Submit
C:\Windows\{6D4C17DF-27D7-4c98-B48F-3E8C32150451}.exe

Filesize
168KB

MD5
31ea6b648240187f6dcfb43400f94f1b

SHA1
c47337c222774b796323423f77fd723f617d3ba7

SHA256
514a1774b7a3a49e1c4aea6947ce3c00ee00710a0dd71c60805ce6dc407bc4cb

SHA512
fdacf0fd74bc0b81c15775077b84ffa68a45d690ff67f5e8f12fdc267758513498b4caf37b53a43c9b6386662d2fa7d155b124e7acb1543e7c8af9fe895d333f

Download Submit
C:\Windows\{6EB856ED-A194-47b8-AA3F-B7A092D868CF}.exe

Filesize
168KB

MD5
4c2bf15d1a31cfc1e80f392f35944f61

SHA1
13be95491bfc5a6e933e7328115c91e678eebfac

SHA256
4bd8b17230e02513b530bf9676061605a5bec12f7d3479a037f0dc0f7bc0e0da

SHA512
93efbd668ece1748ce399bfb0d6b4aa241135a2e50fabcc11ccedcbae1f4aa6d3cacfde883307df9eed6698b4e95d092ea430f96d6b48eecb32d1bf657d5ccda

Download Submit
C:\Windows\{70443D5D-FC5B-48ef-B202-648A032EF4BC}.exe

Filesize
168KB

MD5
6328fb4f98b0fb3306c8845c44f0a587

SHA1
08fab82efff996e1fb9e15ff251b6c73ed47ffcb

SHA256
a6f5b49f0e90786953f9bd82bb004a52993504066355fc0d9e9ba7dfaf23a9c4

SHA512
b43024f14a429ed3fa88f63296ae429634d4d051c296ba165c2b67a0c2daaa1c014d55d5c9b199bc944e4a05a3ab3ebb49b78755a0cb27f6f874245262f7529c

Download Submit
C:\Windows\{7B73CD98-67AE-4450-B803-0F7D9E244CF1}.exe

Filesize
168KB

MD5
04a770797a847340c8f186939b4dc30c

SHA1
30a407b616363e19cc365a4979d9dd61e1d8ea91

SHA256
e7348fde3d2bc5ce55024c9c46fd3c02455034c6fc1072f9711d2425f5f4b07e

SHA512
2d6fb8426d1ce65f6f77c5f09b5b060a48940073a6db2b84af27d7559f330338e83f2545fdd80614150941b5e799b06fe1b632548197365e5ea453ebf5e9368f

Download Submit
C:\Windows\{7FC116B8-BC0D-4623-B0A1-EB8915A7A1B4}.exe

Filesize
168KB

MD5
d6242aacfccef5a81a95a1a01d9f3dfe

SHA1
8ef778be0a4577ee8511052adbf79fc54fe66075

SHA256
71675419bebc8004f23fbee81ac1d16f7cc836692101a756a3625e9732717339

SHA512
3244da83fd59972bc7fd8064be382d4eb109bdf5f947fcbc6a9e6a98eeaf94ccaba5f242dbeda11408fc05eb85c695cd3ebb33a1f1b82d420e2e629de686521a

Download Submit
C:\Windows\{8D4D2C2E-4FE1-4a1c-9983-90E30CD4A15C}.exe

Filesize
168KB

MD5
172e68943bf38fb60d4b02e3cb9f4fc9

SHA1
c424235932ed8180f81f73279f2fc1821955dbcb

SHA256
8b75911cefce2a73fb6d98fccb5b645905ad5d82be171b4208884b0fb318a892

SHA512
10b7b4cc045681412949d5418265df76a578f5ab6d24c3fc8bd2d7182f21803c7f8d3e7864b500f81ba657b54125ce8f5fcbabad4cfefb1cbdb7ad499f6cd8f5

Download Submit
C:\Windows\{9BF0EFAE-FE6A-474b-9BE9-2DD86F222C16}.exe

Filesize
168KB

MD5
33c517ae84a0610b5805c95aa19839fc

SHA1
8aa07878867dba7dc454c3ea64d284fe08d62848

SHA256
4016d8dd527ad183651e428252e4842d2b6943c5e64748c2c1c081e12f4e905b

SHA512
6945658fdc0328fd04d93fc6f7801dcbc6be1e5955c6a5c2094ed846663ec6c77e0696e291bf90b9fc49e38263858cddfca088a3c46c424e323defe0197cb5bd

Download Submit
C:\Windows\{A492359B-111E-46c2-926C-7612D11040C1}.exe

Filesize
168KB

MD5
41e2ac8103b9d36139e3d50936896903

SHA1
68044eabf8d21631f0a9ae28da2209e38f7cd85a

SHA256
d96b6fa4b72f3cf4e7bf48dbcf8bd7fa67fbd87c3abf7d8ad428507a6abecd0c

SHA512
1d172becda5f42ec0a0cf4466ed134ac9596da34ac03fe5b2dfc65c2d43b6440992b6f99c173dc4180090c1eef6d841a30efbde7283e0c27c5d577aab6655eb5

Download Submit
C:\Windows\{A984D524-3E8C-4308-A97E-35B5A4DC7073}.exe

Filesize
168KB

MD5
16462990a54364b4875a26d1c489528f

SHA1
561d39e5a6966ff2bcf0903ead64da003007eb31

SHA256
125046ac66b134baa130eb9341fab9056a8e575c5a2936601e63fda757b04d6c

SHA512
de582145cab8a640ae8cee6989414cf6457da40f89cf34e12bcfa01985358071f6b06a27e31b638f925a77a731a4556db393f8093f2e15b908ea5dc76980f86f

Download Submit
C:\Windows\{AD392AB2-DD51-47b9-B021-B881653B3B89}.exe

Filesize
168KB

MD5
835b780ee0797fe88ebeaba9c78fa2d5

SHA1
3fcebc746fc474f86263d4a65db0c2f0e450162e

SHA256
bcc55bee0ceaa0b05a11e2ae134df5a4fc7ec676b42ba101bca579d62596a123

SHA512
0fd78083ce91949a19eb2f34f5e01ef507ec1c2d6ff7d883ce338af00725d7ef5ba728030035cea3aa1441c58a6e2bbe320b493abf43c07ca96f41240f479ea2

Download Submit
C:\Windows\{F9E126B1-B9C1-4745-83AB-8CCB1457E553}.exe

Filesize
168KB

MD5
8563aef6d8b43c500528a3db5518b39a

SHA1
33b7d8502e664aabb810503a0050a03e26431364

SHA256
7af9e54d22c99d9f62f1808321c7179b798a3da834ecf87a0a442a3596cc0769

SHA512
e4f2c10ac6557262e3f3281f98143d7e31fb74aa29ee4518f06958bb4a573b08d3a5e485aa4cbf92ba96809d6fdea9dba8caaf01c15dd5f6bbc6180dff280368

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads