b0a4eee8a510c7ce3e8a6f2fe8bfd34603aa4a3ebda202dab0b1713ff304afc6

Analysis

max time kernel
149s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe
Size

168KB
MD5

49adaccbd3f7a4876fbead1ed11df86a
SHA1

72bbe67c17d3385f16b55975be8e2e95151e5a4f
SHA256

b0a4eee8a510c7ce3e8a6f2fe8bfd34603aa4a3ebda202dab0b1713ff304afc6
SHA512

8063f07fc550aba0cd2301c691332265dfdb06558e446e729266f6f3093779be6e3067134d2fb71a3e39037d3a7ab782631e6c5834b95d24288197d1bc3a565e
SSDEEP

1536:1EGh0oNlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oNlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023b83-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023b88-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022972-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023b8f-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023b9a-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b8f-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b9a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023b8f-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023b9a-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023b8f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023b9a-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023b8f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}	{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}\stubpath = "C:\\Windows\\{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe"	{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}	{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}\stubpath = "C:\\Windows\\{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe"	{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}\stubpath = "C:\\Windows\\{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe"	{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}	{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}\stubpath = "C:\\Windows\\{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe"	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{821157EF-B551-4ed2-A80D-3B4C504F9BA6}	{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7E56E07-9BD6-4565-8736-917137F75363}\stubpath = "C:\\Windows\\{A7E56E07-9BD6-4565-8736-917137F75363}.exe"	{D358F970-6F99-4728-84F9-D7271B222F50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}	{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}	{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C66B130-0065-428e-B4D4-9ED0260CEA7A}\stubpath = "C:\\Windows\\{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe"	{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{821157EF-B551-4ed2-A80D-3B4C504F9BA6}\stubpath = "C:\\Windows\\{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe"	{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00BD94BF-05BD-460f-9F38-59F2A014F94F}	{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F0EB449-D623-47b4-9CC0-5737A39D3567}	{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C66B130-0065-428e-B4D4-9ED0260CEA7A}	{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}\stubpath = "C:\\Windows\\{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe"	{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00BD94BF-05BD-460f-9F38-59F2A014F94F}\stubpath = "C:\\Windows\\{00BD94BF-05BD-460f-9F38-59F2A014F94F}.exe"	{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D358F970-6F99-4728-84F9-D7271B222F50}	{00BD94BF-05BD-460f-9F38-59F2A014F94F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D358F970-6F99-4728-84F9-D7271B222F50}\stubpath = "C:\\Windows\\{D358F970-6F99-4728-84F9-D7271B222F50}.exe"	{00BD94BF-05BD-460f-9F38-59F2A014F94F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7E56E07-9BD6-4565-8736-917137F75363}	{D358F970-6F99-4728-84F9-D7271B222F50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F0EB449-D623-47b4-9CC0-5737A39D3567}\stubpath = "C:\\Windows\\{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe"	{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}\stubpath = "C:\\Windows\\{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe"	{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe

Executes dropped EXE 12 IoCs

pid	Process
2448	{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe
1196	{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe
3672	{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe
1376	{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe
3500	{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe
3920	{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe
4924	{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe
2568	{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe
1532	{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe
3516	{00BD94BF-05BD-460f-9F38-59F2A014F94F}.exe
3748	{D358F970-6F99-4728-84F9-D7271B222F50}.exe
1172	{A7E56E07-9BD6-4565-8736-917137F75363}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D358F970-6F99-4728-84F9-D7271B222F50}.exe	{00BD94BF-05BD-460f-9F38-59F2A014F94F}.exe
File created	C:\Windows\{A7E56E07-9BD6-4565-8736-917137F75363}.exe	{D358F970-6F99-4728-84F9-D7271B222F50}.exe
File created	C:\Windows\{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe
File created	C:\Windows\{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe	{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe
File created	C:\Windows\{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe	{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe
File created	C:\Windows\{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe	{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe
File created	C:\Windows\{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe	{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe
File created	C:\Windows\{00BD94BF-05BD-460f-9F38-59F2A014F94F}.exe	{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe
File created	C:\Windows\{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe	{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe
File created	C:\Windows\{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe	{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe
File created	C:\Windows\{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe	{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe
File created	C:\Windows\{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe	{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4604	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2448	{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe
Token: SeIncBasePriorityPrivilege	1196	{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe
Token: SeIncBasePriorityPrivilege	3672	{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe
Token: SeIncBasePriorityPrivilege	1376	{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe
Token: SeIncBasePriorityPrivilege	3500	{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe
Token: SeIncBasePriorityPrivilege	3920	{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe
Token: SeIncBasePriorityPrivilege	4924	{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe
Token: SeIncBasePriorityPrivilege	2568	{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe
Token: SeIncBasePriorityPrivilege	1532	{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe
Token: SeIncBasePriorityPrivilege	3516	{00BD94BF-05BD-460f-9F38-59F2A014F94F}.exe
Token: SeIncBasePriorityPrivilege	3748	{D358F970-6F99-4728-84F9-D7271B222F50}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 2448	4604	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe	88
PID 4604 wrote to memory of 2448	4604	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe	88
PID 4604 wrote to memory of 2448	4604	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe	88
PID 4604 wrote to memory of 3184	4604	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe	89
PID 4604 wrote to memory of 3184	4604	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe	89
PID 4604 wrote to memory of 3184	4604	2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe	89
PID 2448 wrote to memory of 1196	2448	{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe	90
PID 2448 wrote to memory of 1196	2448	{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe	90
PID 2448 wrote to memory of 1196	2448	{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe	90
PID 2448 wrote to memory of 1100	2448	{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe	91
PID 2448 wrote to memory of 1100	2448	{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe	91
PID 2448 wrote to memory of 1100	2448	{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe	91
PID 1196 wrote to memory of 3672	1196	{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe	94
PID 1196 wrote to memory of 3672	1196	{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe	94
PID 1196 wrote to memory of 3672	1196	{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe	94
PID 1196 wrote to memory of 3396	1196	{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe	95
PID 1196 wrote to memory of 3396	1196	{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe	95
PID 1196 wrote to memory of 3396	1196	{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe	95
PID 3672 wrote to memory of 1376	3672	{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe	100
PID 3672 wrote to memory of 1376	3672	{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe	100
PID 3672 wrote to memory of 1376	3672	{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe	100
PID 3672 wrote to memory of 2944	3672	{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe	101
PID 3672 wrote to memory of 2944	3672	{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe	101
PID 3672 wrote to memory of 2944	3672	{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe	101
PID 1376 wrote to memory of 3500	1376	{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe	103
PID 1376 wrote to memory of 3500	1376	{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe	103
PID 1376 wrote to memory of 3500	1376	{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe	103
PID 1376 wrote to memory of 2744	1376	{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe	104
PID 1376 wrote to memory of 2744	1376	{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe	104
PID 1376 wrote to memory of 2744	1376	{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe	104
PID 3500 wrote to memory of 3920	3500	{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe	107
PID 3500 wrote to memory of 3920	3500	{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe	107
PID 3500 wrote to memory of 3920	3500	{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe	107
PID 3500 wrote to memory of 2272	3500	{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe	108
PID 3500 wrote to memory of 2272	3500	{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe	108
PID 3500 wrote to memory of 2272	3500	{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe	108
PID 3920 wrote to memory of 4924	3920	{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe	109
PID 3920 wrote to memory of 4924	3920	{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe	109
PID 3920 wrote to memory of 4924	3920	{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe	109
PID 3920 wrote to memory of 1352	3920	{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe	110
PID 3920 wrote to memory of 1352	3920	{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe	110
PID 3920 wrote to memory of 1352	3920	{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe	110
PID 4924 wrote to memory of 2568	4924	{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe	111
PID 4924 wrote to memory of 2568	4924	{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe	111
PID 4924 wrote to memory of 2568	4924	{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe	111
PID 4924 wrote to memory of 2820	4924	{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe	112
PID 4924 wrote to memory of 2820	4924	{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe	112
PID 4924 wrote to memory of 2820	4924	{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe	112
PID 2568 wrote to memory of 1532	2568	{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe	113
PID 2568 wrote to memory of 1532	2568	{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe	113
PID 2568 wrote to memory of 1532	2568	{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe	113
PID 2568 wrote to memory of 944	2568	{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe	114
PID 2568 wrote to memory of 944	2568	{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe	114
PID 2568 wrote to memory of 944	2568	{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe	114
PID 1532 wrote to memory of 3516	1532	{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe	115
PID 1532 wrote to memory of 3516	1532	{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe	115
PID 1532 wrote to memory of 3516	1532	{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe	115
PID 1532 wrote to memory of 2308	1532	{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe	116
PID 1532 wrote to memory of 2308	1532	{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe	116
PID 1532 wrote to memory of 2308	1532	{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe	116
PID 3516 wrote to memory of 3748	3516	{00BD94BF-05BD-460f-9F38-59F2A014F94F}.exe	117
PID 3516 wrote to memory of 3748	3516	{00BD94BF-05BD-460f-9F38-59F2A014F94F}.exe	117
PID 3516 wrote to memory of 3748	3516	{00BD94BF-05BD-460f-9F38-59F2A014F94F}.exe	117
PID 3516 wrote to memory of 3840	3516	{00BD94BF-05BD-460f-9F38-59F2A014F94F}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_49adaccbd3f7a4876fbead1ed11df86a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe
  C:\Windows\{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe
    C:\Windows\{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe
      C:\Windows\{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3672
    - - C:\Windows\{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe
        
        C:\Windows\{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
      - C:\Windows\{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe
        
        C:\Windows\{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe
        
        C:\Windows\{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe
        
        C:\Windows\{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe
        
        C:\Windows\{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe
        
        C:\Windows\{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\{00BD94BF-05BD-460f-9F38-59F2A014F94F}.exe
        
        C:\Windows\{00BD94BF-05BD-460f-9F38-59F2A014F94F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\{D358F970-6F99-4728-84F9-D7271B222F50}.exe
        
        C:\Windows\{D358F970-6F99-4728-84F9-D7271B222F50}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3748
        
        C:\Windows\{A7E56E07-9BD6-4565-8736-917137F75363}.exe
        
        C:\Windows\{A7E56E07-9BD6-4565-8736-917137F75363}.exe
        13⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D358F~1.EXE > nul
        13⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00BD9~1.EXE > nul
        12⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{512E9~1.EXE > nul
        11⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82115~1.EXE > nul
        10⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C66B~1.EXE > nul
        9⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BEC5~1.EXE > nul
        8⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC6AD~1.EXE > nul
        7⤵
        
        PID:2272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B4EC~1.EXE > nul
        6⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EF86~1.EXE > nul
        5⤵
        
        PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1F0EB~1.EXE > nul
      4⤵
      PID:3396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9927F~1.EXE > nul
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00BD94BF-05BD-460f-9F38-59F2A014F94F}.exe

Filesize
168KB

MD5
8f9dcc926c2c38abd1f00aae4011cfc7

SHA1
d78ea97721a3e78bec6b9675f43ff98a2784456f

SHA256
5b24973b507ffb8d81afabe5e18a18866d3f8e1aaa8e188babbdbbf5cbbd1713

SHA512
60de4a3f224217c9811b78442abcd8f75d6e7664fa02613984377faa2135f007189b9e52febd003aec7338a065c25600dbae11ae7c089d02b3df00477d039f5b

Download Submit
C:\Windows\{1F0EB449-D623-47b4-9CC0-5737A39D3567}.exe

Filesize
168KB

MD5
887c76a548595b4fc66319aacb9f893a

SHA1
918647c8a4b027a1f682c7c1cd136cfc14948149

SHA256
7ba4f48e0386fcab9c1360e3abba5bcc169e845376c4ea787f90d400306b8fe0

SHA512
c9c1d78d81acc4856e205236b5750c4dcbc3a5582c6695f59f805920c0a241165988bab05059d4d722a31256825d7f3dd5b8e1bfb221bbd081359404dfe1acc4

Download Submit
C:\Windows\{512E9CF8-BE73-46c1-BF5F-9699D0F7481B}.exe

Filesize
168KB

MD5
eef1b300f160a087d40b69e9c01405be

SHA1
021f58ed2e406f77b97b035e81e2a45ae9983107

SHA256
d799a1175b7a1534c6c3df8af437b4abca5db75f1cf7f98ebaeb54fbfd266236

SHA512
2a3c22483eca5010fadb23f1143c13bd8eaec0334b98205ee5bb0eece22ab75934756250053b82bb1cadcbcc583cc5fbb17ce771dd4492edd67b871fe0cc4760

Download Submit
C:\Windows\{5B4ECBCD-51B5-4f91-872A-BC7DCFAEC0A3}.exe

Filesize
168KB

MD5
873de0d6f8f1155b641e4de23ae7c8e7

SHA1
a788ca2d5fb53d8f6b4739f58e12f8947aa1cf25

SHA256
ec022b213c43a97604e0d64a1c5b5f1930a98010872c3be97ad648c0753587b2

SHA512
512f787780cf3468880aa4fd06196e9e4956f7134b48ba8c5fc141c4afe4e9378d836662707dfb41bc2b0a3d414f5756a135eb0903249acb0d136ce1eda80c2a

Download Submit
C:\Windows\{7BEC5A98-F59E-43ea-8958-5666C83DE8A5}.exe

Filesize
168KB

MD5
b27bae1bee939045a2eb40988ead648d

SHA1
cbb414be64f7c7837fd378e87fab25df2850257b

SHA256
53407a3c97662ca0d193b3dd3d8b9c0aa0b642dea73e9788e35d269af0c53681

SHA512
070a8939a3801daf641ae6a1168b8d858ff0a34739ac2742bed96bab45c068b0d7914dfa5812f13d15b6da25fa4469c403b6bb531dc20b9f0aba196b21f2f61c

Download Submit
C:\Windows\{7EF86F25-37B4-40e0-AA5D-FEF3B0E875B7}.exe

Filesize
168KB

MD5
e2244d97d7826ce34814d1614baf41d6

SHA1
10134aa8fcce94adfa7ba4bdcda52aca040b0ccc

SHA256
4e335805e6859f3d53810fd525597f0df0fafb7359a1ccb10e68f6245f9ad9a4

SHA512
ed540c6547d8a951bd6c62f2f4aa6b9da5911656f2a6f2b5a979c7a7f793b6e6966cd12aa0fafe05bb1813599d5da4666baef97ff5b9c7475f2d527106df15be

Download Submit
C:\Windows\{821157EF-B551-4ed2-A80D-3B4C504F9BA6}.exe

Filesize
168KB

MD5
20938a1849b407411e10321fe9a3908c

SHA1
98f78782f3607883bdc8507332beb84b4f333a8c

SHA256
0f3f3a6c401f81f5f34e06978138a7ee305412f7c27a8c893fa1b333178441ac

SHA512
776e9c8a2d42394ab0dfd18ee7d8a7781afce80716cf373c9e4a08354a71f29f63540bc3a428d1ecc1f291a7b6860e5e1864df7910930f01a67627d7cea63448

Download Submit
C:\Windows\{8C66B130-0065-428e-B4D4-9ED0260CEA7A}.exe

Filesize
168KB

MD5
a366abb5fd7cd1f7c9b848598c0f8681

SHA1
2c84fca3c45faf1cfb4e59d45a625bc3c69ca9b5

SHA256
47d3e594c69f8a52a26a1718537e50823c7dee7b79c0a9053f19090bcc176aeb

SHA512
47ab61455007d3bc78208ec58247ae49ae03fda8819494a7cf2621321fb78be6a765779378fc91a0745bcb8e8ccffa67851a2e9f4ade0c0af3ec56001c9f2872

Download Submit
C:\Windows\{9927FDD1-4AEC-4e1c-9FEE-69C5AF749CB0}.exe

Filesize
168KB

MD5
f313262b1b3101e1c4b611d447d54e53

SHA1
39ecbe57d227a406f447d785bbfb2b03feda5197

SHA256
32bccde9a9008d505f737c3f0e56bdf6a67414345f6f097d2d73de98ba3ded7d

SHA512
e034519d1db39209723be7ca93e0262db1001cc1b87e93c8490f9aeaec3e6410abdbed7fe95b7ffbbc07e8166c508347ae8f6091a0a1484ef0313e2625f40ad1

Download Submit
C:\Windows\{A7E56E07-9BD6-4565-8736-917137F75363}.exe

Filesize
168KB

MD5
7877a18551b8918c00696d36aca0aa21

SHA1
d8c308565fa06f5ec1e5c0ce17e2dc2bef209728

SHA256
3cc93a5919dc21984ca975831f7a57c878c36a90a72961023030125bfb6da0ca

SHA512
d7fec3bf9b1808474fd4a22b1ca890917b6069ca3d79d107f148a5c97f7054dcf4463225414ab10e1cd397235761e27df62edd500d402e1de3394328e7c7195f

Download Submit
C:\Windows\{D358F970-6F99-4728-84F9-D7271B222F50}.exe

Filesize
168KB

MD5
4deab2459b90a8b50e14845b6d091190

SHA1
9153defaae72b7b525935e91ae5775627c640687

SHA256
3b363bb1d6d026bc819e5249c30f6bb3d86a8a3d3e3cd269a4560d431299d6bc

SHA512
073aac5bc6d885bfcb4ef499c9c03835bc7211d6e8ec2cea5ffee0e2dc3f847ebd38a7ee5ebf748ad560d6b83577c11ea46af7ddddc3efc63ee94ea036d6359c

Download Submit
C:\Windows\{FC6ADC65-6E3F-4e84-B471-2C78167D73EE}.exe

Filesize
168KB

MD5
2392a31a4039713e95b5b47b0a892dfe

SHA1
63370dfa206dd494e7db8394825bcba1fc401b62

SHA256
33c3b96c81e8db6a866cf7262135ba09e59f31c2a14414f9cd38517c01241cf2

SHA512
8c7bbeb0eae6de552dbf6f402aee594777c82d811b60639e49545cac5df8ec9bd4944e2ff52bf39805ee8f1363ce5d1b3d9fd38c2ac15243bf16378e3c14f6c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads