723c10ec1c6b6b331f17fa08437acfc0485ae4ee8a2d3c8197dccbfd4bcd5352

Analysis

max time kernel
149s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe
Size

372KB
MD5

7903fb89198ede416f03b7dfffbf6228
SHA1

d22d316a50a6323ebbfa2ef24e8c762dad0f769b
SHA256

723c10ec1c6b6b331f17fa08437acfc0485ae4ee8a2d3c8197dccbfd4bcd5352
SHA512

096942af0e319547f266be887020799e6b225705364396d4438ee3217f32a62759d9ffe7bc275dd6918de6d145c46a855e70e97ce3b8cb9ff649de3dbfadcdb7
SSDEEP

3072:CEGh0oClMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG8lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023abb-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023abe-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023bb0-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023abe-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023bb1-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023bb4-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023bb1-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000001e4eb-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023a78-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000001e4eb-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023bc2-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000001e4eb-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}	{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}\stubpath = "C:\\Windows\\{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe"	{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}	{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}\stubpath = "C:\\Windows\\{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe"	{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02104F20-4144-4b71-A760-7276E843401F}	{1052D647-B4C3-45ab-9C02-3E287DF793D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02104F20-4144-4b71-A760-7276E843401F}\stubpath = "C:\\Windows\\{02104F20-4144-4b71-A760-7276E843401F}.exe"	{1052D647-B4C3-45ab-9C02-3E287DF793D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{930E7B2C-DF48-4e15-A32B-B48034C602C5}\stubpath = "C:\\Windows\\{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe"	{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}	{C7656166-5FEA-40f9-8C43-DB523729D405}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1052D647-B4C3-45ab-9C02-3E287DF793D9}	{2137D30E-118A-4a19-BD48-59AEC2BBE82C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8AB948F-ADBD-497d-A258-49F537DB3401}\stubpath = "C:\\Windows\\{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe"	{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}\stubpath = "C:\\Windows\\{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe"	{C7656166-5FEA-40f9-8C43-DB523729D405}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}	{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}\stubpath = "C:\\Windows\\{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe"	{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2137D30E-118A-4a19-BD48-59AEC2BBE82C}\stubpath = "C:\\Windows\\{2137D30E-118A-4a19-BD48-59AEC2BBE82C}.exe"	{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}\stubpath = "C:\\Windows\\{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe"	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8AB948F-ADBD-497d-A258-49F537DB3401}	{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7656166-5FEA-40f9-8C43-DB523729D405}	{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7656166-5FEA-40f9-8C43-DB523729D405}\stubpath = "C:\\Windows\\{C7656166-5FEA-40f9-8C43-DB523729D405}.exe"	{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}\stubpath = "C:\\Windows\\{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe"	{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}	{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2137D30E-118A-4a19-BD48-59AEC2BBE82C}	{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1052D647-B4C3-45ab-9C02-3E287DF793D9}\stubpath = "C:\\Windows\\{1052D647-B4C3-45ab-9C02-3E287DF793D9}.exe"	{2137D30E-118A-4a19-BD48-59AEC2BBE82C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{930E7B2C-DF48-4e15-A32B-B48034C602C5}	{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe

Executes dropped EXE 12 IoCs

pid	Process
5052	{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe
1968	{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe
1808	{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe
3464	{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe
3836	{C7656166-5FEA-40f9-8C43-DB523729D405}.exe
2664	{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe
1708	{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe
4900	{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe
1032	{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe
4536	{2137D30E-118A-4a19-BD48-59AEC2BBE82C}.exe
4728	{1052D647-B4C3-45ab-9C02-3E287DF793D9}.exe
4828	{02104F20-4144-4b71-A760-7276E843401F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{02104F20-4144-4b71-A760-7276E843401F}.exe	{1052D647-B4C3-45ab-9C02-3E287DF793D9}.exe
File created	C:\Windows\{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe
File created	C:\Windows\{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe	{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe
File created	C:\Windows\{C7656166-5FEA-40f9-8C43-DB523729D405}.exe	{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe
File created	C:\Windows\{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe	{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe
File created	C:\Windows\{2137D30E-118A-4a19-BD48-59AEC2BBE82C}.exe	{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe
File created	C:\Windows\{1052D647-B4C3-45ab-9C02-3E287DF793D9}.exe	{2137D30E-118A-4a19-BD48-59AEC2BBE82C}.exe
File created	C:\Windows\{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe	{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe
File created	C:\Windows\{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe	{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe
File created	C:\Windows\{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe	{C7656166-5FEA-40f9-8C43-DB523729D405}.exe
File created	C:\Windows\{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe	{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe
File created	C:\Windows\{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe	{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	760	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5052	{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe
Token: SeIncBasePriorityPrivilege	1968	{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe
Token: SeIncBasePriorityPrivilege	1808	{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe
Token: SeIncBasePriorityPrivilege	3464	{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe
Token: SeIncBasePriorityPrivilege	3836	{C7656166-5FEA-40f9-8C43-DB523729D405}.exe
Token: SeIncBasePriorityPrivilege	2664	{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe
Token: SeIncBasePriorityPrivilege	1708	{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe
Token: SeIncBasePriorityPrivilege	4900	{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe
Token: SeIncBasePriorityPrivilege	1032	{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe
Token: SeIncBasePriorityPrivilege	4536	{2137D30E-118A-4a19-BD48-59AEC2BBE82C}.exe
Token: SeIncBasePriorityPrivilege	4728	{1052D647-B4C3-45ab-9C02-3E287DF793D9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 5052	760	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe	99
PID 760 wrote to memory of 5052	760	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe	99
PID 760 wrote to memory of 5052	760	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe	99
PID 760 wrote to memory of 4824	760	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe	100
PID 760 wrote to memory of 4824	760	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe	100
PID 760 wrote to memory of 4824	760	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe	100
PID 5052 wrote to memory of 1968	5052	{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe	101
PID 5052 wrote to memory of 1968	5052	{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe	101
PID 5052 wrote to memory of 1968	5052	{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe	101
PID 5052 wrote to memory of 3156	5052	{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe	102
PID 5052 wrote to memory of 3156	5052	{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe	102
PID 5052 wrote to memory of 3156	5052	{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe	102
PID 1968 wrote to memory of 1808	1968	{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe	105
PID 1968 wrote to memory of 1808	1968	{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe	105
PID 1968 wrote to memory of 1808	1968	{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe	105
PID 1968 wrote to memory of 2944	1968	{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe	106
PID 1968 wrote to memory of 2944	1968	{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe	106
PID 1968 wrote to memory of 2944	1968	{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe	106
PID 1808 wrote to memory of 3464	1808	{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe	107
PID 1808 wrote to memory of 3464	1808	{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe	107
PID 1808 wrote to memory of 3464	1808	{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe	107
PID 1808 wrote to memory of 1908	1808	{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe	108
PID 1808 wrote to memory of 1908	1808	{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe	108
PID 1808 wrote to memory of 1908	1808	{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe	108
PID 3464 wrote to memory of 3836	3464	{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe	111
PID 3464 wrote to memory of 3836	3464	{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe	111
PID 3464 wrote to memory of 3836	3464	{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe	111
PID 3464 wrote to memory of 2440	3464	{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe	112
PID 3464 wrote to memory of 2440	3464	{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe	112
PID 3464 wrote to memory of 2440	3464	{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe	112
PID 3836 wrote to memory of 2664	3836	{C7656166-5FEA-40f9-8C43-DB523729D405}.exe	116
PID 3836 wrote to memory of 2664	3836	{C7656166-5FEA-40f9-8C43-DB523729D405}.exe	116
PID 3836 wrote to memory of 2664	3836	{C7656166-5FEA-40f9-8C43-DB523729D405}.exe	116
PID 3836 wrote to memory of 2612	3836	{C7656166-5FEA-40f9-8C43-DB523729D405}.exe	117
PID 3836 wrote to memory of 2612	3836	{C7656166-5FEA-40f9-8C43-DB523729D405}.exe	117
PID 3836 wrote to memory of 2612	3836	{C7656166-5FEA-40f9-8C43-DB523729D405}.exe	117
PID 2664 wrote to memory of 1708	2664	{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe	118
PID 2664 wrote to memory of 1708	2664	{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe	118
PID 2664 wrote to memory of 1708	2664	{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe	118
PID 2664 wrote to memory of 5100	2664	{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe	119
PID 2664 wrote to memory of 5100	2664	{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe	119
PID 2664 wrote to memory of 5100	2664	{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe	119
PID 1708 wrote to memory of 4900	1708	{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe	128
PID 1708 wrote to memory of 4900	1708	{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe	128
PID 1708 wrote to memory of 4900	1708	{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe	128
PID 1708 wrote to memory of 2024	1708	{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe	129
PID 1708 wrote to memory of 2024	1708	{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe	129
PID 1708 wrote to memory of 2024	1708	{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe	129
PID 4900 wrote to memory of 1032	4900	{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe	130
PID 4900 wrote to memory of 1032	4900	{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe	130
PID 4900 wrote to memory of 1032	4900	{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe	130
PID 4900 wrote to memory of 1040	4900	{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe	131
PID 4900 wrote to memory of 1040	4900	{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe	131
PID 4900 wrote to memory of 1040	4900	{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe	131
PID 1032 wrote to memory of 4536	1032	{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe	132
PID 1032 wrote to memory of 4536	1032	{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe	132
PID 1032 wrote to memory of 4536	1032	{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe	132
PID 1032 wrote to memory of 2268	1032	{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe	133
PID 1032 wrote to memory of 2268	1032	{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe	133
PID 1032 wrote to memory of 2268	1032	{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe	133
PID 4536 wrote to memory of 4728	4536	{2137D30E-118A-4a19-BD48-59AEC2BBE82C}.exe	136
PID 4536 wrote to memory of 4728	4536	{2137D30E-118A-4a19-BD48-59AEC2BBE82C}.exe	136
PID 4536 wrote to memory of 4728	4536	{2137D30E-118A-4a19-BD48-59AEC2BBE82C}.exe	136
PID 4536 wrote to memory of 1824	4536	{2137D30E-118A-4a19-BD48-59AEC2BBE82C}.exe	137

C:\Users\Admin\AppData\Local\Temp\2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe
  C:\Windows\{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe
    C:\Windows\{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe
      C:\Windows\{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe
        
        C:\Windows\{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
      - C:\Windows\{C7656166-5FEA-40f9-8C43-DB523729D405}.exe
        
        C:\Windows\{C7656166-5FEA-40f9-8C43-DB523729D405}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe
        
        C:\Windows\{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe
        
        C:\Windows\{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe
        
        C:\Windows\{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe
        
        C:\Windows\{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\{2137D30E-118A-4a19-BD48-59AEC2BBE82C}.exe
        
        C:\Windows\{2137D30E-118A-4a19-BD48-59AEC2BBE82C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\{1052D647-B4C3-45ab-9C02-3E287DF793D9}.exe
        
        C:\Windows\{1052D647-B4C3-45ab-9C02-3E287DF793D9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
        
        C:\Windows\{02104F20-4144-4b71-A760-7276E843401F}.exe
        
        C:\Windows\{02104F20-4144-4b71-A760-7276E843401F}.exe
        13⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1052D~1.EXE > nul
        13⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2137D~1.EXE > nul
        12⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFB35~1.EXE > nul
        11⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F9B3~1.EXE > nul
        10⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3495A~1.EXE > nul
        9⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F368E~1.EXE > nul
        8⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7656~1.EXE > nul
        7⤵
        
        PID:2612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA4B2~1.EXE > nul
        6⤵
        
        PID:2440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{930E7~1.EXE > nul
        5⤵
        
        PID:1908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C8AB9~1.EXE > nul
      4⤵
      PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E4AED~1.EXE > nul
    3⤵
    PID:3156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02104F20-4144-4b71-A760-7276E843401F}.exe

Filesize
372KB

MD5
d9a04c8d87c2626cf7c344df9579a101

SHA1
aa1592428b4fb1cfb860e9a5c84f75915538a676

SHA256
ef9c2918b698fd7bda9c95e899a6f7bfbcfe2d42c3d7b30645bf8ff764f91fa2

SHA512
1f79e865de819606087ababf888dfa1f4c7d707a367bd22153f9d3ed6679fac22b26298ce66f0cdbcf00655a903dd22f0a810ef9f653a92b876f66f50b021d46

Download Submit
C:\Windows\{1052D647-B4C3-45ab-9C02-3E287DF793D9}.exe

Filesize
372KB

MD5
1bb9bba3bc0979004173692c330d7add

SHA1
717d9b3635e7ae6cae1a18cd15a536aace7661ae

SHA256
ed0b3cb3296fd06364fa58bc2b4d34a29fb27119aaeffb6aa64e00486da89983

SHA512
ffa0465c5702e78eed68b7d6c72562e98a73844aeea81c8f331daefcd68c9fcbc6b7868796ff43b3e051d47d4f7dab7233f44c2505edda7b622757453568eea0

Download Submit
C:\Windows\{2137D30E-118A-4a19-BD48-59AEC2BBE82C}.exe

Filesize
372KB

MD5
a1e6905b7910e140dd3346e77733cb5b

SHA1
f9e982b4a913a2a39ea299a21e822349d3cb5087

SHA256
8c8928c7fedadfc97b39c15db5add9a5cfca2b77fb37688b4790b27d3a2208dd

SHA512
9db00f0889532c14b8df788efe7882134f514a83d51c9e778fd8cd494fd11a2c9d3871b7f69fee7eafb9f02f97a4fbdfa627d171a590c571c6ce2565aed73c62

Download Submit
C:\Windows\{3495A0BE-098E-4f77-B4AF-530DE90CD8DB}.exe

Filesize
372KB

MD5
06a853772a2811b4911bf886d9349243

SHA1
e5ade9ef1b0d55fc9826b781f52db38e9d1a023f

SHA256
da13737060fd0ccb658c35c0d1433d9236f6dffe1b049f42cc7dd08a23cb81a9

SHA512
3a2dcdcba733753be79daebe5ebfd857329d89e5000b8fec69e4ec7ede152a529f60720ce7e1442afd898f7336d36dcfe7d20115cb9106af3d3a0c97fafee2cf

Download Submit
C:\Windows\{8F9B35B0-DCB8-412e-8AE1-702798DA8F93}.exe

Filesize
372KB

MD5
38570bda8af02456db7bc0a17d51c24c

SHA1
89f224c1fa09036d2f225cc6f325ce44303e65fe

SHA256
ac62ad85ff5d331fd6ed487a1087756d8e9806f9ffe9d04a8c5f51e8fb14dec6

SHA512
f6d6d883c4676bb8b812a7c7fd221e532e20d890d0a2ff2fbb588d0404634b45f4c89345463cd6f686d87f35bea2db6bf2f424ff651424cb2dec92b70041a34a

Download Submit
C:\Windows\{930E7B2C-DF48-4e15-A32B-B48034C602C5}.exe

Filesize
372KB

MD5
819260dd46296ba4ebb7b89d2ca432df

SHA1
910904b088ecff44f9992fbad22eb97452421082

SHA256
f993013f08614a687acd67982fa94e0c2543bded7779b9e73f435aa43c6c9f05

SHA512
be7ff46b1152c4b0b891b544025790dd8dc6207cb06947dce2171b059b14052c265885de97ffd724c51e25f05236b2b24c337e9ad7d28e314f96f47c5f418882

Download Submit
C:\Windows\{C7656166-5FEA-40f9-8C43-DB523729D405}.exe

Filesize
372KB

MD5
4aba4a5d013f30e172cda06cd909fbfb

SHA1
c18eed3d29319d60469c8db1fda0a82776f871ef

SHA256
8ccbb29192a8f8a2431d37fcdaf718728fb90a9cd834e17f4ff5873f9cef9215

SHA512
9df7a24d7e9de1b951c2faa7d2e249abd57ca839ea422cb6db01bb1ff3f89ebb2cf3ea5f37a1296ca2b4090d71a1992864c7f3906b1ed83297fab87d2c38c776

Download Submit
C:\Windows\{C8AB948F-ADBD-497d-A258-49F537DB3401}.exe

Filesize
372KB

MD5
42c2e2d6c3b02ea068dbfa58f0a0b93b

SHA1
fd146963c71a46ec40d99e9c616b1c75cbbe635f

SHA256
554ae038c6e32831e2dad51d7e8d3d4d41af8aff920d8737b839e830e018a164

SHA512
b81d118cfccbf396de1c87076cfb12d06c8a49e591f0f03d0e2d2fd5660dbb47c0c5682ad628d01dbcb6d75f1addcdf287a660f1f767e34e02be024de1d1d60d

Download Submit
C:\Windows\{CFB35A1F-66BA-4025-AA2D-190F7DB6A60C}.exe

Filesize
372KB

MD5
910056853c4ae98c361ac29ad7910f36

SHA1
d831269863179f2cbd6163f05779360ece84ac9c

SHA256
5f12bab9984ad70bdef570ff0eac3edb84f45570260dc0efc62717000d073d0e

SHA512
9f83e7c915d44044110a817676a77ddda82a38c0801d134e47c8d92f11d34cdff78d7d0733dba3c77c0ea1999119a07e946a925c759f561a733865f397f35d82

Download Submit
C:\Windows\{DA4B286E-81AC-495b-89BF-4A6E05CD7AF7}.exe

Filesize
372KB

MD5
5dfc4f03acd8387d3b3f3006e278ec47

SHA1
e701d350c93cac78c7e4ee697145743f629284b9

SHA256
de88891e1799a6d9d206064f9b0ced74d1bd9cc73c59eb63dd2005c1dd5b713f

SHA512
990259f5bfdad2068e21124ed4d1d3dd59bd61f35ffc37d1bbf69eff32ecc09db4f36f41fc0a65cbc2b60e0ea3e03afea7923b0f38d4246e28f192f5b3b05152

Download Submit
C:\Windows\{E4AEDEBB-85F5-4f9c-A5B5-960C403045F9}.exe

Filesize
372KB

MD5
f6b1b233d1261917b63b01e5c7f9ae13

SHA1
67543aebcb808b721d94d23f2e681375f6072302

SHA256
006965f8c09facd3cbe468b1936feaa9a8499e85c74be423b8acb2e060fe6b9a

SHA512
9e4dbedc28dcc20b2b277749a4bed5a4b8ab042309070f54015b5905432b0d79b52f2b41ea3f9bf1ee92e72f727b95ef3a91a3f91dda2410216ea2c90e23f405

Download Submit
C:\Windows\{F368EC1B-3D5F-40ad-928A-E509A4E3FC8E}.exe

Filesize
372KB

MD5
09dedc063c941078abe5ead0392f2c94

SHA1
992df4c59c767c6fc368eb97946934bbf783bf69

SHA256
ac5e74a518bfb10441b5c4af0a5e5cafe9a35246dfb9a48890ab8b23582ac046

SHA512
72c9a41cb528740ff290ff427a2b2687a9690e917d76eb75f02e272b6934a1c6a1928f58ddf94dd8c6ff9e0fba110723bb86de7ab8d89ca410e4882ce4409f7c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads