605e762fd6fd732bf7d34ea46f2d923748cc205f3574e4e518add14b8d75d7e6

Analysis

max time kernel
149s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-05_77c616e1c8e25a4c9234a851fabd7fb6_goldeneye.exe
Size

216KB
MD5

77c616e1c8e25a4c9234a851fabd7fb6
SHA1

ae77da10ad413d5a568e7410675b7ba9592a6e2e
SHA256

605e762fd6fd732bf7d34ea46f2d923748cc205f3574e4e518add14b8d75d7e6
SHA512

22c1e4872785982a70d539401ab057539a6be3f8054185c19dc85ef085583f60b48ab8e0a67d26990c7ad526295b9ec07f202fcea12be273cefcc7b2e76f1022
SSDEEP

3072:jEGh0osl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGWlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233a5-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000233a6-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233fc-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000233a6-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000233fc-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00160000000233a6-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000233fc-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000021ec4-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023422-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000021ec4-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023422-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000233f7-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CA46B4B-E38F-4c63-8C9A-AB360D6B4819}	{63DF0694-A181-4055-82DE-5267DABDDEE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDB637FE-F0D6-4751-AB2D-071A3722CC06}	{9CA46B4B-E38F-4c63-8C9A-AB360D6B4819}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{688B62DA-B946-4335-AFED-C722FE877BBA}	2024-05-05_77c616e1c8e25a4c9234a851fabd7fb6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}	{688B62DA-B946-4335-AFED-C722FE877BBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}\stubpath = "C:\\Windows\\{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe"	{688B62DA-B946-4335-AFED-C722FE877BBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2FD5F80-D308-4dfa-B151-CDED30E56A01}	{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2FD5F80-D308-4dfa-B151-CDED30E56A01}\stubpath = "C:\\Windows\\{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe"	{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63DF0694-A181-4055-82DE-5267DABDDEE6}	{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{688B62DA-B946-4335-AFED-C722FE877BBA}\stubpath = "C:\\Windows\\{688B62DA-B946-4335-AFED-C722FE877BBA}.exe"	2024-05-05_77c616e1c8e25a4c9234a851fabd7fb6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F938211-C0D6-4efb-9235-1700CB154E8F}\stubpath = "C:\\Windows\\{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe"	{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B72E0311-DBC5-431d-81EF-9D895B93F9B5}\stubpath = "C:\\Windows\\{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe"	{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63DF0694-A181-4055-82DE-5267DABDDEE6}\stubpath = "C:\\Windows\\{63DF0694-A181-4055-82DE-5267DABDDEE6}.exe"	{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDB637FE-F0D6-4751-AB2D-071A3722CC06}\stubpath = "C:\\Windows\\{CDB637FE-F0D6-4751-AB2D-071A3722CC06}.exe"	{9CA46B4B-E38F-4c63-8C9A-AB360D6B4819}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}	{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}	{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B1B8284-8881-4d93-9F00-6D22BE2DA443}	{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B1B8284-8881-4d93-9F00-6D22BE2DA443}\stubpath = "C:\\Windows\\{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe"	{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}	{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CA46B4B-E38F-4c63-8C9A-AB360D6B4819}\stubpath = "C:\\Windows\\{9CA46B4B-E38F-4c63-8C9A-AB360D6B4819}.exe"	{63DF0694-A181-4055-82DE-5267DABDDEE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}\stubpath = "C:\\Windows\\{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe"	{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}\stubpath = "C:\\Windows\\{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe"	{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F938211-C0D6-4efb-9235-1700CB154E8F}	{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B72E0311-DBC5-431d-81EF-9D895B93F9B5}	{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}\stubpath = "C:\\Windows\\{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe"	{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe

Executes dropped EXE 12 IoCs

pid	Process
4980	{688B62DA-B946-4335-AFED-C722FE877BBA}.exe
1648	{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe
4092	{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe
3012	{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe
1672	{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe
2652	{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe
4952	{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe
4088	{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe
3332	{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe
3392	{63DF0694-A181-4055-82DE-5267DABDDEE6}.exe
5068	{9CA46B4B-E38F-4c63-8C9A-AB360D6B4819}.exe
1776	{CDB637FE-F0D6-4751-AB2D-071A3722CC06}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CDB637FE-F0D6-4751-AB2D-071A3722CC06}.exe	{9CA46B4B-E38F-4c63-8C9A-AB360D6B4819}.exe
File created	C:\Windows\{688B62DA-B946-4335-AFED-C722FE877BBA}.exe	2024-05-05_77c616e1c8e25a4c9234a851fabd7fb6_goldeneye.exe
File created	C:\Windows\{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe	{688B62DA-B946-4335-AFED-C722FE877BBA}.exe
File created	C:\Windows\{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe	{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe
File created	C:\Windows\{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe	{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe
File created	C:\Windows\{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe	{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe
File created	C:\Windows\{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe	{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe
File created	C:\Windows\{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe	{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe
File created	C:\Windows\{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe	{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe
File created	C:\Windows\{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe	{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe
File created	C:\Windows\{63DF0694-A181-4055-82DE-5267DABDDEE6}.exe	{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe
File created	C:\Windows\{9CA46B4B-E38F-4c63-8C9A-AB360D6B4819}.exe	{63DF0694-A181-4055-82DE-5267DABDDEE6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	828	2024-05-05_77c616e1c8e25a4c9234a851fabd7fb6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4980	{688B62DA-B946-4335-AFED-C722FE877BBA}.exe
Token: SeIncBasePriorityPrivilege	1648	{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe
Token: SeIncBasePriorityPrivilege	4092	{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe
Token: SeIncBasePriorityPrivilege	3012	{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe
Token: SeIncBasePriorityPrivilege	1672	{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe
Token: SeIncBasePriorityPrivilege	2652	{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe
Token: SeIncBasePriorityPrivilege	4952	{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe
Token: SeIncBasePriorityPrivilege	4088	{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe
Token: SeIncBasePriorityPrivilege	3332	{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe
Token: SeIncBasePriorityPrivilege	3392	{63DF0694-A181-4055-82DE-5267DABDDEE6}.exe
Token: SeIncBasePriorityPrivilege	5068	{9CA46B4B-E38F-4c63-8C9A-AB360D6B4819}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 4980	828	2024-05-05_77c616e1c8e25a4c9234a851fabd7fb6_goldeneye.exe	94
PID 828 wrote to memory of 4980	828	2024-05-05_77c616e1c8e25a4c9234a851fabd7fb6_goldeneye.exe	94
PID 828 wrote to memory of 4980	828	2024-05-05_77c616e1c8e25a4c9234a851fabd7fb6_goldeneye.exe	94
PID 828 wrote to memory of 4800	828	2024-05-05_77c616e1c8e25a4c9234a851fabd7fb6_goldeneye.exe	95
PID 828 wrote to memory of 4800	828	2024-05-05_77c616e1c8e25a4c9234a851fabd7fb6_goldeneye.exe	95
PID 828 wrote to memory of 4800	828	2024-05-05_77c616e1c8e25a4c9234a851fabd7fb6_goldeneye.exe	95
PID 4980 wrote to memory of 1648	4980	{688B62DA-B946-4335-AFED-C722FE877BBA}.exe	96
PID 4980 wrote to memory of 1648	4980	{688B62DA-B946-4335-AFED-C722FE877BBA}.exe	96
PID 4980 wrote to memory of 1648	4980	{688B62DA-B946-4335-AFED-C722FE877BBA}.exe	96
PID 4980 wrote to memory of 1100	4980	{688B62DA-B946-4335-AFED-C722FE877BBA}.exe	97
PID 4980 wrote to memory of 1100	4980	{688B62DA-B946-4335-AFED-C722FE877BBA}.exe	97
PID 4980 wrote to memory of 1100	4980	{688B62DA-B946-4335-AFED-C722FE877BBA}.exe	97
PID 1648 wrote to memory of 4092	1648	{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe	100
PID 1648 wrote to memory of 4092	1648	{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe	100
PID 1648 wrote to memory of 4092	1648	{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe	100
PID 1648 wrote to memory of 1624	1648	{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe	101
PID 1648 wrote to memory of 1624	1648	{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe	101
PID 1648 wrote to memory of 1624	1648	{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe	101
PID 4092 wrote to memory of 3012	4092	{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe	102
PID 4092 wrote to memory of 3012	4092	{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe	102
PID 4092 wrote to memory of 3012	4092	{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe	102
PID 4092 wrote to memory of 4252	4092	{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe	103
PID 4092 wrote to memory of 4252	4092	{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe	103
PID 4092 wrote to memory of 4252	4092	{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe	103
PID 3012 wrote to memory of 1672	3012	{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe	104
PID 3012 wrote to memory of 1672	3012	{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe	104
PID 3012 wrote to memory of 1672	3012	{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe	104
PID 3012 wrote to memory of 4312	3012	{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe	105
PID 3012 wrote to memory of 4312	3012	{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe	105
PID 3012 wrote to memory of 4312	3012	{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe	105
PID 1672 wrote to memory of 2652	1672	{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe	107
PID 1672 wrote to memory of 2652	1672	{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe	107
PID 1672 wrote to memory of 2652	1672	{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe	107
PID 1672 wrote to memory of 4392	1672	{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe	108
PID 1672 wrote to memory of 4392	1672	{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe	108
PID 1672 wrote to memory of 4392	1672	{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe	108
PID 2652 wrote to memory of 4952	2652	{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe	109
PID 2652 wrote to memory of 4952	2652	{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe	109
PID 2652 wrote to memory of 4952	2652	{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe	109
PID 2652 wrote to memory of 908	2652	{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe	110
PID 2652 wrote to memory of 908	2652	{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe	110
PID 2652 wrote to memory of 908	2652	{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe	110
PID 4952 wrote to memory of 4088	4952	{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe	113
PID 4952 wrote to memory of 4088	4952	{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe	113
PID 4952 wrote to memory of 4088	4952	{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe	113
PID 4952 wrote to memory of 4980	4952	{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe	114
PID 4952 wrote to memory of 4980	4952	{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe	114
PID 4952 wrote to memory of 4980	4952	{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe	114
PID 4088 wrote to memory of 3332	4088	{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe	119
PID 4088 wrote to memory of 3332	4088	{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe	119
PID 4088 wrote to memory of 3332	4088	{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe	119
PID 4088 wrote to memory of 3868	4088	{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe	120
PID 4088 wrote to memory of 3868	4088	{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe	120
PID 4088 wrote to memory of 3868	4088	{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe	120
PID 3332 wrote to memory of 3392	3332	{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe	121
PID 3332 wrote to memory of 3392	3332	{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe	121
PID 3332 wrote to memory of 3392	3332	{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe	121
PID 3332 wrote to memory of 4404	3332	{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe	122
PID 3332 wrote to memory of 4404	3332	{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe	122
PID 3332 wrote to memory of 4404	3332	{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe	122
PID 3392 wrote to memory of 5068	3392	{63DF0694-A181-4055-82DE-5267DABDDEE6}.exe	123
PID 3392 wrote to memory of 5068	3392	{63DF0694-A181-4055-82DE-5267DABDDEE6}.exe	123
PID 3392 wrote to memory of 5068	3392	{63DF0694-A181-4055-82DE-5267DABDDEE6}.exe	123
PID 3392 wrote to memory of 2804	3392	{63DF0694-A181-4055-82DE-5267DABDDEE6}.exe	124

C:\Users\Admin\AppData\Local\Temp\2024-05-05_77c616e1c8e25a4c9234a851fabd7fb6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-05_77c616e1c8e25a4c9234a851fabd7fb6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\{688B62DA-B946-4335-AFED-C722FE877BBA}.exe
  C:\Windows\{688B62DA-B946-4335-AFED-C722FE877BBA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe
    C:\Windows\{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe
      C:\Windows\{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4092
    - - C:\Windows\{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe
        
        C:\Windows\{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe
        
        C:\Windows\{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe
        
        C:\Windows\{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe
        
        C:\Windows\{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe
        
        C:\Windows\{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe
        
        C:\Windows\{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\{63DF0694-A181-4055-82DE-5267DABDDEE6}.exe
        
        C:\Windows\{63DF0694-A181-4055-82DE-5267DABDDEE6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\{9CA46B4B-E38F-4c63-8C9A-AB360D6B4819}.exe
        
        C:\Windows\{9CA46B4B-E38F-4c63-8C9A-AB360D6B4819}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
        
        C:\Windows\{CDB637FE-F0D6-4751-AB2D-071A3722CC06}.exe
        
        C:\Windows\{CDB637FE-F0D6-4751-AB2D-071A3722CC06}.exe
        13⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CA46~1.EXE > nul
        13⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63DF0~1.EXE > nul
        12⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCA8D~1.EXE > nul
        11⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2FD5~1.EXE > nul
        10⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B72E0~1.EXE > nul
        9⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B1B8~1.EXE > nul
        8⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F938~1.EXE > nul
        7⤵
        
        PID:4392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09E68~1.EXE > nul
        6⤵
        
        PID:4312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A511F~1.EXE > nul
        5⤵
        
        PID:4252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A566C~1.EXE > nul
      4⤵
      PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{688B6~1.EXE > nul
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09E686C4-5F2A-4022-B46F-3DAA210BA3EE}.exe

Filesize
216KB

MD5
b47eb0114837193374683473424f8c25

SHA1
0aa5cf5456b24e99a13b7269c3b628ac95b13e38

SHA256
598204b8ff9d178785d0fb20ff3cce42601a951930b3ebc0ebf05c07623ec350

SHA512
f96e1062de40acea259d5878297451c638b7facf4c84333b359fe98bf6ee32600e4790b2e24144fb3f931a03c52a78dd04d4c3978b090e960bca70282f3aa5bf

Download Submit
C:\Windows\{0B1B8284-8881-4d93-9F00-6D22BE2DA443}.exe

Filesize
216KB

MD5
3d8ad5fb707a9f77b5867f35653c1d84

SHA1
51034cae6ddd36a1996943ec46fc752c00c29e36

SHA256
e0646b614ac4febf17832ebf4b998ae7c41afabb888364ea8d338ca6d760dc00

SHA512
974527d7d62a765bd8b3127264aee230bc76f56bdd4a43a26dcd70c99852fea18012da5433d37f2b611dd90248908997ab41091ce88d307db9bd55043c446a0c

Download Submit
C:\Windows\{5F938211-C0D6-4efb-9235-1700CB154E8F}.exe

Filesize
216KB

MD5
d63fd0388198dab3837abe0fe22bbfc7

SHA1
f89dffeb051b04704293b7e37e50dbf1325454ad

SHA256
1c1e982d894b79f8a2ae2810e2f24717b627f6d5075b3e12e3d27a26c383d228

SHA512
1f16ea33de6bdeb3bbeedb11718dca058ffad9cfd94e5973021157487d8af567c0f2c0fa079ac803e2320f5549984f008ad115683917bb93afcef96a2aec2820

Download Submit
C:\Windows\{63DF0694-A181-4055-82DE-5267DABDDEE6}.exe

Filesize
216KB

MD5
7e77cb9eca1899fe81a0b3a6f7afe979

SHA1
b633d6a5fcc6e6dabcf44919cef9d26c759ac9f2

SHA256
1c55d8ccd817c45c2dd85351863d34addff7792082d81746c84c47625086b936

SHA512
fa61d6649a87a076025e83dd656c5aacc3dd2d06c4cf99dd63949cf9f9302909773dadd213760f970f1c129930b905d4a065376b3a2983a9bb8c0f9bedabbb83

Download Submit
C:\Windows\{688B62DA-B946-4335-AFED-C722FE877BBA}.exe

Filesize
216KB

MD5
d1b618cf7d62bf42f55953b5732019d4

SHA1
870f1db46083167c062350ee91cb0abee9791a7f

SHA256
b3bfb54f6ef09c833c2c04447f4bac02527245d0452110c3a840a2d8b97f7302

SHA512
2280f79a8fecebb54446b7ece3122f0201850f68e9c5573645d637f39836716a6932075cde2456d8f92943e73694062c90f44ba2275d19b8b79c402276df8840

Download Submit
C:\Windows\{9CA46B4B-E38F-4c63-8C9A-AB360D6B4819}.exe

Filesize
216KB

MD5
f13d415a7a49f6e4cb84020e4a4869c6

SHA1
ad2be98c6971951723e21ca207964ce82a140e40

SHA256
53f4179c656efe3adeafe1282387e624d4b54aec095155eb2a646d8fb5097a04

SHA512
598950a9d2aaa6adf061dc6756b03c8db9ab026df8893a73d87a9e1fff567564706046dfc56f2975f58bcceb06e8a73b13825ae35da75f2a80e50cbefd8d98c9

Download Submit
C:\Windows\{A511FADB-9BCB-4e6e-B957-7E86916DEB0C}.exe

Filesize
216KB

MD5
50e9f5b5b7fa20752d7d8d5b1ec82b70

SHA1
c2fbdc9110b832f9fe95ae72c636a25270549579

SHA256
7b6ee733a6b5c3685506826d11cfc65923c06efa81f59cb415f4793a6002bf76

SHA512
362d4816dd9f2c13ef48be00db2dba46c6608072934c9d804aada4e9c01ec0463809c0b31fcc949d1d1b26873a69535a3c98260cf9bee538b98fbafcb90bf311

Download Submit
C:\Windows\{A566C8B8-3668-4f52-BDD9-BBE0A6B4BAB4}.exe

Filesize
216KB

MD5
689785c0c6cae4448545c214d7d7c6d4

SHA1
8ca84a3d78a32b78d869756a54ff7ebcb0b29d47

SHA256
876bfab5c34d12ccab9247aeefb19898697b45eb7918a8a1a0ffaceb1f778dea

SHA512
1d778ba2dbdcbbc1285064e4a134bdadfc4d77cdfb266c64eaca1ad3218cf5df49473031a8c50a7b001d7164d84332c7eb7a1292425f596bb891f111e37fc8f1

Download Submit
C:\Windows\{B72E0311-DBC5-431d-81EF-9D895B93F9B5}.exe

Filesize
216KB

MD5
b09f3b8d3cbf0fc999521e2eb6f8f9b1

SHA1
8ddeccf87358e125bcf2de491e24d002abdd510a

SHA256
bfc12b415501ec6573e29a8e985b8470273e48ed308c25d51f64da8876b43ea3

SHA512
6db1bdfe72b7511fb2fe5243557becf902ff17a5e1835e7bb6cb7b78e7e8d5df44de4d6a67ee1ad1ee4cf0c65ecb6c44e5d62422368715305118266c3abfa08d

Download Submit
C:\Windows\{CDB637FE-F0D6-4751-AB2D-071A3722CC06}.exe

Filesize
216KB

MD5
dc00338caf1f4f2d0f7bf972bd11240d

SHA1
bc7325bb69f06b084d12d61380c5d3bef063faac

SHA256
375488645866eb4d3011955b4ea7320b71947511a1e908089de823567b2847f0

SHA512
91f23bec8a887a1b104657390cc960316e3733b3fd9b106af735cdeacb8ce37a4776d29d1a5ff664c3f911f19f6c367ffa9ffb442b396402b3697c6a8d006bd0

Download Submit
C:\Windows\{D2FD5F80-D308-4dfa-B151-CDED30E56A01}.exe

Filesize
216KB

MD5
68e9042d09b5c73e7151d483da92de30

SHA1
3c6afc70332616685969ca971a06fff463cd6b61

SHA256
d92d72e5bef3c309fbe22c7835869e919f7ab4b2f946e26882ed45d029ab3729

SHA512
088d09008952016b7b11d745beef28399da565f9c6ab76fa702a14386d65091bb6ff5d54d935fe140eca50204c29f073ea6000086c10f70c0ef9b5f1d9b7abe0

Download Submit
C:\Windows\{DCA8D1EE-78D2-4437-92BA-886057C3CA9B}.exe

Filesize
216KB

MD5
5626f20bb402d3b4c4cfb7293d90282e

SHA1
503ef24ea928cab36dc1822c65f248262c08b027

SHA256
8d4c0cdd7b762d842fc9bfe33c680fa18622dc92e2700dcac36b9eddfd5e5a94

SHA512
0861bd902cd3c7ddce7af9cfd7b5659795f03360e6b6f92eb331accc9072f7c181b83f4f604e47d94eb6afd0fab17921dd98de63b3d4218bf115fe27b1bc2eb3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads