742d44c132a4b39a77370733b4c1e8a8879f9fe8c9b3e2ea518e80176844db55

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-07_ab4080cb965a44797266c15be64fa006_goldeneye.exe
Size

408KB
MD5

ab4080cb965a44797266c15be64fa006
SHA1

f583cf901490ec282a2c228ad1ca1bf23112cec7
SHA256

742d44c132a4b39a77370733b4c1e8a8879f9fe8c9b3e2ea518e80176844db55
SHA512

9e76797d1ae800abdf0be726b1e6db4b0ace47fdc329d256eaf0b9fceb12b4e57f047f46b7d8652474e260398a3f63a5f57a47b6bf48aad6ea9cd89de69f5a97
SSDEEP

3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGzldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233fd-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000233f2-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000021f67-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000233f2-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000021f67-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00160000000233f2-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000021f67-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022fca-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022e34-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022fca-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022e34-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000226ef-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5730B7F-AB33-4e04-8630-949671D5F668}\stubpath = "C:\\Windows\\{C5730B7F-AB33-4e04-8630-949671D5F668}.exe"	{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}	{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}	{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}	{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D817B34-C8C0-4aa5-9611-257C629A49BB}\stubpath = "C:\\Windows\\{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe"	{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}\stubpath = "C:\\Windows\\{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe"	{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}	{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5730B7F-AB33-4e04-8630-949671D5F668}	{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63A88045-F544-421f-BD33-6340AC6CFE76}\stubpath = "C:\\Windows\\{63A88045-F544-421f-BD33-6340AC6CFE76}.exe"	{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}	2024-05-07_ab4080cb965a44797266c15be64fa006_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}\stubpath = "C:\\Windows\\{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe"	2024-05-07_ab4080cb965a44797266c15be64fa006_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}	{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}\stubpath = "C:\\Windows\\{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe"	{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D817B34-C8C0-4aa5-9611-257C629A49BB}	{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63A88045-F544-421f-BD33-6340AC6CFE76}	{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}\stubpath = "C:\\Windows\\{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe"	{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}\stubpath = "C:\\Windows\\{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe"	{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{195B7DCF-A373-4f21-9355-A1A179EFA092}	{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{195B7DCF-A373-4f21-9355-A1A179EFA092}\stubpath = "C:\\Windows\\{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe"	{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}\stubpath = "C:\\Windows\\{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}.exe"	{C5730B7F-AB33-4e04-8630-949671D5F668}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}\stubpath = "C:\\Windows\\{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe"	{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}	{C5730B7F-AB33-4e04-8630-949671D5F668}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92DD26C1-8AE3-4312-A809-D44A2CB66347}	{63A88045-F544-421f-BD33-6340AC6CFE76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92DD26C1-8AE3-4312-A809-D44A2CB66347}\stubpath = "C:\\Windows\\{92DD26C1-8AE3-4312-A809-D44A2CB66347}.exe"	{63A88045-F544-421f-BD33-6340AC6CFE76}.exe

Executes dropped EXE 12 IoCs

pid	Process
4940	{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe
4144	{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe
2088	{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe
1248	{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe
2804	{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe
1804	{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe
5104	{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe
412	{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe
3496	{C5730B7F-AB33-4e04-8630-949671D5F668}.exe
2940	{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}.exe
3484	{63A88045-F544-421f-BD33-6340AC6CFE76}.exe
4376	{92DD26C1-8AE3-4312-A809-D44A2CB66347}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe	{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe
File created	C:\Windows\{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe	{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe
File created	C:\Windows\{C5730B7F-AB33-4e04-8630-949671D5F668}.exe	{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe
File created	C:\Windows\{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}.exe	{C5730B7F-AB33-4e04-8630-949671D5F668}.exe
File created	C:\Windows\{92DD26C1-8AE3-4312-A809-D44A2CB66347}.exe	{63A88045-F544-421f-BD33-6340AC6CFE76}.exe
File created	C:\Windows\{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe	2024-05-07_ab4080cb965a44797266c15be64fa006_goldeneye.exe
File created	C:\Windows\{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe	{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe
File created	C:\Windows\{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe	{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe
File created	C:\Windows\{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe	{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe
File created	C:\Windows\{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe	{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe
File created	C:\Windows\{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe	{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe
File created	C:\Windows\{63A88045-F544-421f-BD33-6340AC6CFE76}.exe	{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1620	2024-05-07_ab4080cb965a44797266c15be64fa006_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4940	{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe
Token: SeIncBasePriorityPrivilege	4144	{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe
Token: SeIncBasePriorityPrivilege	2088	{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe
Token: SeIncBasePriorityPrivilege	1248	{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe
Token: SeIncBasePriorityPrivilege	2804	{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe
Token: SeIncBasePriorityPrivilege	1804	{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe
Token: SeIncBasePriorityPrivilege	5104	{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe
Token: SeIncBasePriorityPrivilege	412	{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe
Token: SeIncBasePriorityPrivilege	3496	{C5730B7F-AB33-4e04-8630-949671D5F668}.exe
Token: SeIncBasePriorityPrivilege	2940	{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}.exe
Token: SeIncBasePriorityPrivilege	3484	{63A88045-F544-421f-BD33-6340AC6CFE76}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 4940	1620	2024-05-07_ab4080cb965a44797266c15be64fa006_goldeneye.exe	93
PID 1620 wrote to memory of 4940	1620	2024-05-07_ab4080cb965a44797266c15be64fa006_goldeneye.exe	93
PID 1620 wrote to memory of 4940	1620	2024-05-07_ab4080cb965a44797266c15be64fa006_goldeneye.exe	93
PID 1620 wrote to memory of 640	1620	2024-05-07_ab4080cb965a44797266c15be64fa006_goldeneye.exe	94
PID 1620 wrote to memory of 640	1620	2024-05-07_ab4080cb965a44797266c15be64fa006_goldeneye.exe	94
PID 1620 wrote to memory of 640	1620	2024-05-07_ab4080cb965a44797266c15be64fa006_goldeneye.exe	94
PID 4940 wrote to memory of 4144	4940	{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe	95
PID 4940 wrote to memory of 4144	4940	{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe	95
PID 4940 wrote to memory of 4144	4940	{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe	95
PID 4940 wrote to memory of 2256	4940	{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe	96
PID 4940 wrote to memory of 2256	4940	{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe	96
PID 4940 wrote to memory of 2256	4940	{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe	96
PID 4144 wrote to memory of 2088	4144	{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe	99
PID 4144 wrote to memory of 2088	4144	{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe	99
PID 4144 wrote to memory of 2088	4144	{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe	99
PID 4144 wrote to memory of 4444	4144	{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe	100
PID 4144 wrote to memory of 4444	4144	{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe	100
PID 4144 wrote to memory of 4444	4144	{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe	100
PID 2088 wrote to memory of 1248	2088	{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe	101
PID 2088 wrote to memory of 1248	2088	{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe	101
PID 2088 wrote to memory of 1248	2088	{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe	101
PID 2088 wrote to memory of 3088	2088	{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe	102
PID 2088 wrote to memory of 3088	2088	{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe	102
PID 2088 wrote to memory of 3088	2088	{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe	102
PID 1248 wrote to memory of 2804	1248	{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe	103
PID 1248 wrote to memory of 2804	1248	{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe	103
PID 1248 wrote to memory of 2804	1248	{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe	103
PID 1248 wrote to memory of 4380	1248	{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe	104
PID 1248 wrote to memory of 4380	1248	{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe	104
PID 1248 wrote to memory of 4380	1248	{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe	104
PID 2804 wrote to memory of 1804	2804	{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe	106
PID 2804 wrote to memory of 1804	2804	{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe	106
PID 2804 wrote to memory of 1804	2804	{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe	106
PID 2804 wrote to memory of 3792	2804	{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe	107
PID 2804 wrote to memory of 3792	2804	{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe	107
PID 2804 wrote to memory of 3792	2804	{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe	107
PID 1804 wrote to memory of 5104	1804	{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe	108
PID 1804 wrote to memory of 5104	1804	{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe	108
PID 1804 wrote to memory of 5104	1804	{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe	108
PID 1804 wrote to memory of 4216	1804	{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe	109
PID 1804 wrote to memory of 4216	1804	{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe	109
PID 1804 wrote to memory of 4216	1804	{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe	109
PID 5104 wrote to memory of 412	5104	{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe	112
PID 5104 wrote to memory of 412	5104	{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe	112
PID 5104 wrote to memory of 412	5104	{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe	112
PID 5104 wrote to memory of 4800	5104	{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe	113
PID 5104 wrote to memory of 4800	5104	{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe	113
PID 5104 wrote to memory of 4800	5104	{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe	113
PID 412 wrote to memory of 3496	412	{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe	119
PID 412 wrote to memory of 3496	412	{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe	119
PID 412 wrote to memory of 3496	412	{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe	119
PID 412 wrote to memory of 744	412	{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe	120
PID 412 wrote to memory of 744	412	{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe	120
PID 412 wrote to memory of 744	412	{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe	120
PID 3496 wrote to memory of 2940	3496	{C5730B7F-AB33-4e04-8630-949671D5F668}.exe	121
PID 3496 wrote to memory of 2940	3496	{C5730B7F-AB33-4e04-8630-949671D5F668}.exe	121
PID 3496 wrote to memory of 2940	3496	{C5730B7F-AB33-4e04-8630-949671D5F668}.exe	121
PID 3496 wrote to memory of 4808	3496	{C5730B7F-AB33-4e04-8630-949671D5F668}.exe	122
PID 3496 wrote to memory of 4808	3496	{C5730B7F-AB33-4e04-8630-949671D5F668}.exe	122
PID 3496 wrote to memory of 4808	3496	{C5730B7F-AB33-4e04-8630-949671D5F668}.exe	122
PID 2940 wrote to memory of 3484	2940	{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}.exe	123
PID 2940 wrote to memory of 3484	2940	{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}.exe	123
PID 2940 wrote to memory of 3484	2940	{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}.exe	123
PID 2940 wrote to memory of 2220	2940	{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}.exe	124

C:\Users\Admin\AppData\Local\Temp\2024-05-07_ab4080cb965a44797266c15be64fa006_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-07_ab4080cb965a44797266c15be64fa006_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe
  C:\Windows\{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe
    C:\Windows\{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe
      C:\Windows\{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe
        
        C:\Windows\{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
      - C:\Windows\{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe
        
        C:\Windows\{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe
        
        C:\Windows\{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe
        
        C:\Windows\{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe
        
        C:\Windows\{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\{C5730B7F-AB33-4e04-8630-949671D5F668}.exe
        
        C:\Windows\{C5730B7F-AB33-4e04-8630-949671D5F668}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}.exe
        
        C:\Windows\{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{63A88045-F544-421f-BD33-6340AC6CFE76}.exe
        
        C:\Windows\{63A88045-F544-421f-BD33-6340AC6CFE76}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
        
        C:\Windows\{92DD26C1-8AE3-4312-A809-D44A2CB66347}.exe
        
        C:\Windows\{92DD26C1-8AE3-4312-A809-D44A2CB66347}.exe
        13⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63A88~1.EXE > nul
        13⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5DBD~1.EXE > nul
        12⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5730~1.EXE > nul
        11⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9DB8~1.EXE > nul
        10⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D817~1.EXE > nul
        9⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{195B7~1.EXE > nul
        8⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F9C0~1.EXE > nul
        7⤵
        
        PID:3792
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F25B9~1.EXE > nul
        6⤵
        
        PID:4380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F997~1.EXE > nul
        5⤵
        
        PID:3088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D3C85~1.EXE > nul
      4⤵
      PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6D63A~1.EXE > nul
    3⤵
    PID:2256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{195B7DCF-A373-4f21-9355-A1A179EFA092}.exe

Filesize
408KB

MD5
3e2c3068a4ceff21804f5fd374d4e491

SHA1
60518480504015b02c2115b1717b5cb7daeedc21

SHA256
aeca819f4110784747b44406344b1e415ec3d5b2945cd956a6daa65ef0aedc3e

SHA512
f2f65abf13075f7a7a8b5381ce5b060bac8fa522dfd09b0448033a075bab4a90ef50f021f41ec7e186f9bd1e451effbdf674f49b9540f6f1b0ce2ce038fff739

Download Submit
C:\Windows\{63A88045-F544-421f-BD33-6340AC6CFE76}.exe

Filesize
408KB

MD5
5da8ab09975f5549e71a219d8f8a7ac0

SHA1
4fa4d1d6c4e7716f103570a4aa8f9901d21f8861

SHA256
b1b694436c143f0564410fe833ffa7cc6d09ae77130468b2abe55acf0081ecaf

SHA512
0c804b9b862092b2865cc2afd3c3b069924fa85083bb6d3fa7d79b115b23cc7e000d650045c6619b9a1fd21d4dd578fda0930636a2c892ba9626de21f79c5dd8

Download Submit
C:\Windows\{6D63AD1A-3749-494d-8EE2-57C63ED85BCD}.exe

Filesize
408KB

MD5
b93884d89e1e619f77c83c0e5421c729

SHA1
0e5ba872d891cb10398fca3fd306d82339a41aae

SHA256
fbbd3488f5628fbe37ae31d5263af85d1d1744a3cc36683eba23025daf997343

SHA512
c22ec3fd24a003ef31a471af73805336aa5f4c6bdcb0d69c7eadf634ad9c35e18e97be4e07712c78eb4f0b1726ec8668e01dcf4ef5ac1750d99bd62e4d51036a

Download Submit
C:\Windows\{7D817B34-C8C0-4aa5-9611-257C629A49BB}.exe

Filesize
408KB

MD5
fd95c45097a84416f70525521f0fc668

SHA1
6e0f1b44fa8f16061896977c3b210d5ecae72d96

SHA256
e33437619c898c3fe9dfcc8d613a790b041d915e5149295183ed8b48b11ea64e

SHA512
aa8a3acf38f8786799857fd063cfef06b321501470173057baa518369d75acd28b16459f3814bc047b5fe11ea731ace79c75321ec43f0dd576a6abc1dca6516e

Download Submit
C:\Windows\{8F9C0B4E-9637-4315-BA77-46B3ABDBC95C}.exe

Filesize
408KB

MD5
c6cbdf49b5f95211e42e38ed68fe2cf6

SHA1
2a97ec62babcd718073124ab93418e55c4551071

SHA256
8e54286536a612f46d2256740e1d2d5c836548e270d47abbef4081ffbfd2ef23

SHA512
5df85a068d8455b5071fdd4f368e79750a964e51ef91aba080e29754ec9057c6a147e013063c426177a336c28242492f0fb08839709fdceae03ebcaa84f60353

Download Submit
C:\Windows\{92DD26C1-8AE3-4312-A809-D44A2CB66347}.exe

Filesize
408KB

MD5
a880ce3b45bc69545809db03f5634744

SHA1
9909aea1dafdee152787e3407a9c7981fcf7498a

SHA256
9bb0d54a027ab4de9fb8d03e3424f61011a22b851ded5f780bb68970d0119ac2

SHA512
5b75e20ecbb743faf2df6a9aea24c1798887970f69a13664cd054b942360af61294b826b000b20d9344e61241a97e28f487de87181b3160baab76892ba8a94b2

Download Submit
C:\Windows\{9F997DD9-0DFF-4cb0-A0BD-F0ABD251D565}.exe

Filesize
408KB

MD5
4e36b3df8cdfb0adbbf338f7d823c49f

SHA1
747ba7a44807b35b033110b4b6d02f00e5da497f

SHA256
54643be91cdc31eb4ed60f7e5d57a51d2ba5c5700f5cd914011c34f442e5028b

SHA512
f2091d8743edd25d5d56c1c1c805a6b9d2372db5c5027cd36bf907d17a7fea475e6f148f92973798e3a3a93ca7d1f29daa99df789493b4597deff7205ceae617

Download Submit
C:\Windows\{A9DB8FB0-40D1-4ac9-AB21-150CA11A39E6}.exe

Filesize
408KB

MD5
70fc954395eb6af4369f781a00d0cb2d

SHA1
ef97d470b93af89a7affc5a526b776c1448db8bc

SHA256
e94fc9d88d47b59b49a16e2691a862ee73461ac23dc8b9aba383c05075c88cac

SHA512
c991700a8c35be224c5f0ce66299cf5e3114de6f7fd7879075e9a83f2ea4bef8f9f86d6fc64bf0f26df18b5942f4ce02cb2bf526c62595a7f3d7ceac73ea5206

Download Submit
C:\Windows\{B5DBD511-3C4A-42de-ABDE-F60A71ED4B4C}.exe

Filesize
408KB

MD5
34050b1d4f080e1137a62aa6e29a101a

SHA1
6ac929a19bb10e847470cf157c51b2ed7b02e3b3

SHA256
55646f1a73a7c54fdb243277d44f5ad6d6de336f682e8e1a1f6ce1d57cac8aae

SHA512
ff243269e94712c6769e5f5e61440b33fa18bcb26499bbdcd0a7a4f2c478154b1eda73fa1626b886c80bd36c90693283e1c50d11b350e0462c9ccf3cd1b0de49

Download Submit
C:\Windows\{C5730B7F-AB33-4e04-8630-949671D5F668}.exe

Filesize
408KB

MD5
e816a9cadab7b55583def0becc7dd716

SHA1
81e621a1850b3ec17749feec8e9d7ff2ad950d14

SHA256
9526e685d74f124b097382b25a2a75ea8caf9227e5d18deba13eea30eac6b3ed

SHA512
9483cae9bb05d9127aa6a04003f592d5fd35f499fab3e4f6b70066f49c3c25809e685657dc29fd625904e52ccb66f98d964409fa6411e63d1d10e53041a8ea58

Download Submit
C:\Windows\{D3C85DA4-CF5B-4530-A3E7-ABB541C9F533}.exe

Filesize
408KB

MD5
d1bbdc05042ecd90d7d59fdfabcc29ce

SHA1
e45623964068a8c927a3e84e767c009b0c004882

SHA256
6a515d30c7e5e826c0f349905d277e7762c35b99498ba055377c53aef42bd51a

SHA512
5600d2b7ef0edf523c56781e3f3dd5d0e0446d69c0abb17c8f7418845757c282effee6522bb5f98677220b0353d9dfb20d59a4b66ec979c8ac8cc39d349b2b2a

Download Submit
C:\Windows\{F25B9DCF-6BDF-4cd8-9F65-B5EF1587B3EB}.exe

Filesize
408KB

MD5
ce9e9a3545a56572fbea136ba476e7fe

SHA1
9bdb0b28030f7855bb85fb38c49626d8f11e5a90

SHA256
79318d4b42995d0b0065e8ea0ae2a43df4ab790d9da692994885d11a702dd865

SHA512
2657d496ba986a052871cfccc74cef4eb996486b264b932279a75b237627dfb6eafcd597408f6136957f3e5081cde812ff9c867b7e0273725e51b207ab935c3f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads