67d22dc5956a887ec721c2ae246813a1aa94388ddcf79a722fbb2332828ceabb

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 11:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-09_237f2e8ad64b1e29f6843cbefb76feed_goldeneye.exe
Size

344KB
MD5

237f2e8ad64b1e29f6843cbefb76feed
SHA1

e670afe81f59298e425c6be8eabfba6211779358
SHA256

67d22dc5956a887ec721c2ae246813a1aa94388ddcf79a722fbb2332828ceabb
SHA512

4315c0b5c4a74657ffc97be49ad25d650c8ae55b17ea5307ec06f18060eb117d85f69f3cf16dfdb7402628e7b6cf1612b3527d61cd2b830a5d8cd594768c11e8
SSDEEP

3072:mEGh0oKlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGklqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000500000002326f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233d0-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233d7-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233d0-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233d7-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233d0-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233d7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233d0-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233d7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233d0-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233d7-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233d0-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74FF7486-22B5-4b3f-9501-87B99F4ED399}\stubpath = "C:\\Windows\\{74FF7486-22B5-4b3f-9501-87B99F4ED399}.exe"	{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76F13FE0-0570-4421-9CAB-2E1DF6331622}	{74FF7486-22B5-4b3f-9501-87B99F4ED399}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76F13FE0-0570-4421-9CAB-2E1DF6331622}\stubpath = "C:\\Windows\\{76F13FE0-0570-4421-9CAB-2E1DF6331622}.exe"	{74FF7486-22B5-4b3f-9501-87B99F4ED399}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}\stubpath = "C:\\Windows\\{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe"	{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1FADFDE-A1FE-4766-9638-43E3126425A2}	{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}	{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74FF7486-22B5-4b3f-9501-87B99F4ED399}	{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93F5EC56-F359-45cd-91EB-5CFDA4129B53}	{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93F5EC56-F359-45cd-91EB-5CFDA4129B53}\stubpath = "C:\\Windows\\{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe"	{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}\stubpath = "C:\\Windows\\{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}.exe"	{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1257190-7363-4844-85CC-1055DF2E5DE3}\stubpath = "C:\\Windows\\{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe"	2024-05-09_237f2e8ad64b1e29f6843cbefb76feed_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}	{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}\stubpath = "C:\\Windows\\{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe"	{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}	{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}\stubpath = "C:\\Windows\\{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe"	{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8462E3D3-A96B-4058-8B55-3A9E10818E86}\stubpath = "C:\\Windows\\{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe"	{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1257190-7363-4844-85CC-1055DF2E5DE3}	2024-05-09_237f2e8ad64b1e29f6843cbefb76feed_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}	{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F48508C2-CE59-4103-B283-E7ABE3B90A02}\stubpath = "C:\\Windows\\{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe"	{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}\stubpath = "C:\\Windows\\{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe"	{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F48508C2-CE59-4103-B283-E7ABE3B90A02}	{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1FADFDE-A1FE-4766-9638-43E3126425A2}\stubpath = "C:\\Windows\\{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe"	{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8462E3D3-A96B-4058-8B55-3A9E10818E86}	{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}	{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe

Executes dropped EXE 12 IoCs

pid	Process
1004	{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe
4756	{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe
4784	{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe
1036	{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe
1464	{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe
1324	{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe
4556	{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe
4044	{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe
3544	{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe
5040	{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}.exe
1480	{74FF7486-22B5-4b3f-9501-87B99F4ED399}.exe
3772	{76F13FE0-0570-4421-9CAB-2E1DF6331622}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe	{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe
File created	C:\Windows\{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe	{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe
File created	C:\Windows\{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe	{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe
File created	C:\Windows\{74FF7486-22B5-4b3f-9501-87B99F4ED399}.exe	{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}.exe
File created	C:\Windows\{76F13FE0-0570-4421-9CAB-2E1DF6331622}.exe	{74FF7486-22B5-4b3f-9501-87B99F4ED399}.exe
File created	C:\Windows\{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe	2024-05-09_237f2e8ad64b1e29f6843cbefb76feed_goldeneye.exe
File created	C:\Windows\{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe	{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe
File created	C:\Windows\{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe	{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe
File created	C:\Windows\{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}.exe	{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe
File created	C:\Windows\{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe	{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe
File created	C:\Windows\{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe	{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe
File created	C:\Windows\{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe	{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2684	2024-05-09_237f2e8ad64b1e29f6843cbefb76feed_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1004	{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe
Token: SeIncBasePriorityPrivilege	4756	{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe
Token: SeIncBasePriorityPrivilege	4784	{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe
Token: SeIncBasePriorityPrivilege	1036	{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe
Token: SeIncBasePriorityPrivilege	1464	{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe
Token: SeIncBasePriorityPrivilege	1324	{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe
Token: SeIncBasePriorityPrivilege	4556	{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe
Token: SeIncBasePriorityPrivilege	4044	{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe
Token: SeIncBasePriorityPrivilege	3544	{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe
Token: SeIncBasePriorityPrivilege	5040	{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}.exe
Token: SeIncBasePriorityPrivilege	1480	{74FF7486-22B5-4b3f-9501-87B99F4ED399}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 1004	2684	2024-05-09_237f2e8ad64b1e29f6843cbefb76feed_goldeneye.exe	79
PID 2684 wrote to memory of 1004	2684	2024-05-09_237f2e8ad64b1e29f6843cbefb76feed_goldeneye.exe	79
PID 2684 wrote to memory of 1004	2684	2024-05-09_237f2e8ad64b1e29f6843cbefb76feed_goldeneye.exe	79
PID 2684 wrote to memory of 4532	2684	2024-05-09_237f2e8ad64b1e29f6843cbefb76feed_goldeneye.exe	80
PID 2684 wrote to memory of 4532	2684	2024-05-09_237f2e8ad64b1e29f6843cbefb76feed_goldeneye.exe	80
PID 2684 wrote to memory of 4532	2684	2024-05-09_237f2e8ad64b1e29f6843cbefb76feed_goldeneye.exe	80
PID 1004 wrote to memory of 4756	1004	{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe	81
PID 1004 wrote to memory of 4756	1004	{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe	81
PID 1004 wrote to memory of 4756	1004	{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe	81
PID 1004 wrote to memory of 3464	1004	{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe	82
PID 1004 wrote to memory of 3464	1004	{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe	82
PID 1004 wrote to memory of 3464	1004	{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe	82
PID 4756 wrote to memory of 4784	4756	{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe	85
PID 4756 wrote to memory of 4784	4756	{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe	85
PID 4756 wrote to memory of 4784	4756	{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe	85
PID 4756 wrote to memory of 2148	4756	{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe	86
PID 4756 wrote to memory of 2148	4756	{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe	86
PID 4756 wrote to memory of 2148	4756	{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe	86
PID 4784 wrote to memory of 1036	4784	{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe	87
PID 4784 wrote to memory of 1036	4784	{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe	87
PID 4784 wrote to memory of 1036	4784	{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe	87
PID 4784 wrote to memory of 3756	4784	{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe	88
PID 4784 wrote to memory of 3756	4784	{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe	88
PID 4784 wrote to memory of 3756	4784	{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe	88
PID 1036 wrote to memory of 1464	1036	{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe	89
PID 1036 wrote to memory of 1464	1036	{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe	89
PID 1036 wrote to memory of 1464	1036	{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe	89
PID 1036 wrote to memory of 2356	1036	{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe	90
PID 1036 wrote to memory of 2356	1036	{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe	90
PID 1036 wrote to memory of 2356	1036	{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe	90
PID 1464 wrote to memory of 1324	1464	{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe	91
PID 1464 wrote to memory of 1324	1464	{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe	91
PID 1464 wrote to memory of 1324	1464	{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe	91
PID 1464 wrote to memory of 32	1464	{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe	92
PID 1464 wrote to memory of 32	1464	{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe	92
PID 1464 wrote to memory of 32	1464	{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe	92
PID 1324 wrote to memory of 4556	1324	{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe	93
PID 1324 wrote to memory of 4556	1324	{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe	93
PID 1324 wrote to memory of 4556	1324	{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe	93
PID 1324 wrote to memory of 5092	1324	{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe	94
PID 1324 wrote to memory of 5092	1324	{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe	94
PID 1324 wrote to memory of 5092	1324	{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe	94
PID 4556 wrote to memory of 4044	4556	{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe	95
PID 4556 wrote to memory of 4044	4556	{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe	95
PID 4556 wrote to memory of 4044	4556	{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe	95
PID 4556 wrote to memory of 1512	4556	{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe	96
PID 4556 wrote to memory of 1512	4556	{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe	96
PID 4556 wrote to memory of 1512	4556	{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe	96
PID 4044 wrote to memory of 3544	4044	{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe	97
PID 4044 wrote to memory of 3544	4044	{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe	97
PID 4044 wrote to memory of 3544	4044	{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe	97
PID 4044 wrote to memory of 4868	4044	{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe	98
PID 4044 wrote to memory of 4868	4044	{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe	98
PID 4044 wrote to memory of 4868	4044	{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe	98
PID 3544 wrote to memory of 5040	3544	{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe	99
PID 3544 wrote to memory of 5040	3544	{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe	99
PID 3544 wrote to memory of 5040	3544	{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe	99
PID 3544 wrote to memory of 3584	3544	{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe	100
PID 3544 wrote to memory of 3584	3544	{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe	100
PID 3544 wrote to memory of 3584	3544	{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe	100
PID 5040 wrote to memory of 1480	5040	{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}.exe	101
PID 5040 wrote to memory of 1480	5040	{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}.exe	101
PID 5040 wrote to memory of 1480	5040	{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}.exe	101
PID 5040 wrote to memory of 2712	5040	{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}.exe	102

C:\Users\Admin\AppData\Local\Temp\2024-05-09_237f2e8ad64b1e29f6843cbefb76feed_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-09_237f2e8ad64b1e29f6843cbefb76feed_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe
  C:\Windows\{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe
    C:\Windows\{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe
      C:\Windows\{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Windows\{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe
        
        C:\Windows\{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe
        
        C:\Windows\{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe
        
        C:\Windows\{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe
        
        C:\Windows\{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe
        
        C:\Windows\{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe
        
        C:\Windows\{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}.exe
        
        C:\Windows\{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\{74FF7486-22B5-4b3f-9501-87B99F4ED399}.exe
        
        C:\Windows\{74FF7486-22B5-4b3f-9501-87B99F4ED399}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\{76F13FE0-0570-4421-9CAB-2E1DF6331622}.exe
        
        C:\Windows\{76F13FE0-0570-4421-9CAB-2E1DF6331622}.exe
        13⤵
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74FF7~1.EXE > nul
        13⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6612~1.EXE > nul
        12⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93F5E~1.EXE > nul
        11⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8462E~1.EXE > nul
        10⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A45C6~1.EXE > nul
        9⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89AD7~1.EXE > nul
        8⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1FAD~1.EXE > nul
        7⤵
        
        PID:32
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4850~1.EXE > nul
        6⤵
        
        PID:2356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F08F~1.EXE > nul
        5⤵
        
        PID:3756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A2EAE~1.EXE > nul
      4⤵
      PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F1257~1.EXE > nul
    3⤵
    PID:3464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F08F0CB-4E57-49af-BB77-64D99FE0CF99}.exe

Filesize
344KB

MD5
c3d9e9ed270c0576fd98d83dfe857cf1

SHA1
0d7720b8b459faef911dc077e58227e0d57dc131

SHA256
ac5b8c1d91e45a724c1b99e1467201ca479f51cf2353253c7f5bc91bc8df7277

SHA512
1b233f0d2693c9eea30ca63ad5a5d64a9a4b4a9a839157b2d8d98d6a84abf1164548cd87589cc98c3f8dbcaccd35e8437050bfce634197b99244f72abe63c921

Download Submit
C:\Windows\{74FF7486-22B5-4b3f-9501-87B99F4ED399}.exe

Filesize
344KB

MD5
eb3358e38c744c7548a84e42b1f3b0fe

SHA1
33448ada33eaff0e83f6baf564a90c938acfe656

SHA256
ebafddf084b6d7fa396511d3df430b954957eba931b4438f4fe4efa61d5880f8

SHA512
6d818841ab8b307246e1fbd15bf7b5613316d2c8de2735800f998850bb31a83ea046cfd7c12f49362eb7a3688eba33a818dc3776ff07aaea7c5051f525b5f76a

Download Submit
C:\Windows\{76F13FE0-0570-4421-9CAB-2E1DF6331622}.exe

Filesize
344KB

MD5
17a5fc7a24ed091868bf694eeb02e77d

SHA1
19bb1d31fcc1aff5b7bd4bb685a8042dc8b5a7cc

SHA256
97507afde94968dae00c8d07f1be559f6ac45bb5e0a75ab206eeed3dcc0b9d19

SHA512
bc006b47ef29f037fcb108296008a34501fcf5c305dc7543b42628c603b157b4e62520e2609e4fb580cb9335dbb68aa8811db1c57c7d1eb8156a8812e1a74ef9

Download Submit
C:\Windows\{8462E3D3-A96B-4058-8B55-3A9E10818E86}.exe

Filesize
344KB

MD5
01606324e21ae8e9ccaf160c9af1cda2

SHA1
32f41b6adc42c9a974981674d83b3b4ab0b132e5

SHA256
3f1e65998e0bfbd8a9873aaed2e64bb3050c880573634ae8f98e2c3da1230dec

SHA512
797b0aec53c22542b3f50fb39714635bd9c2cb38d2f9f1c78812040cd0f7340e1a9507add9ca8cbf85e6920a6db48a4f6ffbca12c03752f6e8010ed552398303

Download Submit
C:\Windows\{89AD74BE-6FF2-49a2-8CD1-CC0ACF2E13CD}.exe

Filesize
344KB

MD5
48a2a0bd969d13a10336de7688f93e47

SHA1
84f9f49d46afbaf0fc6c85d85166b0a8795bdcee

SHA256
bde5d442b8bdd43405a3c7c19bd3b497bfd2ce42c1a63b05be48bdb584d44390

SHA512
15ef632a74c094bc93d11d14c3e07feebd5a2a22d05994bc39d473589708953479d54fd957ed142b976371065ee4cb90a701b45bf9ace94c38f057f0ed83fecf

Download Submit
C:\Windows\{93F5EC56-F359-45cd-91EB-5CFDA4129B53}.exe

Filesize
344KB

MD5
3b51ee72615de0218fe28ef095746ddd

SHA1
c59fea265a9ec2a2d84c72cfebf2e6176b2ba88b

SHA256
83aa7215da844a45a56755fe0ddc890276be0bae946dd98eb49a76cfed2ab836

SHA512
971496bfd2cc6f6795023a14721a6dfaf8a358f23af9c56d6dd1f6a2000c18cc0d7ec3f07cba9355d2ebc182abe45d5e9271b522a18b8c1a1478144c504ce320

Download Submit
C:\Windows\{A2EAEA9A-811D-46b5-B51F-D691C8A23A64}.exe

Filesize
344KB

MD5
74ec3dcc887e20c518a64b64a3d79888

SHA1
5e485722992f94e20a310d1462e72c71e7395a7f

SHA256
022752274fe0b969ae92ad8f552f9e998191ee8ce5355278fa956831bec61006

SHA512
dec635a726d1c6d498be6409510a2f76fed26cdbe6059d74d53bb509caed76fd78c8f1c73210f63d0afd89271d0e9c9256bc1aceb6ccf56ffc26966bc612689f

Download Submit
C:\Windows\{A45C60D2-098C-4a18-955B-1D0E0F89C6A5}.exe

Filesize
344KB

MD5
602cf223c6d92cc569a88b8fd610e390

SHA1
5854d87f6a6d81b7dcb202b05769d81a314d0076

SHA256
3e4779075c6d4539333ba4746f62cdcfa01986bad2830e319a5d04171ec7a135

SHA512
404a188d3fc3a99bfd14c576aadd1162e43cdca45cbbdf07093c8e6851b9608ebad21dc5bf0e67dc9e4e971dc5ef45ee2dbda7074d5fd3356e60b672c223f8d0

Download Submit
C:\Windows\{C1FADFDE-A1FE-4766-9638-43E3126425A2}.exe

Filesize
344KB

MD5
b2befc272872f9db9301c4379553be4f

SHA1
e5eb133355f7eef2a0526e4d95fcb8b270570fa8

SHA256
8062e6b469e0f21ce2560bc64d2dbb98476c6d82962a36c8a80f7bdf515ab18c

SHA512
11999057e11810f2c5c9b6df3039c2bc3f88f3252330a5f5f9bfbc40e40364944153d0feeea345104429ec96f8751dddc78dc66300a7dd0f947c49673d33f9bb

Download Submit
C:\Windows\{D6612AAD-74D9-4e7d-BC62-BE98CD4C5D88}.exe

Filesize
344KB

MD5
830cea50ee850b76e33fee147b308182

SHA1
90339f873f33f2ab9cd3ef1bdf7007c0643b616a

SHA256
ec87431fa376f9e132d34964e3d6467d9cdf45db2c1e0b8fb6ee4b485264bc7e

SHA512
ae5d436d489344892fb65393537c0ec0035c95d0263fb5d014913c5a96b2ee418e1a18e17f9df51786c9c961f02e6c23a07b7dc9a76673f472bcfcb71a1ccc70

Download Submit
C:\Windows\{F1257190-7363-4844-85CC-1055DF2E5DE3}.exe

Filesize
344KB

MD5
d26b0d4e9189ccf54b7a6fc447543d84

SHA1
97b32be090e1f7508dd78975fcc15c967d5bada8

SHA256
777f52186ae1f7c1e2a50c4183745d34f334b6fe4181d1cd8bc2dfadec71532f

SHA512
066409327822d5c11f949a4adf20ac0f57c6acebf3282edc956db41e454f38776ca2560d94d0924e6221f243ce233fa78cb9d1b8d52c71aa35650189bbc90e84

Download Submit
C:\Windows\{F48508C2-CE59-4103-B283-E7ABE3B90A02}.exe

Filesize
344KB

MD5
324b274bc135049227dc49e0f219c13e

SHA1
8d94e2254efd218ecf5ef50d73ad73c8d698261f

SHA256
ff17bc0390ffd92f15d883cdbb431ead81f2e7648dda8fc5d7a3ad08a7ebef86

SHA512
47819af49b1cd79eaee7fd31a2dd9c4699cc578945f2b7088d5dd276c4d4e5c0203870f35d9acbd065090a6bce80d050048c6fe7d5bf43039088bd9aebdd50f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads