d843e9f6b4cae0a85b216e0138d8d190e98d329b138e9d2719abfc501fd456e0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe
Size

344KB
MD5

594102273ce136c3eea9ab11c0ff1d4f
SHA1

828465de7de4a6963053c42588c1e3f019987958
SHA256

d843e9f6b4cae0a85b216e0138d8d190e98d329b138e9d2719abfc501fd456e0
SHA512

d654da8eb6eec82e1c7f09910c47243849bcbf1dc32b3a9bd708d49ea8be87101e02611d8f6887eec0e15c26a5a846bb250337f9f2537122cd642b5e99b4c1d4
SSDEEP

3072:mEGh0oOlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGklqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000e0000000006c5-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0016000000021f87-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002337b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002338a-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002338d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002338a-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002338d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002338a-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002338d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002338a-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002338d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002338a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}\stubpath = "C:\\Windows\\{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe"	{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C59F5163-2B90-4190-9DA4-E67496B2C6A1}\stubpath = "C:\\Windows\\{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe"	{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}\stubpath = "C:\\Windows\\{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe"	{643FD846-A38F-489f-A437-8FF04D13482B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE0E17D2-157D-483e-B046-DC6208646D06}\stubpath = "C:\\Windows\\{DE0E17D2-157D-483e-B046-DC6208646D06}.exe"	{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96608477-C3FF-4e44-93D5-AE4D973272B1}\stubpath = "C:\\Windows\\{96608477-C3FF-4e44-93D5-AE4D973272B1}.exe"	{DE0E17D2-157D-483e-B046-DC6208646D06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0C92AEC-1155-47cd-8085-19CEBE9B8056}	{FD9A0927-587A-441c-8692-201E51B0BC74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE0E17D2-157D-483e-B046-DC6208646D06}	{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}\stubpath = "C:\\Windows\\{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe"	{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C59F5163-2B90-4190-9DA4-E67496B2C6A1}	{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{643FD846-A38F-489f-A437-8FF04D13482B}	{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}\stubpath = "C:\\Windows\\{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe"	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}	{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}\stubpath = "C:\\Windows\\{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe"	{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD9A0927-587A-441c-8692-201E51B0BC74}\stubpath = "C:\\Windows\\{FD9A0927-587A-441c-8692-201E51B0BC74}.exe"	{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}	{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95DE92C8-4B34-4521-AC8C-7C2707055811}	{96608477-C3FF-4e44-93D5-AE4D973272B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95DE92C8-4B34-4521-AC8C-7C2707055811}\stubpath = "C:\\Windows\\{95DE92C8-4B34-4521-AC8C-7C2707055811}.exe"	{96608477-C3FF-4e44-93D5-AE4D973272B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}	{643FD846-A38F-489f-A437-8FF04D13482B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96608477-C3FF-4e44-93D5-AE4D973272B1}	{DE0E17D2-157D-483e-B046-DC6208646D06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}	{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD9A0927-587A-441c-8692-201E51B0BC74}	{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0C92AEC-1155-47cd-8085-19CEBE9B8056}\stubpath = "C:\\Windows\\{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe"	{FD9A0927-587A-441c-8692-201E51B0BC74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{643FD846-A38F-489f-A437-8FF04D13482B}\stubpath = "C:\\Windows\\{643FD846-A38F-489f-A437-8FF04D13482B}.exe"	{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe

Executes dropped EXE 12 IoCs

pid	Process
3528	{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe
3400	{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe
888	{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe
3940	{FD9A0927-587A-441c-8692-201E51B0BC74}.exe
4936	{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe
1208	{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe
2068	{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe
3136	{643FD846-A38F-489f-A437-8FF04D13482B}.exe
3424	{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe
4728	{DE0E17D2-157D-483e-B046-DC6208646D06}.exe
4880	{96608477-C3FF-4e44-93D5-AE4D973272B1}.exe
4308	{95DE92C8-4B34-4521-AC8C-7C2707055811}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{643FD846-A38F-489f-A437-8FF04D13482B}.exe	{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe
File created	C:\Windows\{DE0E17D2-157D-483e-B046-DC6208646D06}.exe	{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe
File created	C:\Windows\{96608477-C3FF-4e44-93D5-AE4D973272B1}.exe	{DE0E17D2-157D-483e-B046-DC6208646D06}.exe
File created	C:\Windows\{95DE92C8-4B34-4521-AC8C-7C2707055811}.exe	{96608477-C3FF-4e44-93D5-AE4D973272B1}.exe
File created	C:\Windows\{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe
File created	C:\Windows\{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe	{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe
File created	C:\Windows\{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe	{FD9A0927-587A-441c-8692-201E51B0BC74}.exe
File created	C:\Windows\{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe	{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe
File created	C:\Windows\{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe	{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe
File created	C:\Windows\{FD9A0927-587A-441c-8692-201E51B0BC74}.exe	{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe
File created	C:\Windows\{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe	{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe
File created	C:\Windows\{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe	{643FD846-A38F-489f-A437-8FF04D13482B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	764	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3528	{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe
Token: SeIncBasePriorityPrivilege	3400	{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe
Token: SeIncBasePriorityPrivilege	888	{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe
Token: SeIncBasePriorityPrivilege	3940	{FD9A0927-587A-441c-8692-201E51B0BC74}.exe
Token: SeIncBasePriorityPrivilege	4936	{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe
Token: SeIncBasePriorityPrivilege	1208	{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe
Token: SeIncBasePriorityPrivilege	2068	{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe
Token: SeIncBasePriorityPrivilege	3136	{643FD846-A38F-489f-A437-8FF04D13482B}.exe
Token: SeIncBasePriorityPrivilege	3424	{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe
Token: SeIncBasePriorityPrivilege	4728	{DE0E17D2-157D-483e-B046-DC6208646D06}.exe
Token: SeIncBasePriorityPrivilege	4880	{96608477-C3FF-4e44-93D5-AE4D973272B1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 3528	764	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe	87
PID 764 wrote to memory of 3528	764	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe	87
PID 764 wrote to memory of 3528	764	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe	87
PID 764 wrote to memory of 1432	764	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe	88
PID 764 wrote to memory of 1432	764	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe	88
PID 764 wrote to memory of 1432	764	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe	88
PID 3528 wrote to memory of 3400	3528	{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe	89
PID 3528 wrote to memory of 3400	3528	{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe	89
PID 3528 wrote to memory of 3400	3528	{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe	89
PID 3528 wrote to memory of 3128	3528	{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe	90
PID 3528 wrote to memory of 3128	3528	{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe	90
PID 3528 wrote to memory of 3128	3528	{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe	90
PID 3400 wrote to memory of 888	3400	{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe	94
PID 3400 wrote to memory of 888	3400	{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe	94
PID 3400 wrote to memory of 888	3400	{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe	94
PID 3400 wrote to memory of 540	3400	{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe	95
PID 3400 wrote to memory of 540	3400	{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe	95
PID 3400 wrote to memory of 540	3400	{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe	95
PID 888 wrote to memory of 3940	888	{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe	96
PID 888 wrote to memory of 3940	888	{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe	96
PID 888 wrote to memory of 3940	888	{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe	96
PID 888 wrote to memory of 2944	888	{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe	97
PID 888 wrote to memory of 2944	888	{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe	97
PID 888 wrote to memory of 2944	888	{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe	97
PID 3940 wrote to memory of 4936	3940	{FD9A0927-587A-441c-8692-201E51B0BC74}.exe	98
PID 3940 wrote to memory of 4936	3940	{FD9A0927-587A-441c-8692-201E51B0BC74}.exe	98
PID 3940 wrote to memory of 4936	3940	{FD9A0927-587A-441c-8692-201E51B0BC74}.exe	98
PID 3940 wrote to memory of 2732	3940	{FD9A0927-587A-441c-8692-201E51B0BC74}.exe	99
PID 3940 wrote to memory of 2732	3940	{FD9A0927-587A-441c-8692-201E51B0BC74}.exe	99
PID 3940 wrote to memory of 2732	3940	{FD9A0927-587A-441c-8692-201E51B0BC74}.exe	99
PID 4936 wrote to memory of 1208	4936	{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe	100
PID 4936 wrote to memory of 1208	4936	{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe	100
PID 4936 wrote to memory of 1208	4936	{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe	100
PID 4936 wrote to memory of 3584	4936	{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe	101
PID 4936 wrote to memory of 3584	4936	{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe	101
PID 4936 wrote to memory of 3584	4936	{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe	101
PID 1208 wrote to memory of 2068	1208	{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe	102
PID 1208 wrote to memory of 2068	1208	{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe	102
PID 1208 wrote to memory of 2068	1208	{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe	102
PID 1208 wrote to memory of 4188	1208	{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe	103
PID 1208 wrote to memory of 4188	1208	{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe	103
PID 1208 wrote to memory of 4188	1208	{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe	103
PID 2068 wrote to memory of 3136	2068	{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe	104
PID 2068 wrote to memory of 3136	2068	{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe	104
PID 2068 wrote to memory of 3136	2068	{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe	104
PID 2068 wrote to memory of 1936	2068	{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe	105
PID 2068 wrote to memory of 1936	2068	{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe	105
PID 2068 wrote to memory of 1936	2068	{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe	105
PID 3136 wrote to memory of 3424	3136	{643FD846-A38F-489f-A437-8FF04D13482B}.exe	106
PID 3136 wrote to memory of 3424	3136	{643FD846-A38F-489f-A437-8FF04D13482B}.exe	106
PID 3136 wrote to memory of 3424	3136	{643FD846-A38F-489f-A437-8FF04D13482B}.exe	106
PID 3136 wrote to memory of 968	3136	{643FD846-A38F-489f-A437-8FF04D13482B}.exe	107
PID 3136 wrote to memory of 968	3136	{643FD846-A38F-489f-A437-8FF04D13482B}.exe	107
PID 3136 wrote to memory of 968	3136	{643FD846-A38F-489f-A437-8FF04D13482B}.exe	107
PID 3424 wrote to memory of 4728	3424	{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe	108
PID 3424 wrote to memory of 4728	3424	{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe	108
PID 3424 wrote to memory of 4728	3424	{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe	108
PID 3424 wrote to memory of 64	3424	{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe	109
PID 3424 wrote to memory of 64	3424	{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe	109
PID 3424 wrote to memory of 64	3424	{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe	109
PID 4728 wrote to memory of 4880	4728	{DE0E17D2-157D-483e-B046-DC6208646D06}.exe	110
PID 4728 wrote to memory of 4880	4728	{DE0E17D2-157D-483e-B046-DC6208646D06}.exe	110
PID 4728 wrote to memory of 4880	4728	{DE0E17D2-157D-483e-B046-DC6208646D06}.exe	110
PID 4728 wrote to memory of 5052	4728	{DE0E17D2-157D-483e-B046-DC6208646D06}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe
  C:\Windows\{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe
    C:\Windows\{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe
      C:\Windows\{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Windows\{FD9A0927-587A-441c-8692-201E51B0BC74}.exe
        
        C:\Windows\{FD9A0927-587A-441c-8692-201E51B0BC74}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
      - C:\Windows\{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe
        
        C:\Windows\{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe
        
        C:\Windows\{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe
        
        C:\Windows\{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\{643FD846-A38F-489f-A437-8FF04D13482B}.exe
        
        C:\Windows\{643FD846-A38F-489f-A437-8FF04D13482B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe
        
        C:\Windows\{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\{DE0E17D2-157D-483e-B046-DC6208646D06}.exe
        
        C:\Windows\{DE0E17D2-157D-483e-B046-DC6208646D06}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\{96608477-C3FF-4e44-93D5-AE4D973272B1}.exe
        
        C:\Windows\{96608477-C3FF-4e44-93D5-AE4D973272B1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\{95DE92C8-4B34-4521-AC8C-7C2707055811}.exe
        
        C:\Windows\{95DE92C8-4B34-4521-AC8C-7C2707055811}.exe
        13⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96608~1.EXE > nul
        13⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE0E1~1.EXE > nul
        12⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B1C2~1.EXE > nul
        11⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{643FD~1.EXE > nul
        10⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C59F5~1.EXE > nul
        9⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5FBC~1.EXE > nul
        8⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0C92~1.EXE > nul
        7⤵
        
        PID:3584
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD9A0~1.EXE > nul
        6⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBA63~1.EXE > nul
        5⤵
        
        PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7A70B~1.EXE > nul
      4⤵
      PID:540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C434E~1.EXE > nul
    3⤵
    PID:3128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5B1C2EA9-7F91-4a55-B9E5-09541E067D2D}.exe

Filesize
344KB

MD5
f9e4b860c9d7c456a452d1b84b521bd4

SHA1
8c564ec9e5c465c910dcbf4fd0fee9be5e876c7d

SHA256
e0fd3c679011c0ab5d79eb70ee1c559c478998c986c726506670784af9965d3e

SHA512
f1dc9c56178484346365e8f316822088e6f765a953af764615477c9ebd2c3fd83f6c6e40d335eb4b52256a2af270fff615d5f9849314bd009eae4bab50611ef1

Download Submit
C:\Windows\{643FD846-A38F-489f-A437-8FF04D13482B}.exe

Filesize
344KB

MD5
a45762366ec42c358b03be5f5d8ad2c1

SHA1
10827b613a1cd566d9ee58c559e8cdb1b497daca

SHA256
f639d3ebec5dee5808af08053a854bb91c11351c7fb835f6c526971b8c0765a0

SHA512
87acdbfbcd654d00e0d9368f2300fc75de86603d04c450cdb73da3e7cc1c4cff0fcc64c9422bdf61d297350ac2cca3797034a3597aa48237197c471ec1c949e2

Download Submit
C:\Windows\{7A70BA1C-5AB0-4ced-90ED-E822DA9888E3}.exe

Filesize
344KB

MD5
a93e20c44cc6e775b51ef7758bbbe4f1

SHA1
da6a5ae6403f5ccf872996dcc8a43760dbae6a55

SHA256
3112770ad7881807263e9f34db80e141d2457867199202ef0c3932ae5b493a00

SHA512
f7208c2838a9498457fc3625b6a136da453fc4d4fc946c1bed9077cdc55233b815c59dc0a3fd2fb1dd36310ba84812834eb2fc9df7cc67b968116d3b7e66ba2a

Download Submit
C:\Windows\{95DE92C8-4B34-4521-AC8C-7C2707055811}.exe

Filesize
344KB

MD5
e47d02f44f63663606c5dff971c82eb2

SHA1
797b03b7ad7376324fed9e2292f202f5dfea87ea

SHA256
7e16f976decd79f904a666f2b0c79b0a2fd184a8bfd6967fcf0374a16812a8d5

SHA512
da30c2a1a73c314ef6d5073ffcc8b1053b0dbc3969457429fe46cf38e217d33c0841c191bf3f11fa089270f8aa9042e0cf92646756bb81879f2c525233120b92

Download Submit
C:\Windows\{96608477-C3FF-4e44-93D5-AE4D973272B1}.exe

Filesize
344KB

MD5
a27efa0cf488bf1a4ef77ea9524ef9d5

SHA1
e35e73d9f344fe3991acf8b50adec9a5d84148b2

SHA256
5381bafc80afae64e80e6f956834282ab9d8ae1c92e63884a77efbcff80129da

SHA512
71e4e8b00651bb71a5384bd56f51a3995fec7a40ec145173fad580634fd0d25658c2c4ee99cbbab16eeba856148c458b7cb5044658026b6b0cb9f851e2d985f2

Download Submit
C:\Windows\{A0C92AEC-1155-47cd-8085-19CEBE9B8056}.exe

Filesize
344KB

MD5
344acf0b581c2e52394c846c2029ca8f

SHA1
1eadd7c6b3609e0e9ab847a78196d5d21fa40b28

SHA256
f892d4b406b7865c01897a8a3d3356cc143738190a10002a5cb68b17d36711ca

SHA512
ced8ceb592bf86cedf9ce7a345c39160d8b7ad4ae90dc1695d42674d2888ae29cba296a7e36b42d7b254ec98dfe2e76818322653d35f4e89a0098ad37d6cfad2

Download Submit
C:\Windows\{B5FBC7E5-A739-4ed8-89C6-2A1DC371D151}.exe

Filesize
344KB

MD5
d8fd29a8865d7e385f4ba705ed9b1e79

SHA1
701d41fac3c68f3ffaa46271e20452e1ba4f9193

SHA256
9a724b2db775e4f6aa96a59ac75f5ce994865daabf0e66f8220f291d2a496d1a

SHA512
aa4e55a04cd59a7c74ff32a050a49c276e04802547444ff2fe83cee43da0915ef04c5a9534055cd603524ef50b5234b3bfd56f415073b75c04a178a3cfbf04e4

Download Submit
C:\Windows\{C434E39F-BF88-4416-9FFC-ECF2B5A1AFEA}.exe

Filesize
344KB

MD5
4a7d6480b77cb4c13bab791c5f5c2b63

SHA1
5f7cc5c3ee87b5e32aaa6d5044eb23de471efca3

SHA256
14440c6bce3a4d34086996be1e7079a0a92fe2604ee5d5963fa7ee2d3b4aa8c6

SHA512
17d05d0cfd69f70fb79e2cc26f17ac349e8f8eec7c1fed59d0c784c2f1c7569255a18e298261be4cd883d31c9112ac58a9f51998292b4dd215cd4111b3c7c760

Download Submit
C:\Windows\{C59F5163-2B90-4190-9DA4-E67496B2C6A1}.exe

Filesize
344KB

MD5
68a1185323fe9b08bed4aa12e57c1c2a

SHA1
685f6062001f583f37a72de7f78334f4d47e890b

SHA256
2fe4504a0632ccc26786009e3d1149485e78c90ace7ad49dcf2929b1cb46fbd1

SHA512
a737a2921f9d5f7e4331cee9fb10bf2ab7b1f27cee36e340ccbff6ffe20a08d1f352061879e59ea0fe511cf39ba4fd4187577cca31ebdf95cbaac05d0f40d535

Download Submit
C:\Windows\{DE0E17D2-157D-483e-B046-DC6208646D06}.exe

Filesize
344KB

MD5
e6f6d0e2eb6282003366ec08db3e0b5b

SHA1
7e1b8112f00487cd968be8d7c3fcad432fda64c2

SHA256
f44b53d8f5ce67d1a5ce802b5c5cb442677bddbdc2930363fd5db3f4d6ea5cc2

SHA512
d19ec898e4713a3c5c78ae6535f3e4a82ce7b6cca7aa3d999a5d80f9a18fbe01b5289635476d3d1a720f5147ecacf11dec5aa9c32e874f0d0aed45a2a987a8a1

Download Submit
C:\Windows\{FBA632D4-5617-4b58-AC4A-F0F5E0FF8860}.exe

Filesize
344KB

MD5
765ca1687db4afdd2ce2bfb020b49bba

SHA1
c4a84ea1d73257d0bf827a802cc350f40a5876b6

SHA256
bc1416c29e69cc579bec6781074b458ffa4d00e608144cb3f10fa3b18a86d7c7

SHA512
b2bb40fe3bf109bf3644041949ba04f7106a4fd7cf5d98989cefe98ff6c9f45556e7598f1d4abe2b5661c586093556051c54558eddd714444d0c29b26088eec7

Download Submit
C:\Windows\{FD9A0927-587A-441c-8692-201E51B0BC74}.exe

Filesize
344KB

MD5
ecb955096278a4eb0f16d2b0beda8eb2

SHA1
ddc0fec34446b0462475a4e9e064b3b10f222816

SHA256
2a2a837367aa25b3aa29f83770de49c64ba17cfadb42ce67bd85ae376e6ff6eb

SHA512
0cd489086e19db7a25f7722dd3a67a3af66d8822221b60a8d5c02dc35b079d7390c2463b99c6de152157dea7d26b472540ea32719aa66375626c54172fbe9ea6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads