343cf76d81bd99a068554f914a429089bbfc8c446fc5056a47bd213349141586

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe
Size

408KB
MD5

51bd6199a4651fe230a0d039083f0ef2
SHA1

76c091f72d0ddbf1862fc7b03054d6a0be696c2b
SHA256

343cf76d81bd99a068554f914a429089bbfc8c446fc5056a47bd213349141586
SHA512

54b1f7e0f424eb55617b672a08770bc4bc321acfd7fb7e1ab4bb8f0e4b8b6cbd278d384a58f8891e31dc82c09a28e55e7bf5172a99d3bc1fc2d782d2c03abe49
SSDEEP

3072:CEGh0owl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGCldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023429-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023430-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023439-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023430-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023439-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0015000000023430-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023439-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022ad6-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022ae4-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022ad6-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022ae4-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000022ae3-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36DE95DB-C229-4217-A32E-A9A14DE6EF41}\stubpath = "C:\\Windows\\{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe"	{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D86E8B81-2107-40e3-8E64-C932790A7FC1}\stubpath = "C:\\Windows\\{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe"	{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}	{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12771364-AD59-4a92-AF23-A14699B0F36B}	{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}\stubpath = "C:\\Windows\\{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe"	{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94727C3D-7506-47a2-BFCB-42AC406940D8}\stubpath = "C:\\Windows\\{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe"	{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9016D855-F3A4-42d8-91A6-708A945C3DD9}	{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9016D855-F3A4-42d8-91A6-708A945C3DD9}\stubpath = "C:\\Windows\\{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe"	{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}\stubpath = "C:\\Windows\\{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe"	{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94727C3D-7506-47a2-BFCB-42AC406940D8}	{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D86E8B81-2107-40e3-8E64-C932790A7FC1}	{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38ED5004-247E-43e4-8C3C-5FBAAC4B2956}	{12771364-AD59-4a92-AF23-A14699B0F36B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}	{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36DE95DB-C229-4217-A32E-A9A14DE6EF41}	{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}	{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}\stubpath = "C:\\Windows\\{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe"	{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}\stubpath = "C:\\Windows\\{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe"	{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}\stubpath = "C:\\Windows\\{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}.exe"	{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12771364-AD59-4a92-AF23-A14699B0F36B}\stubpath = "C:\\Windows\\{12771364-AD59-4a92-AF23-A14699B0F36B}.exe"	{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38ED5004-247E-43e4-8C3C-5FBAAC4B2956}\stubpath = "C:\\Windows\\{38ED5004-247E-43e4-8C3C-5FBAAC4B2956}.exe"	{12771364-AD59-4a92-AF23-A14699B0F36B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D40A487D-B130-49dd-94BF-3B46BE1F0354}	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D40A487D-B130-49dd-94BF-3B46BE1F0354}\stubpath = "C:\\Windows\\{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe"	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}	{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}	{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe

Executes dropped EXE 12 IoCs

pid	Process
3644	{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe
1672	{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe
4052	{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe
4088	{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe
3964	{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe
2540	{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe
4016	{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe
1756	{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe
4508	{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe
2932	{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}.exe
2028	{12771364-AD59-4a92-AF23-A14699B0F36B}.exe
3272	{38ED5004-247E-43e4-8C3C-5FBAAC4B2956}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}.exe	{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe
File created	C:\Windows\{38ED5004-247E-43e4-8C3C-5FBAAC4B2956}.exe	{12771364-AD59-4a92-AF23-A14699B0F36B}.exe
File created	C:\Windows\{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe	{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe
File created	C:\Windows\{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe	{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe
File created	C:\Windows\{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe	{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe
File created	C:\Windows\{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe	{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe
File created	C:\Windows\{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe	{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe
File created	C:\Windows\{12771364-AD59-4a92-AF23-A14699B0F36B}.exe	{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}.exe
File created	C:\Windows\{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe
File created	C:\Windows\{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe	{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe
File created	C:\Windows\{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe	{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe
File created	C:\Windows\{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe	{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4772	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3644	{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe
Token: SeIncBasePriorityPrivilege	1672	{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe
Token: SeIncBasePriorityPrivilege	4052	{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe
Token: SeIncBasePriorityPrivilege	4088	{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe
Token: SeIncBasePriorityPrivilege	3964	{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe
Token: SeIncBasePriorityPrivilege	2540	{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe
Token: SeIncBasePriorityPrivilege	4016	{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe
Token: SeIncBasePriorityPrivilege	1756	{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe
Token: SeIncBasePriorityPrivilege	4508	{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe
Token: SeIncBasePriorityPrivilege	2932	{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}.exe
Token: SeIncBasePriorityPrivilege	2028	{12771364-AD59-4a92-AF23-A14699B0F36B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 3644	4772	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe	91
PID 4772 wrote to memory of 3644	4772	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe	91
PID 4772 wrote to memory of 3644	4772	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe	91
PID 4772 wrote to memory of 4716	4772	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe	92
PID 4772 wrote to memory of 4716	4772	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe	92
PID 4772 wrote to memory of 4716	4772	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe	92
PID 3644 wrote to memory of 1672	3644	{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe	94
PID 3644 wrote to memory of 1672	3644	{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe	94
PID 3644 wrote to memory of 1672	3644	{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe	94
PID 3644 wrote to memory of 2436	3644	{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe	95
PID 3644 wrote to memory of 2436	3644	{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe	95
PID 3644 wrote to memory of 2436	3644	{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe	95
PID 1672 wrote to memory of 4052	1672	{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe	98
PID 1672 wrote to memory of 4052	1672	{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe	98
PID 1672 wrote to memory of 4052	1672	{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe	98
PID 1672 wrote to memory of 644	1672	{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe	99
PID 1672 wrote to memory of 644	1672	{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe	99
PID 1672 wrote to memory of 644	1672	{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe	99
PID 4052 wrote to memory of 4088	4052	{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe	100
PID 4052 wrote to memory of 4088	4052	{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe	100
PID 4052 wrote to memory of 4088	4052	{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe	100
PID 4052 wrote to memory of 1180	4052	{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe	101
PID 4052 wrote to memory of 1180	4052	{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe	101
PID 4052 wrote to memory of 1180	4052	{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe	101
PID 4088 wrote to memory of 3964	4088	{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe	102
PID 4088 wrote to memory of 3964	4088	{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe	102
PID 4088 wrote to memory of 3964	4088	{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe	102
PID 4088 wrote to memory of 4524	4088	{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe	103
PID 4088 wrote to memory of 4524	4088	{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe	103
PID 4088 wrote to memory of 4524	4088	{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe	103
PID 3964 wrote to memory of 2540	3964	{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe	105
PID 3964 wrote to memory of 2540	3964	{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe	105
PID 3964 wrote to memory of 2540	3964	{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe	105
PID 3964 wrote to memory of 2504	3964	{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe	106
PID 3964 wrote to memory of 2504	3964	{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe	106
PID 3964 wrote to memory of 2504	3964	{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe	106
PID 2540 wrote to memory of 4016	2540	{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe	107
PID 2540 wrote to memory of 4016	2540	{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe	107
PID 2540 wrote to memory of 4016	2540	{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe	107
PID 2540 wrote to memory of 916	2540	{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe	108
PID 2540 wrote to memory of 916	2540	{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe	108
PID 2540 wrote to memory of 916	2540	{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe	108
PID 4016 wrote to memory of 1756	4016	{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe	116
PID 4016 wrote to memory of 1756	4016	{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe	116
PID 4016 wrote to memory of 1756	4016	{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe	116
PID 4016 wrote to memory of 2060	4016	{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe	117
PID 4016 wrote to memory of 2060	4016	{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe	117
PID 4016 wrote to memory of 2060	4016	{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe	117
PID 1756 wrote to memory of 4508	1756	{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe	118
PID 1756 wrote to memory of 4508	1756	{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe	118
PID 1756 wrote to memory of 4508	1756	{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe	118
PID 1756 wrote to memory of 1168	1756	{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe	119
PID 1756 wrote to memory of 1168	1756	{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe	119
PID 1756 wrote to memory of 1168	1756	{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe	119
PID 4508 wrote to memory of 2932	4508	{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe	120
PID 4508 wrote to memory of 2932	4508	{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe	120
PID 4508 wrote to memory of 2932	4508	{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe	120
PID 4508 wrote to memory of 3868	4508	{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe	121
PID 4508 wrote to memory of 3868	4508	{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe	121
PID 4508 wrote to memory of 3868	4508	{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe	121
PID 2932 wrote to memory of 2028	2932	{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}.exe	122
PID 2932 wrote to memory of 2028	2932	{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}.exe	122
PID 2932 wrote to memory of 2028	2932	{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}.exe	122
PID 2932 wrote to memory of 4072	2932	{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}.exe	123

C:\Users\Admin\AppData\Local\Temp\2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe
  C:\Windows\{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe
    C:\Windows\{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe
      C:\Windows\{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4052
    - - C:\Windows\{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe
        
        C:\Windows\{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Windows\{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe
        
        C:\Windows\{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe
        
        C:\Windows\{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe
        
        C:\Windows\{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe
        
        C:\Windows\{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe
        
        C:\Windows\{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}.exe
        
        C:\Windows\{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{12771364-AD59-4a92-AF23-A14699B0F36B}.exe
        
        C:\Windows\{12771364-AD59-4a92-AF23-A14699B0F36B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{38ED5004-247E-43e4-8C3C-5FBAAC4B2956}.exe
        
        C:\Windows\{38ED5004-247E-43e4-8C3C-5FBAAC4B2956}.exe
        13⤵
        Executes dropped EXE
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12771~1.EXE > nul
        13⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BBB8~1.EXE > nul
        12⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{262C2~1.EXE > nul
        11⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D86E8~1.EXE > nul
        10⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36DE9~1.EXE > nul
        9⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9016D~1.EXE > nul
        8⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94727~1.EXE > nul
        7⤵
        
        PID:2504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB7EF~1.EXE > nul
        6⤵
        
        PID:4524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D487C~1.EXE > nul
        5⤵
        
        PID:1180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{76C9C~1.EXE > nul
      4⤵
      PID:644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D40A4~1.EXE > nul
    3⤵
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12771364-AD59-4a92-AF23-A14699B0F36B}.exe

Filesize
408KB

MD5
bde923f8244ef5d930d5df4a9e20c09e

SHA1
efb18f9e8327f07445fe6cfa26e5ad45f57d18d1

SHA256
009fb06b89fe2a2a5e73f4a18648d82b4fda634e8f062e3655493068bdd1e6eb

SHA512
76994836a435e2e537df991042cfafd3a8a332480699d10f8b3bb0acf3cf304c9ccf59d8761dd302a5331eca954d0c9581bb10607f217e11e81f08d9f73147fd

Download Submit
C:\Windows\{262C2FE4-3D0B-4cbc-9D9C-464939624C1D}.exe

Filesize
408KB

MD5
92067f15a42a388391806921e5c9dab8

SHA1
d071e35fde3ad6ffd4e5b1374fadc9686fe70ee0

SHA256
f1e27d8e19477433f56e114808403f5c42debc2e2bf4d31a247624450de109a0

SHA512
323f42ec2dbce362061a7a344ca58cd9baaa6bd3302322bbfd3530bb24caad67dc277792e3f8b506a54113b18fcf79b8219ee5736f98cb4afdda526e01d11e39

Download Submit
C:\Windows\{36DE95DB-C229-4217-A32E-A9A14DE6EF41}.exe

Filesize
408KB

MD5
409a496031d491d219881697757d7a67

SHA1
901307e0ebf3416db840a1af2f75311d4589278d

SHA256
7a79b069248a77b38b8111967b7dec942e2fe71257a2c1fceec19d154affb7c9

SHA512
cfcd12c098dc2aefea776d47942b9f322bc174c8e9ffbf04f46fda324de56f563eccebe16a2a806bd2935faba98496c73140a4e2b1d67ba95aba23ec5a4dfd22

Download Submit
C:\Windows\{38ED5004-247E-43e4-8C3C-5FBAAC4B2956}.exe

Filesize
408KB

MD5
bcb7759470f14f8f5fe0ac2f5dc4ec77

SHA1
9ab50e8daa9e25272e530c74f47e8c887c08bd3b

SHA256
288574e94d31f67b47f02b975abad0ffa309646ac64b3aa3789946d572f2aac2

SHA512
a38bde3787c95d7330642db308af6e83ec21935024591b03f9f0de836f305484f4387e9252df2f8c668643367306ed2ec89e5e38fdc20ef5e5716c4ad82113a8

Download Submit
C:\Windows\{5BBB879C-3942-47aa-A7B8-C75CBCAABCC6}.exe

Filesize
408KB

MD5
8e101fc088e6ba63824d50f208b813de

SHA1
faef966facf6c508f57507cd3f42f8f87f780717

SHA256
77b436d3941ed178bb7a160d38b03ce4f81749e3e2fa955e3e4eec83e4f38a41

SHA512
47bd5c10413c6b8cbb95a723b93da95d65acc795db1612c9e2e975435abbc9d1d2150da5c4a5c628185b8b721ad14a0d1b45c57e7c996734f7aa7571d9c82774

Download Submit
C:\Windows\{76C9CE6F-955D-4ffa-94D9-9C3D5E23780F}.exe

Filesize
408KB

MD5
a6eff04a6cd5e2c91d25b1fc44068c0e

SHA1
13a626738e8ed4c7ad6ed2ddd954b4a2a334b55a

SHA256
e19c0255ad197766abf3336e5b2bde9507d3dab81805f6ac37722f0f10ecdbd9

SHA512
9da9e20af97820d9d954259db4e1e57c0b64f3a1c18dac2361b28d88f9ee5d9e49b4e6538ae8b36ef2f0191f3a856a8e9e3e0e0b6567932d3af4b81506ccbc1c

Download Submit
C:\Windows\{9016D855-F3A4-42d8-91A6-708A945C3DD9}.exe

Filesize
408KB

MD5
94cb0d8ac732945a67c4cf3743804b13

SHA1
569a60ad4f93ebb6fcbd70d6e426d46caf352f63

SHA256
1e61366213d0bc35557c53284e78a60f2408ec1685ac92fef689a6ddc1220b5a

SHA512
c37e90de7407e1d8c70b7d991a66c72082e82ff693835b063df726409f905748117dee476bc3a01cd3fe5b8fa4e67e9a5485224e944a60722949eb807e63c2cd

Download Submit
C:\Windows\{94727C3D-7506-47a2-BFCB-42AC406940D8}.exe

Filesize
408KB

MD5
1700ef3396e5474908afc5186fb8a295

SHA1
f501097bf4cff1fa0ce0752c578b8d03d301d1ed

SHA256
d9599f398971fce3e1f290640092d5d2ef4aac11e66c7da81caa9332da148047

SHA512
04946a32d26391943afa85b8ae83aa3d51f20a45d3d5f02dffff9cbcb6f428fbc2d3c3b3d49bb7b312d2f26be95c1441ca3b85193d35aeed8ebb662cad385289

Download Submit
C:\Windows\{D40A487D-B130-49dd-94BF-3B46BE1F0354}.exe

Filesize
408KB

MD5
33634b1025355f46108cbf6572add5cf

SHA1
a04fd8dc04a41c30f8f373063251ec4202248db5

SHA256
3039988ac00cab0059ab388b4eaa674ebc3d4e3916210dffcad9947b207f49af

SHA512
7e68f6dac09751cc4ca953f8cc5ade59db9b09147ed531910830e98722c35a313d7143a0e7f7bad82e13050723f51e9a66c1123802c266afbb25c891dfbefbf4

Download Submit
C:\Windows\{D487CB6F-DDF9-4482-A55A-4760AFC8F3C1}.exe

Filesize
408KB

MD5
51a069204292f49c7556875782dd135c

SHA1
208aa47ec6c45a77f7d449fa5f80375438bf93e1

SHA256
6b0353485ef1cdb894e5a57ec90b7deca979e0ac0307d0c6021069c301b1dbab

SHA512
810069654cd8e6cbfdf7ff4c4cc5fa0299d0b1639f5ae74a44cad42ccd4df74c7e984ca65e843ca7d5d0e9c1fdd38c2195ad5908d84f000e967615f931fefd70

Download Submit
C:\Windows\{D86E8B81-2107-40e3-8E64-C932790A7FC1}.exe

Filesize
408KB

MD5
af72711c14bcac5a7887be37bc70d6d7

SHA1
68939784d759bb94ec4c5dccf1336bfec1f721c0

SHA256
77719216cb9359d184a09f80f45e9ad7500f707fe9540bc147aa37fc35a19808

SHA512
523ff350aa115513fee5d538d2430760882d289c0f60fdc437667ef673cc63d772ee309d743e6bd1d88c81db15ba66718a24b34c9f45390adbdeeef5a1fbfeb7

Download Submit
C:\Windows\{DB7EFC58-8ABB-4bdb-A051-F040032DAC37}.exe

Filesize
408KB

MD5
b1b1fff774b6b12ce45402cf54e860a9

SHA1
71d179fcca592d3d7cc6d4cb91a727203c434315

SHA256
4f28c58a005c4f70e49c88bcee16e29661915eb50c421193ee398195bed693af

SHA512
7738033a2407d0d213340912cba12e6a50a24fe9c8981b8068d41932ab28214c6283c56b963acef3836042f161aea9742c6d658c759f58b3ee73eb00279f887a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads