cd54edc1841d2b1868e2813c19b92f1b50d02736946c22aa7be49b33b79ff482

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe
Size

344KB
MD5

8f83612f0b6ffb1f4dca2d21d75840d8
SHA1

ef7482b5855b3c1c3f7a155fba7309516e835c6e
SHA256

cd54edc1841d2b1868e2813c19b92f1b50d02736946c22aa7be49b33b79ff482
SHA512

9160f41d14d537a9d8aa9662ba15fa4930f0ce715b7c9e550a0eaf51f6637591b728486d2675d9b90995c25f30cc70358b9ec4fbbeed8b9f2192ddcd5932a7e9
SSDEEP

3072:mEGh0oIlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGGlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233ac-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000233ae-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023427-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000233ae-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023427-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00160000000233ae-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023427-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00170000000233ae-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023430-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00180000000233ae-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023430-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002338e-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCFB2B86-A12C-4643-AFC0-B246B8504751}\stubpath = "C:\\Windows\\{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe"	{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A99FF363-5624-467a-A1D5-EDA6B141BCA4}	{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A99FF363-5624-467a-A1D5-EDA6B141BCA4}\stubpath = "C:\\Windows\\{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe"	{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}\stubpath = "C:\\Windows\\{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe"	{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F745BB5-80DC-45f3-A003-075F4B72BD20}\stubpath = "C:\\Windows\\{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe"	{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACE67F39-3150-4ec8-B00D-CBA5F887794D}\stubpath = "C:\\Windows\\{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe"	{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E0E126B-458E-4177-9C1E-4FC9FE028733}	{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCFB2B86-A12C-4643-AFC0-B246B8504751}	{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}\stubpath = "C:\\Windows\\{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe"	{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F745BB5-80DC-45f3-A003-075F4B72BD20}	{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACE67F39-3150-4ec8-B00D-CBA5F887794D}	{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D4609F2-249F-4e12-978B-F4DA3FEC6E4B}	{1E0E126B-458E-4177-9C1E-4FC9FE028733}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D4609F2-249F-4e12-978B-F4DA3FEC6E4B}\stubpath = "C:\\Windows\\{2D4609F2-249F-4e12-978B-F4DA3FEC6E4B}.exe"	{1E0E126B-458E-4177-9C1E-4FC9FE028733}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{140D82DE-BC28-4d9c-871B-6AB7837D7644}\stubpath = "C:\\Windows\\{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe"	{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C537049-7A0D-45bb-B14F-21F11BEB8919}\stubpath = "C:\\Windows\\{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe"	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{140D82DE-BC28-4d9c-871B-6AB7837D7644}	{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC4EFE21-24F2-4a51-9728-B675026EE529}	{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC4EFE21-24F2-4a51-9728-B675026EE529}\stubpath = "C:\\Windows\\{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe"	{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E0E126B-458E-4177-9C1E-4FC9FE028733}\stubpath = "C:\\Windows\\{1E0E126B-458E-4177-9C1E-4FC9FE028733}.exe"	{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{760BCF78-4A73-470a-8000-CAD400581BA1}	{2D4609F2-249F-4e12-978B-F4DA3FEC6E4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C537049-7A0D-45bb-B14F-21F11BEB8919}	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}	{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{760BCF78-4A73-470a-8000-CAD400581BA1}\stubpath = "C:\\Windows\\{760BCF78-4A73-470a-8000-CAD400581BA1}.exe"	{2D4609F2-249F-4e12-978B-F4DA3FEC6E4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}	{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe

Executes dropped EXE 12 IoCs

pid	Process
3380	{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe
2184	{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe
3844	{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe
1828	{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe
4196	{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe
4276	{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe
2288	{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe
4268	{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe
3960	{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe
3664	{1E0E126B-458E-4177-9C1E-4FC9FE028733}.exe
4564	{2D4609F2-249F-4e12-978B-F4DA3FEC6E4B}.exe
1900	{760BCF78-4A73-470a-8000-CAD400581BA1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{760BCF78-4A73-470a-8000-CAD400581BA1}.exe	{2D4609F2-249F-4e12-978B-F4DA3FEC6E4B}.exe
File created	C:\Windows\{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe
File created	C:\Windows\{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe	{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe
File created	C:\Windows\{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe	{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe
File created	C:\Windows\{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe	{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe
File created	C:\Windows\{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe	{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe
File created	C:\Windows\{2D4609F2-249F-4e12-978B-F4DA3FEC6E4B}.exe	{1E0E126B-458E-4177-9C1E-4FC9FE028733}.exe
File created	C:\Windows\{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe	{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe
File created	C:\Windows\{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe	{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe
File created	C:\Windows\{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe	{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe
File created	C:\Windows\{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe	{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe
File created	C:\Windows\{1E0E126B-458E-4177-9C1E-4FC9FE028733}.exe	{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4356	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3380	{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe
Token: SeIncBasePriorityPrivilege	2184	{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe
Token: SeIncBasePriorityPrivilege	3844	{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe
Token: SeIncBasePriorityPrivilege	1828	{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe
Token: SeIncBasePriorityPrivilege	4196	{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe
Token: SeIncBasePriorityPrivilege	4276	{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe
Token: SeIncBasePriorityPrivilege	2288	{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe
Token: SeIncBasePriorityPrivilege	4268	{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe
Token: SeIncBasePriorityPrivilege	3960	{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe
Token: SeIncBasePriorityPrivilege	3664	{1E0E126B-458E-4177-9C1E-4FC9FE028733}.exe
Token: SeIncBasePriorityPrivilege	4564	{2D4609F2-249F-4e12-978B-F4DA3FEC6E4B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 3380	4356	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe	94
PID 4356 wrote to memory of 3380	4356	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe	94
PID 4356 wrote to memory of 3380	4356	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe	94
PID 4356 wrote to memory of 2536	4356	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe	95
PID 4356 wrote to memory of 2536	4356	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe	95
PID 4356 wrote to memory of 2536	4356	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe	95
PID 3380 wrote to memory of 2184	3380	{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe	96
PID 3380 wrote to memory of 2184	3380	{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe	96
PID 3380 wrote to memory of 2184	3380	{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe	96
PID 3380 wrote to memory of 1152	3380	{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe	97
PID 3380 wrote to memory of 1152	3380	{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe	97
PID 3380 wrote to memory of 1152	3380	{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe	97
PID 2184 wrote to memory of 3844	2184	{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe	100
PID 2184 wrote to memory of 3844	2184	{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe	100
PID 2184 wrote to memory of 3844	2184	{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe	100
PID 2184 wrote to memory of 1624	2184	{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe	101
PID 2184 wrote to memory of 1624	2184	{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe	101
PID 2184 wrote to memory of 1624	2184	{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe	101
PID 3844 wrote to memory of 1828	3844	{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe	102
PID 3844 wrote to memory of 1828	3844	{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe	102
PID 3844 wrote to memory of 1828	3844	{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe	102
PID 3844 wrote to memory of 3088	3844	{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe	103
PID 3844 wrote to memory of 3088	3844	{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe	103
PID 3844 wrote to memory of 3088	3844	{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe	103
PID 1828 wrote to memory of 4196	1828	{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe	104
PID 1828 wrote to memory of 4196	1828	{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe	104
PID 1828 wrote to memory of 4196	1828	{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe	104
PID 1828 wrote to memory of 4724	1828	{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe	105
PID 1828 wrote to memory of 4724	1828	{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe	105
PID 1828 wrote to memory of 4724	1828	{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe	105
PID 4196 wrote to memory of 4276	4196	{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe	107
PID 4196 wrote to memory of 4276	4196	{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe	107
PID 4196 wrote to memory of 4276	4196	{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe	107
PID 4196 wrote to memory of 384	4196	{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe	108
PID 4196 wrote to memory of 384	4196	{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe	108
PID 4196 wrote to memory of 384	4196	{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe	108
PID 4276 wrote to memory of 2288	4276	{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe	109
PID 4276 wrote to memory of 2288	4276	{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe	109
PID 4276 wrote to memory of 2288	4276	{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe	109
PID 4276 wrote to memory of 3692	4276	{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe	110
PID 4276 wrote to memory of 3692	4276	{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe	110
PID 4276 wrote to memory of 3692	4276	{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe	110
PID 2288 wrote to memory of 4268	2288	{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe	112
PID 2288 wrote to memory of 4268	2288	{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe	112
PID 2288 wrote to memory of 4268	2288	{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe	112
PID 2288 wrote to memory of 1816	2288	{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe	113
PID 2288 wrote to memory of 1816	2288	{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe	113
PID 2288 wrote to memory of 1816	2288	{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe	113
PID 4268 wrote to memory of 3960	4268	{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe	119
PID 4268 wrote to memory of 3960	4268	{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe	119
PID 4268 wrote to memory of 3960	4268	{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe	119
PID 4268 wrote to memory of 3360	4268	{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe	120
PID 4268 wrote to memory of 3360	4268	{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe	120
PID 4268 wrote to memory of 3360	4268	{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe	120
PID 3960 wrote to memory of 3664	3960	{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe	121
PID 3960 wrote to memory of 3664	3960	{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe	121
PID 3960 wrote to memory of 3664	3960	{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe	121
PID 3960 wrote to memory of 3200	3960	{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe	122
PID 3960 wrote to memory of 3200	3960	{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe	122
PID 3960 wrote to memory of 3200	3960	{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe	122
PID 3664 wrote to memory of 4564	3664	{1E0E126B-458E-4177-9C1E-4FC9FE028733}.exe	123
PID 3664 wrote to memory of 4564	3664	{1E0E126B-458E-4177-9C1E-4FC9FE028733}.exe	123
PID 3664 wrote to memory of 4564	3664	{1E0E126B-458E-4177-9C1E-4FC9FE028733}.exe	123
PID 3664 wrote to memory of 4976	3664	{1E0E126B-458E-4177-9C1E-4FC9FE028733}.exe	124

C:\Users\Admin\AppData\Local\Temp\2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe
  C:\Windows\{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe
    C:\Windows\{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe
      C:\Windows\{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Windows\{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe
        
        C:\Windows\{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Windows\{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe
        
        C:\Windows\{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe
        
        C:\Windows\{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe
        
        C:\Windows\{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe
        
        C:\Windows\{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe
        
        C:\Windows\{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\{1E0E126B-458E-4177-9C1E-4FC9FE028733}.exe
        
        C:\Windows\{1E0E126B-458E-4177-9C1E-4FC9FE028733}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\{2D4609F2-249F-4e12-978B-F4DA3FEC6E4B}.exe
        
        C:\Windows\{2D4609F2-249F-4e12-978B-F4DA3FEC6E4B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
        
        C:\Windows\{760BCF78-4A73-470a-8000-CAD400581BA1}.exe
        
        C:\Windows\{760BCF78-4A73-470a-8000-CAD400581BA1}.exe
        13⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D460~1.EXE > nul
        13⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E0E1~1.EXE > nul
        12⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACE67~1.EXE > nul
        11⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC4EF~1.EXE > nul
        10⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F745~1.EXE > nul
        9⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B1E8~1.EXE > nul
        8⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BF1C~1.EXE > nul
        7⤵
        
        PID:384
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A99FF~1.EXE > nul
        6⤵
        
        PID:4724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCFB2~1.EXE > nul
        5⤵
        
        PID:3088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{140D8~1.EXE > nul
      4⤵
      PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6C537~1.EXE > nul
    3⤵
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{140D82DE-BC28-4d9c-871B-6AB7837D7644}.exe

Filesize
344KB

MD5
b315a5b1ed7d2fae5db87584682e7f87

SHA1
4c0033313d0e28c796b9c9c25fc5f1e574cf996b

SHA256
984ac13e9859adbadfbc2d7c802929f88962e40d5142bf0585406d7fee69942b

SHA512
664f1db9d3ca259e049d2ef2fa3f5b37b5d7253a17632f69a5d5ff1717d10923c00a0d88bc861b3b0b21f5737cb9d7623fca5c2a63fb7ca33b0a30f8382beed9

Download Submit
C:\Windows\{1E0E126B-458E-4177-9C1E-4FC9FE028733}.exe

Filesize
344KB

MD5
aa89f0a62dde83ff8fd7ebeaf144aa92

SHA1
0d833429d5ae9e301e302bb746080a706c93d478

SHA256
5269071b655a3895a70dcd113000c6065ace5966043712610ffbef7cb76697a1

SHA512
c3bb466624f1a9b36ee10a0b8c7ed991762f40f65e380e762d74b68499bb9626bcdccdbf325657d647a80c9952b2f7e2913586cda99cebbce91405025ce976f9

Download Submit
C:\Windows\{2D4609F2-249F-4e12-978B-F4DA3FEC6E4B}.exe

Filesize
344KB

MD5
45f56c49e2e492ae7073cc1d52d427d2

SHA1
c40129c096b640c0dbcb0dc0d6d3b716ceea8b03

SHA256
c0932dea0f19973a4f83020bb6ec504c630efc91c9751c3d445b8690a9794fc1

SHA512
4a4dc47e7a71b5a8094671a1caa6768cd198b6e63609507f5ef33efb434b74feeee595ee8f67a42369838ed64b793fa8ebda9bb7938dc7ff044520cfae772380

Download Submit
C:\Windows\{6BF1CB83-78B7-4c38-BE0B-0391D9F81CA7}.exe

Filesize
344KB

MD5
f71130f40b41b0b6c0098f7b41c780c7

SHA1
29930e37d0c51438209ab883683b1ac80aad6ddd

SHA256
ab0c57ed021e86762e47c0ef482ce0a616cc176b1783408c28cc4ad8e77a7c2c

SHA512
49f921538b54394f634f9f33bb9f4ddd77b19697efa5f16557d232291fd544272c4c95366550dea201e9888595d0573e388373232292b708eb0b435aa710415d

Download Submit
C:\Windows\{6C537049-7A0D-45bb-B14F-21F11BEB8919}.exe

Filesize
344KB

MD5
7e38615530c054014ad2d16a28d73df0

SHA1
2f321a5780732e703a60bb469f8ef75c60f49e0d

SHA256
1f11b267c177d2d91d6a404f1b9bfdae968ade108fb8400c6559937a816392a4

SHA512
e00458cbf4a90f3160fdc73ff4e8399eededd9cba6caec6190e1e0b3fb43e20c5894dd908a8012c7a364af2a19e55e09e5c2c9155d4e07a6219c68994df8fd59

Download Submit
C:\Windows\{6F745BB5-80DC-45f3-A003-075F4B72BD20}.exe

Filesize
344KB

MD5
db6b2330657bd28b9b0dbfce79137aa6

SHA1
b67d475b26354f5806d04ea53b53b0df98c69235

SHA256
40b68210633112e4526fd48373c1c5f5e4a33709708a62f08c00e2a2a085870f

SHA512
58282afbab4456c3f543f4e83b3d590139f38f5b7284710b06c6ea9fb4f3f0e61dd5226df6d665021feecc6e592017f4f7f4075ee8960f715dfc59be83f0b2ab

Download Submit
C:\Windows\{760BCF78-4A73-470a-8000-CAD400581BA1}.exe

Filesize
344KB

MD5
664bc20504122ae75c0281f9149babb9

SHA1
a4d5f9a034b9e44372d923b0dd0542f6e4f779db

SHA256
a17a5dc05c7fe42a688e562213c402f48c4876b09800884cbebeec8ddc24e723

SHA512
3af413c2a7dfa4c35822a8929f8540df8018ce51cf91ed1d39de5537d1f11bcecdcba45d9fdcf0c614cc3d541125da7a80c76173376ed4bb375f65a6a5f86166

Download Submit
C:\Windows\{7B1E8D37-6ACE-44d3-993E-B9A801E23F5F}.exe

Filesize
344KB

MD5
2a69ac47d5ef7cd74446eebb21f7779b

SHA1
307afc3bced5baa142b384bab164b28e3b90d36a

SHA256
030f7ba403a067a077a24daec13acaff88044504e89f393b375eb552a03ecd72

SHA512
dd3704f0930606f0bb173236efe87ac45f1ad4fbf43b052868985e2043f04567bc1eb61c55ac28e49354e6d1db0e34f4050535b6cb24e42a42bad5028ae9c997

Download Submit
C:\Windows\{A99FF363-5624-467a-A1D5-EDA6B141BCA4}.exe

Filesize
344KB

MD5
5ea4d318be733896ff6b54f7746c280e

SHA1
d48c7856ac32b3488d2fde9cd0cdacdeb05b7362

SHA256
a41274c09085c88309665217f1d4440304c0d37af104d46147dfb2be2f4b910d

SHA512
66acf9f93bb4785d2226d1c1f48f479fb7e7c6e9979a3bd4af67a2fc38b3b62c86ffd5c8f2d1c582a81a9587473ccfb08fbd779843c24bcc39ddf5b1f58e3d25

Download Submit
C:\Windows\{ACE67F39-3150-4ec8-B00D-CBA5F887794D}.exe

Filesize
344KB

MD5
124b95d90786297ddc4ed4062a5f9fc8

SHA1
7035d3a8bf550f4afbab2ecfed70f7ceb87388f5

SHA256
bd546355b0c1a77ade26bb10125c26d2dbb3b7dcf3987fe2c226260a2f75beeb

SHA512
8fea1c171f30321816825515b348e22ee7de0ae8dcd84274f5fe73782dad9699127b69c892e9c5ed264e8f8171eba2996d5cf07d343561b663bdaf0a4d782831

Download Submit
C:\Windows\{DC4EFE21-24F2-4a51-9728-B675026EE529}.exe

Filesize
344KB

MD5
110f6f5c24aee3a6a5b8c62ff4cba368

SHA1
5daec93f32be971992e0830174933462938c52ae

SHA256
7d9ed9291cfda731cceb855fae9fe254c52a6eb5e70c6f988a6ebcbd8acf4b24

SHA512
8d39d0a79c0b5f49098018b714987374212d23f6a4a09263aa198e19e329850e024f4989adb179929f7f2e5b256520f2f91cbada1cce043815659eeb7dbb954c

Download Submit
C:\Windows\{DCFB2B86-A12C-4643-AFC0-B246B8504751}.exe

Filesize
344KB

MD5
6bb0247ce7dff1471774dfc534492e83

SHA1
b6f3d6e352c00c3c45914f65d8a94d0a5f62ffbd

SHA256
99f94e051f6a26cb167b6b77dd2399c4073a945cea7fa27d6f809022cb5f2424

SHA512
a4caeb27724636c52521390f9e9af67af78ccda9f1a67aa229496eee0b155458b6505341b143b3c655c9d399dfcf9a98f9390623feec5fca9288d213dba104c0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads