cf7ae9d063e8bc17be1265b8e20e57e3af095194f479678813668dbb00f39dfa

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe
Size

344KB
MD5

acfa508c3acb9ee8e6ff23c9902563e0
SHA1

604e966f35234e1d4e48a82904ad4ad696c1f3b6
SHA256

cf7ae9d063e8bc17be1265b8e20e57e3af095194f479678813668dbb00f39dfa
SHA512

b6a251b2efe71906697928832ddfebabd66dac6a49186e790860891ad7df475ba283f5476f074834c7e23b9d97d5788df802210ca866383a14272245c20db52d
SSDEEP

3072:mEGh0o8lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGylqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023384-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001500000002338d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023398-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001600000002338d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023398-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023379-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023398-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002341d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023398-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002341d-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023398-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023420-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}	{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AE2965C-CD83-412b-8C8E-5D6626BDE3E7}	{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDD644DC-F1A4-49bc-8763-89EC71597EF1}	{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}\stubpath = "C:\\Windows\\{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe"	{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDD644DC-F1A4-49bc-8763-89EC71597EF1}\stubpath = "C:\\Windows\\{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe"	{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}	{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}	{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}\stubpath = "C:\\Windows\\{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}.exe"	{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AE2965C-CD83-412b-8C8E-5D6626BDE3E7}\stubpath = "C:\\Windows\\{3AE2965C-CD83-412b-8C8E-5D6626BDE3E7}.exe"	{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{846E176D-41F3-4e81-8E49-28B0478E1431}	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}\stubpath = "C:\\Windows\\{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe"	{846E176D-41F3-4e81-8E49-28B0478E1431}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}	{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}\stubpath = "C:\\Windows\\{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe"	{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}\stubpath = "C:\\Windows\\{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe"	{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6BA63E5-8A14-4b85-BD0B-1DD658738384}\stubpath = "C:\\Windows\\{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe"	{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}	{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B87F1E4-22DB-4493-ACC6-ECA197B2D909}\stubpath = "C:\\Windows\\{8B87F1E4-22DB-4493-ACC6-ECA197B2D909}.exe"	{3AE2965C-CD83-412b-8C8E-5D6626BDE3E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{846E176D-41F3-4e81-8E49-28B0478E1431}\stubpath = "C:\\Windows\\{846E176D-41F3-4e81-8E49-28B0478E1431}.exe"	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}	{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}\stubpath = "C:\\Windows\\{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe"	{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6BA63E5-8A14-4b85-BD0B-1DD658738384}	{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}\stubpath = "C:\\Windows\\{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe"	{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B87F1E4-22DB-4493-ACC6-ECA197B2D909}	{3AE2965C-CD83-412b-8C8E-5D6626BDE3E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}	{846E176D-41F3-4e81-8E49-28B0478E1431}.exe

Executes dropped EXE 12 IoCs

pid	Process
4892	{846E176D-41F3-4e81-8E49-28B0478E1431}.exe
3092	{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe
1184	{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe
1680	{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe
2348	{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe
5044	{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe
3652	{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe
3196	{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe
628	{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe
4744	{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}.exe
4440	{3AE2965C-CD83-412b-8C8E-5D6626BDE3E7}.exe
440	{8B87F1E4-22DB-4493-ACC6-ECA197B2D909}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe	{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe
File created	C:\Windows\{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe	{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe
File created	C:\Windows\{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe	{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe
File created	C:\Windows\{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}.exe	{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe
File created	C:\Windows\{8B87F1E4-22DB-4493-ACC6-ECA197B2D909}.exe	{3AE2965C-CD83-412b-8C8E-5D6626BDE3E7}.exe
File created	C:\Windows\{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe	{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe
File created	C:\Windows\{3AE2965C-CD83-412b-8C8E-5D6626BDE3E7}.exe	{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}.exe
File created	C:\Windows\{846E176D-41F3-4e81-8E49-28B0478E1431}.exe	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe
File created	C:\Windows\{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe	{846E176D-41F3-4e81-8E49-28B0478E1431}.exe
File created	C:\Windows\{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe	{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe
File created	C:\Windows\{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe	{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe
File created	C:\Windows\{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe	{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4888	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4892	{846E176D-41F3-4e81-8E49-28B0478E1431}.exe
Token: SeIncBasePriorityPrivilege	3092	{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe
Token: SeIncBasePriorityPrivilege	1184	{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe
Token: SeIncBasePriorityPrivilege	1680	{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe
Token: SeIncBasePriorityPrivilege	2348	{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe
Token: SeIncBasePriorityPrivilege	5044	{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe
Token: SeIncBasePriorityPrivilege	3652	{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe
Token: SeIncBasePriorityPrivilege	3196	{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe
Token: SeIncBasePriorityPrivilege	628	{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe
Token: SeIncBasePriorityPrivilege	4744	{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}.exe
Token: SeIncBasePriorityPrivilege	4440	{3AE2965C-CD83-412b-8C8E-5D6626BDE3E7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4892	4888	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe	95
PID 4888 wrote to memory of 4892	4888	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe	95
PID 4888 wrote to memory of 4892	4888	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe	95
PID 4888 wrote to memory of 1896	4888	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe	96
PID 4888 wrote to memory of 1896	4888	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe	96
PID 4888 wrote to memory of 1896	4888	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe	96
PID 4892 wrote to memory of 3092	4892	{846E176D-41F3-4e81-8E49-28B0478E1431}.exe	97
PID 4892 wrote to memory of 3092	4892	{846E176D-41F3-4e81-8E49-28B0478E1431}.exe	97
PID 4892 wrote to memory of 3092	4892	{846E176D-41F3-4e81-8E49-28B0478E1431}.exe	97
PID 4892 wrote to memory of 4676	4892	{846E176D-41F3-4e81-8E49-28B0478E1431}.exe	98
PID 4892 wrote to memory of 4676	4892	{846E176D-41F3-4e81-8E49-28B0478E1431}.exe	98
PID 4892 wrote to memory of 4676	4892	{846E176D-41F3-4e81-8E49-28B0478E1431}.exe	98
PID 3092 wrote to memory of 1184	3092	{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe	101
PID 3092 wrote to memory of 1184	3092	{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe	101
PID 3092 wrote to memory of 1184	3092	{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe	101
PID 3092 wrote to memory of 3484	3092	{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe	102
PID 3092 wrote to memory of 3484	3092	{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe	102
PID 3092 wrote to memory of 3484	3092	{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe	102
PID 1184 wrote to memory of 1680	1184	{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe	103
PID 1184 wrote to memory of 1680	1184	{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe	103
PID 1184 wrote to memory of 1680	1184	{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe	103
PID 1184 wrote to memory of 4572	1184	{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe	104
PID 1184 wrote to memory of 4572	1184	{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe	104
PID 1184 wrote to memory of 4572	1184	{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe	104
PID 1680 wrote to memory of 2348	1680	{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe	105
PID 1680 wrote to memory of 2348	1680	{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe	105
PID 1680 wrote to memory of 2348	1680	{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe	105
PID 1680 wrote to memory of 4936	1680	{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe	106
PID 1680 wrote to memory of 4936	1680	{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe	106
PID 1680 wrote to memory of 4936	1680	{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe	106
PID 2348 wrote to memory of 5044	2348	{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe	108
PID 2348 wrote to memory of 5044	2348	{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe	108
PID 2348 wrote to memory of 5044	2348	{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe	108
PID 2348 wrote to memory of 540	2348	{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe	109
PID 2348 wrote to memory of 540	2348	{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe	109
PID 2348 wrote to memory of 540	2348	{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe	109
PID 5044 wrote to memory of 3652	5044	{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe	110
PID 5044 wrote to memory of 3652	5044	{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe	110
PID 5044 wrote to memory of 3652	5044	{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe	110
PID 5044 wrote to memory of 1704	5044	{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe	111
PID 5044 wrote to memory of 1704	5044	{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe	111
PID 5044 wrote to memory of 1704	5044	{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe	111
PID 3652 wrote to memory of 3196	3652	{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe	118
PID 3652 wrote to memory of 3196	3652	{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe	118
PID 3652 wrote to memory of 3196	3652	{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe	118
PID 3652 wrote to memory of 5072	3652	{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe	119
PID 3652 wrote to memory of 5072	3652	{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe	119
PID 3652 wrote to memory of 5072	3652	{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe	119
PID 3196 wrote to memory of 628	3196	{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe	120
PID 3196 wrote to memory of 628	3196	{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe	120
PID 3196 wrote to memory of 628	3196	{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe	120
PID 3196 wrote to memory of 2744	3196	{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe	121
PID 3196 wrote to memory of 2744	3196	{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe	121
PID 3196 wrote to memory of 2744	3196	{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe	121
PID 628 wrote to memory of 4744	628	{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe	122
PID 628 wrote to memory of 4744	628	{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe	122
PID 628 wrote to memory of 4744	628	{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe	122
PID 628 wrote to memory of 2408	628	{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe	123
PID 628 wrote to memory of 2408	628	{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe	123
PID 628 wrote to memory of 2408	628	{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe	123
PID 4744 wrote to memory of 4440	4744	{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}.exe	124
PID 4744 wrote to memory of 4440	4744	{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}.exe	124
PID 4744 wrote to memory of 4440	4744	{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}.exe	124
PID 4744 wrote to memory of 4372	4744	{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\{846E176D-41F3-4e81-8E49-28B0478E1431}.exe
  C:\Windows\{846E176D-41F3-4e81-8E49-28B0478E1431}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe
    C:\Windows\{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe
      C:\Windows\{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Windows\{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe
        
        C:\Windows\{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe
        
        C:\Windows\{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe
        
        C:\Windows\{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe
        
        C:\Windows\{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe
        
        C:\Windows\{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe
        
        C:\Windows\{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}.exe
        
        C:\Windows\{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\{3AE2965C-CD83-412b-8C8E-5D6626BDE3E7}.exe
        
        C:\Windows\{3AE2965C-CD83-412b-8C8E-5D6626BDE3E7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
        
        C:\Windows\{8B87F1E4-22DB-4493-ACC6-ECA197B2D909}.exe
        
        C:\Windows\{8B87F1E4-22DB-4493-ACC6-ECA197B2D909}.exe
        13⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AE29~1.EXE > nul
        13⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC42F~1.EXE > nul
        12⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FC1F~1.EXE > nul
        11⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6BA6~1.EXE > nul
        10⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D64BE~1.EXE > nul
        9⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD6DD~1.EXE > nul
        8⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDD64~1.EXE > nul
        7⤵
        
        PID:540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E3C2~1.EXE > nul
        6⤵
        
        PID:4936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83BBF~1.EXE > nul
        5⤵
        
        PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D8D4A~1.EXE > nul
      4⤵
      PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{846E1~1.EXE > nul
    3⤵
    PID:4676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1FC1F08E-45B2-41ff-AFDF-9D43B91234EE}.exe

Filesize
344KB

MD5
da462199434dc2d516a29dd713f8621d

SHA1
6a04c3c84648bff59fb91a4be9c8f3880195733b

SHA256
1d9f5c9e7bb0a5534633430f32c12bbfb20bfab0364b263b8078769209cd4b04

SHA512
82f6a26e164cfc8c770bdeb9243610917f36df285404e313381b5af9e6b27a8baca2133ceff0b291a69f9cb4d9f50a54451d077f65494b9f288ef159646844ae

Download Submit
C:\Windows\{3AE2965C-CD83-412b-8C8E-5D6626BDE3E7}.exe

Filesize
344KB

MD5
e8bc5c59c2407e32f3a912c4703227f6

SHA1
3b9a43e2d561696cd7a5a00fe621885c0b0c4485

SHA256
3bb036f877c24782c0342a624a54b45fd81d59d05686462273cc5c2907bb8d0b

SHA512
876ce0b4336bca0709c1fadbc64f637e98199efbec458d3e0d41ffe7e56753c4cb502cbb13a8543464b21247a9016cbaa5e4ac6e8615655c47aee6e1a4153849

Download Submit
C:\Windows\{6E3C25BB-CE74-4ffe-90AC-10C57B417C33}.exe

Filesize
344KB

MD5
e44775e99547385781b9d56b2dc96a14

SHA1
7694fa55807cddbbed5e6e779229fee0435daa8b

SHA256
6de114428f77b30c270eb2f277761670bc00529bea3f8443e61adce9eff2222f

SHA512
8d392465dd0dc9ba8e63ee410c751190f34dac9cd6bb23ec50d4e3342f1caf5eb7f2aef978a4a568fbfa917a82470b8dac65b804a53b878a9a1ec5c00b703c5f

Download Submit
C:\Windows\{83BBFD09-5B9B-4fab-8138-7C1B38052FCA}.exe

Filesize
344KB

MD5
ae3b8e34cc7407cee8e3d9cd71a01202

SHA1
3ea294fb2ed578abcc3af55623144d4c5d4748ac

SHA256
ed06bc310a79a0d2a173285c919c595b4fde03fe253110b97e99c22c812ebd75

SHA512
1ce82090f701769876af419ec3e4d476a34790475de70807dcad8ba8b4c407756bef23aa477d12d90ba20ba5d11014b1ca7e2d15a0d6a6bb109520447a3fbd94

Download Submit
C:\Windows\{846E176D-41F3-4e81-8E49-28B0478E1431}.exe

Filesize
344KB

MD5
c8bd1cfa916dce437dcf7bfdcd14272d

SHA1
b8bc4f0a1f69d5c44720558882d6ede3c59c83a7

SHA256
4852c30ba17a02c5c324ba9a0366766ee54006e3a1f31de95ecf7e1b5cb3b55d

SHA512
120bef0c38e36ad9def54564552518cdc5399111f815ea998d8d39b2b94de2bca198e77507847f75c2b1bd731710b0560c82e6a24134c91cc0522a8d6ab9be43

Download Submit
C:\Windows\{8B87F1E4-22DB-4493-ACC6-ECA197B2D909}.exe

Filesize
344KB

MD5
d5a5fff1ef59aa6bd6c4744455af4123

SHA1
3986d3dce5f1b743b6729ff910f2b1cc966a7a23

SHA256
2cbe163b6722cab000040a412c219fdcb2b19cd8fa278bffbbc44e373d0f8ca7

SHA512
ccc3a63ac7fb76ea0981b86e9caa61fd1367ca29b8b3cf10e6aa2db6865dba285c6f8fc17115d04895164d0f225502a6c151acdfa533ace538e99e5a1d33a75c

Download Submit
C:\Windows\{BDD644DC-F1A4-49bc-8763-89EC71597EF1}.exe

Filesize
344KB

MD5
28100cc4c55131b96a4dbe1c9839d61b

SHA1
3efa488737f5f9da31202949280dada315e7f83f

SHA256
c3a8196c58c6bb23c031e6092ce1a84802ec66497e0f0a0751a134ba36f79e6d

SHA512
15b979c008bb180159b1e31cad349a5374a69b46f4815a084ae3d8b09f1bf848ed1a17941b1828b525368096cd872b5186c712f4bc8bf64f8371ab3763c608e5

Download Submit
C:\Windows\{D64BEBD0-0F79-4eb9-A537-49CF14C7B920}.exe

Filesize
344KB

MD5
256c5e923136eec5c3d100cc2446ada1

SHA1
9ed55a33e0bfb19990fdd823ef5ce618ce5847dc

SHA256
8be13cc64bec209d0602e82fd211ee75e54bbdf639c8547c411915a95d9357e7

SHA512
e46ba876dcff801d2ca733c3924bfeb332fd2efd2ae22dd76720f72d368d6cfe9f615034624590c8d3bc3adb6408606ea7399f754689971c4af3b2c85e1fd77d

Download Submit
C:\Windows\{D6BA63E5-8A14-4b85-BD0B-1DD658738384}.exe

Filesize
344KB

MD5
37e3d246e1b919db922b8f958258d4a4

SHA1
8a0ae1f25848273101df83740cc9653a2eb207de

SHA256
7139cb3c846f76980a544a3a79e0a9b321f029ae46b9b6f35f2cf1ecd6867da3

SHA512
7d4f8823d13961080a5945212fca37c5559f6ada6921216afbe3d5b3b686c2559ace60da6a684fbf08bac2a91a914ed3e1d3b548890542f898fd9b1fe3a38f24

Download Submit
C:\Windows\{D8D4AA2A-5DFB-489d-8EFB-9945DD53D0C9}.exe

Filesize
344KB

MD5
7b1d3f29e5e32a3ecce99a61ea9b93fd

SHA1
1ccfa3a9ebec15845462008e09ea2e3f0f4adfbb

SHA256
e4a931a57506be3721bf702da3a4bf8f02b53344d5068980a550d3243a80aa72

SHA512
aa93c46c34d90a0d2c446903720fc08cc079525735c4b57279f83d531ab965f1dd966f1cc258aec690bffac4768602e2336f5230d7bb5b1509b687d71db7dd32

Download Submit
C:\Windows\{EC42FC40-AB44-4cd8-9B51-B3820009E1FC}.exe

Filesize
344KB

MD5
197e978c3f77668e27ee6da201cd8be2

SHA1
fdd0f8a053cc167d360cc5dab78c27b6a9f694b0

SHA256
ca2a64ccdebc1e574e4408d82c044fbd98ff0eee104dc1b985c7da0284408bf2

SHA512
e87e99a98f3d92b5709e5100dc612f4ac32419ec0ca7f0e4e34142fdbb007ec70e47248b020225ce7992bb5451f360d980d589e7d798a8a65575382e7fb2e146

Download Submit
C:\Windows\{FD6DD1DE-934C-4e7b-95F0-766B631C1A29}.exe

Filesize
344KB

MD5
237cde5032eb31a228514b46ddc9bb98

SHA1
d524742f943e4dc5b75fabaf6fd7d130dc167243

SHA256
5259e64504e2d5a9f694e006e596c6d161bd1abfbe2e73f938013289637d83a9

SHA512
3fb1bac22de6f70d937ca404ffd47f6fa0099d6b9c55a0f5253d73aa5e726c325bcc20478a9f9e91ab912a06ee277647ac08322ca2c6b84bd8a395128e805cb8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads