ff12976a1169418732511afc0a1c16e08f5f3b51a008e8a752dba255770011d9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe
Size

216KB
MD5

02cee40891f0ec895fee7ec2e24c90e3
SHA1

7743bda3774f8af185c52a078fd12e46467ac500
SHA256

ff12976a1169418732511afc0a1c16e08f5f3b51a008e8a752dba255770011d9
SHA512

f479598a28cecbf455048d211dd1fac3d4e15180eba2d709f71f25f1e0c045ed5bd5e61d46a7989d2a956330bb0ae5273637aa1bca77bc3d5fd389a2124c0b26
SSDEEP

3072:jEGh0oIl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGylEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233ad-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233af-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233bf-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233af-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233c4-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000233c8-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233c4-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233b1-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233b3-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233b1-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233c7-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233b1-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5054B1E-F50D-4674-9225-B08E8DBD4149}\stubpath = "C:\\Windows\\{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe"	{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}\stubpath = "C:\\Windows\\{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe"	{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}	{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}\stubpath = "C:\\Windows\\{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe"	{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}	2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3740FF5E-F790-4c82-A012-F4AA75DF4C10}\stubpath = "C:\\Windows\\{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe"	{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5054B1E-F50D-4674-9225-B08E8DBD4149}	{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77A7F257-8159-4f54-8277-7627CD6B6975}\stubpath = "C:\\Windows\\{77A7F257-8159-4f54-8277-7627CD6B6975}.exe"	{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}	{77A7F257-8159-4f54-8277-7627CD6B6975}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}	{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AEA489F-BCA1-498f-A502-301382A2F0FC}	{44FE016F-FA13-4568-8765-D14F57EB563E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}\stubpath = "C:\\Windows\\{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe"	2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3740FF5E-F790-4c82-A012-F4AA75DF4C10}	{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77A7F257-8159-4f54-8277-7627CD6B6975}	{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44FE016F-FA13-4568-8765-D14F57EB563E}	{C73048B7-25D8-49eb-96A8-3A126E7B63EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}\stubpath = "C:\\Windows\\{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe"	{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C73048B7-25D8-49eb-96A8-3A126E7B63EC}	{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C73048B7-25D8-49eb-96A8-3A126E7B63EC}\stubpath = "C:\\Windows\\{C73048B7-25D8-49eb-96A8-3A126E7B63EC}.exe"	{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}	{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44FE016F-FA13-4568-8765-D14F57EB563E}\stubpath = "C:\\Windows\\{44FE016F-FA13-4568-8765-D14F57EB563E}.exe"	{C73048B7-25D8-49eb-96A8-3A126E7B63EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AEA489F-BCA1-498f-A502-301382A2F0FC}\stubpath = "C:\\Windows\\{7AEA489F-BCA1-498f-A502-301382A2F0FC}.exe"	{44FE016F-FA13-4568-8765-D14F57EB563E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{535614F5-B70A-4c73-8FD1-2255A762EA1D}	{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{535614F5-B70A-4c73-8FD1-2255A762EA1D}\stubpath = "C:\\Windows\\{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe"	{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}\stubpath = "C:\\Windows\\{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe"	{77A7F257-8159-4f54-8277-7627CD6B6975}.exe

Executes dropped EXE 12 IoCs

pid	Process
1884	{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe
3140	{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe
4260	{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe
2084	{77A7F257-8159-4f54-8277-7627CD6B6975}.exe
1916	{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe
444	{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe
3520	{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe
4652	{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe
4500	{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe
4464	{C73048B7-25D8-49eb-96A8-3A126E7B63EC}.exe
1568	{44FE016F-FA13-4568-8765-D14F57EB563E}.exe
4208	{7AEA489F-BCA1-498f-A502-301382A2F0FC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe	2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe
File created	C:\Windows\{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe	{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe
File created	C:\Windows\{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe	{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe
File created	C:\Windows\{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe	{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe
File created	C:\Windows\{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe	{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe
File created	C:\Windows\{C73048B7-25D8-49eb-96A8-3A126E7B63EC}.exe	{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe
File created	C:\Windows\{44FE016F-FA13-4568-8765-D14F57EB563E}.exe	{C73048B7-25D8-49eb-96A8-3A126E7B63EC}.exe
File created	C:\Windows\{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe	{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe
File created	C:\Windows\{77A7F257-8159-4f54-8277-7627CD6B6975}.exe	{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe
File created	C:\Windows\{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe	{77A7F257-8159-4f54-8277-7627CD6B6975}.exe
File created	C:\Windows\{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe	{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe
File created	C:\Windows\{7AEA489F-BCA1-498f-A502-301382A2F0FC}.exe	{44FE016F-FA13-4568-8765-D14F57EB563E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3844	2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1884	{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe
Token: SeIncBasePriorityPrivilege	3140	{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe
Token: SeIncBasePriorityPrivilege	4260	{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe
Token: SeIncBasePriorityPrivilege	2084	{77A7F257-8159-4f54-8277-7627CD6B6975}.exe
Token: SeIncBasePriorityPrivilege	1916	{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe
Token: SeIncBasePriorityPrivilege	444	{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe
Token: SeIncBasePriorityPrivilege	3520	{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe
Token: SeIncBasePriorityPrivilege	4652	{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe
Token: SeIncBasePriorityPrivilege	4500	{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe
Token: SeIncBasePriorityPrivilege	4464	{C73048B7-25D8-49eb-96A8-3A126E7B63EC}.exe
Token: SeIncBasePriorityPrivilege	1568	{44FE016F-FA13-4568-8765-D14F57EB563E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 1884	3844	2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe	102
PID 3844 wrote to memory of 1884	3844	2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe	102
PID 3844 wrote to memory of 1884	3844	2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe	102
PID 3844 wrote to memory of 4332	3844	2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe	103
PID 3844 wrote to memory of 4332	3844	2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe	103
PID 3844 wrote to memory of 4332	3844	2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe	103
PID 1884 wrote to memory of 3140	1884	{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe	104
PID 1884 wrote to memory of 3140	1884	{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe	104
PID 1884 wrote to memory of 3140	1884	{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe	104
PID 1884 wrote to memory of 4324	1884	{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe	105
PID 1884 wrote to memory of 4324	1884	{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe	105
PID 1884 wrote to memory of 4324	1884	{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe	105
PID 3140 wrote to memory of 4260	3140	{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe	109
PID 3140 wrote to memory of 4260	3140	{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe	109
PID 3140 wrote to memory of 4260	3140	{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe	109
PID 3140 wrote to memory of 3040	3140	{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe	110
PID 3140 wrote to memory of 3040	3140	{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe	110
PID 3140 wrote to memory of 3040	3140	{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe	110
PID 4260 wrote to memory of 2084	4260	{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe	111
PID 4260 wrote to memory of 2084	4260	{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe	111
PID 4260 wrote to memory of 2084	4260	{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe	111
PID 4260 wrote to memory of 2716	4260	{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe	112
PID 4260 wrote to memory of 2716	4260	{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe	112
PID 4260 wrote to memory of 2716	4260	{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe	112
PID 2084 wrote to memory of 1916	2084	{77A7F257-8159-4f54-8277-7627CD6B6975}.exe	114
PID 2084 wrote to memory of 1916	2084	{77A7F257-8159-4f54-8277-7627CD6B6975}.exe	114
PID 2084 wrote to memory of 1916	2084	{77A7F257-8159-4f54-8277-7627CD6B6975}.exe	114
PID 2084 wrote to memory of 2828	2084	{77A7F257-8159-4f54-8277-7627CD6B6975}.exe	115
PID 2084 wrote to memory of 2828	2084	{77A7F257-8159-4f54-8277-7627CD6B6975}.exe	115
PID 2084 wrote to memory of 2828	2084	{77A7F257-8159-4f54-8277-7627CD6B6975}.exe	115
PID 1916 wrote to memory of 444	1916	{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe	117
PID 1916 wrote to memory of 444	1916	{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe	117
PID 1916 wrote to memory of 444	1916	{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe	117
PID 1916 wrote to memory of 4888	1916	{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe	118
PID 1916 wrote to memory of 4888	1916	{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe	118
PID 1916 wrote to memory of 4888	1916	{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe	118
PID 444 wrote to memory of 3520	444	{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe	119
PID 444 wrote to memory of 3520	444	{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe	119
PID 444 wrote to memory of 3520	444	{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe	119
PID 444 wrote to memory of 3876	444	{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe	120
PID 444 wrote to memory of 3876	444	{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe	120
PID 444 wrote to memory of 3876	444	{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe	120
PID 3520 wrote to memory of 4652	3520	{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe	129
PID 3520 wrote to memory of 4652	3520	{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe	129
PID 3520 wrote to memory of 4652	3520	{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe	129
PID 3520 wrote to memory of 1588	3520	{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe	130
PID 3520 wrote to memory of 1588	3520	{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe	130
PID 3520 wrote to memory of 1588	3520	{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe	130
PID 4652 wrote to memory of 4500	4652	{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe	131
PID 4652 wrote to memory of 4500	4652	{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe	131
PID 4652 wrote to memory of 4500	4652	{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe	131
PID 4652 wrote to memory of 4072	4652	{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe	132
PID 4652 wrote to memory of 4072	4652	{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe	132
PID 4652 wrote to memory of 4072	4652	{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe	132
PID 4500 wrote to memory of 4464	4500	{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe	133
PID 4500 wrote to memory of 4464	4500	{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe	133
PID 4500 wrote to memory of 4464	4500	{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe	133
PID 4500 wrote to memory of 2164	4500	{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe	134
PID 4500 wrote to memory of 2164	4500	{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe	134
PID 4500 wrote to memory of 2164	4500	{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe	134
PID 4464 wrote to memory of 1568	4464	{C73048B7-25D8-49eb-96A8-3A126E7B63EC}.exe	137
PID 4464 wrote to memory of 1568	4464	{C73048B7-25D8-49eb-96A8-3A126E7B63EC}.exe	137
PID 4464 wrote to memory of 1568	4464	{C73048B7-25D8-49eb-96A8-3A126E7B63EC}.exe	137
PID 4464 wrote to memory of 1520	4464	{C73048B7-25D8-49eb-96A8-3A126E7B63EC}.exe	138

C:\Users\Admin\AppData\Local\Temp\2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe
  C:\Windows\{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe
    C:\Windows\{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe
      C:\Windows\{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4260
    - - C:\Windows\{77A7F257-8159-4f54-8277-7627CD6B6975}.exe
        
        C:\Windows\{77A7F257-8159-4f54-8277-7627CD6B6975}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Windows\{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe
        
        C:\Windows\{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe
        
        C:\Windows\{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe
        
        C:\Windows\{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe
        
        C:\Windows\{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe
        
        C:\Windows\{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\{C73048B7-25D8-49eb-96A8-3A126E7B63EC}.exe
        
        C:\Windows\{C73048B7-25D8-49eb-96A8-3A126E7B63EC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\{44FE016F-FA13-4568-8765-D14F57EB563E}.exe
        
        C:\Windows\{44FE016F-FA13-4568-8765-D14F57EB563E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\{7AEA489F-BCA1-498f-A502-301382A2F0FC}.exe
        
        C:\Windows\{7AEA489F-BCA1-498f-A502-301382A2F0FC}.exe
        13⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44FE0~1.EXE > nul
        13⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7304~1.EXE > nul
        12⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DC7E~1.EXE > nul
        11⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F5D2~1.EXE > nul
        10⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D4A8~1.EXE > nul
        9⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5054~1.EXE > nul
        8⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB023~1.EXE > nul
        7⤵
        
        PID:4888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77A7F~1.EXE > nul
        6⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53561~1.EXE > nul
        5⤵
        
        PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3740F~1.EXE > nul
      4⤵
      PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{97FF4~1.EXE > nul
    3⤵
    PID:4324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3740FF5E-F790-4c82-A012-F4AA75DF4C10}.exe

Filesize
216KB

MD5
d69290e080f68095ad5e55cf4709ee96

SHA1
dbb5860a9bf6ca9866634e2cc540871dd980df75

SHA256
bf2c9609fd986bcdae5c2e2fb555a05179d8b49b2b04b66ba9560c0a93091d4a

SHA512
e378908b215a44978e98ca33e3bfdcf0f9f18124e542f18639c6b63e9a5d17ddf8917618953033d51f58bdc1983a47b2845a6cc700f54489bba357328381f1ec

Download Submit
C:\Windows\{44FE016F-FA13-4568-8765-D14F57EB563E}.exe

Filesize
216KB

MD5
2a5fae8ad0558b287d02048e6de06c13

SHA1
f85ac061659b224d482ec3af9f16081ca15eb1d3

SHA256
e3c4026c3cb1e95dde3c429b0868001f2daacdb556f5646c7a558cc298898eab

SHA512
08be8d96382235114fe9fed0273f2e59c3ef2ff9c5554b958ab1f40211a2833cb0b31dd089f9eef8426ab1a975d8338dbcef02b90dd5016e36ab0d67165c621d

Download Submit
C:\Windows\{4DC7EC3D-5081-4ae2-8EE6-5A76E7164DAA}.exe

Filesize
216KB

MD5
48195ce260a8de741c0105f20366b299

SHA1
a996eadcd5b68fccc7d8f34577f6210e6d46316d

SHA256
9232cb8503890557cc8556a9a8f6073919db69dd746c234429487736ed873be4

SHA512
d814ffe23b5ffed5eaef9d4175cd6d3c7e6ffc43c8a4b369b973db62785b9c09e823562dbc945e2a155001914b27afb29a2ab7a64112fff57c42c384dbdbf4b1

Download Submit
C:\Windows\{535614F5-B70A-4c73-8FD1-2255A762EA1D}.exe

Filesize
216KB

MD5
d4c2c3ab0dfd2457603fe5758fd2fa52

SHA1
3749fb3e28623ece7cf754d487ab0ea0d51eeb99

SHA256
951142909bc3cefb82d22a684a0dda54ff321f0c9a421ae23d08e000783a8395

SHA512
a4969e6e244d6c517593d4e6006c45ca384215c44662279815fc9cb23073e8bb78586b74fb7ea7036bf6cd14a8859421cde1c7c88294e489f0dedbfb8e136fae

Download Submit
C:\Windows\{77A7F257-8159-4f54-8277-7627CD6B6975}.exe

Filesize
216KB

MD5
8ead4a0729423b72ca5e3cfc10cab4e5

SHA1
6ac1c7007f6e497fce182e8826b55b2860e4054c

SHA256
813449a7ce5ac03ffd634df6072dec0293cbd2bedb729f1d98b7fc2f357ad804

SHA512
b133690b0d7684ca5fdba7ace3a474b9e6934637eff89a5e1cbe7849df92e9c025f0626c17a1ff29b76deab2de08b8550ab3da1b933e74bbe648f0baa7335b6e

Download Submit
C:\Windows\{7AEA489F-BCA1-498f-A502-301382A2F0FC}.exe

Filesize
216KB

MD5
64dc32dab67c6a939765aa80516a5711

SHA1
428931229f27d31a6fd39dfc7e897744d4750ab0

SHA256
caf4c6ffb78cc3c2b7b2ce3ce47236007f7c311689eb04551cd8b96f920aabb6

SHA512
7102dd046689fd14e18eb2e74fd3bc63cd43355c22811bf814b4702e57deb80e703b80c03f01103fc628f5f2bc22aa3fb2fea809c05d5525ad4037117fb737be

Download Submit
C:\Windows\{8D4A8E0F-8EE8-42cf-A166-6E439CC2D120}.exe

Filesize
216KB

MD5
181b655d1457f423e49d26549e648106

SHA1
6a8f217f30bc78f21c2bb30574f707a102746074

SHA256
b6a32e2193eccada79aa8eeb3d007608fb054dfd840beab500a31dd93eb0186f

SHA512
181495eba9adf51651da5cf46dee1ce4429c46441aeb99490d378f83b37eb6abb5040dcea9e94979d95571d0fa75d26b336b950291336ee9397177ead5e19b2b

Download Submit
C:\Windows\{8F5D20A8-FFC3-4e09-9060-32D3E66FF5EE}.exe

Filesize
216KB

MD5
7345983ae1656bfc240f500081988126

SHA1
957ad5b70288cc9c52b65696dcce06269ff5891c

SHA256
cba9b5c7c47129813399805fd24e6f4fd469752dd575941fedcdf6efb12969b7

SHA512
166ef1d889820f2b9ea7a7bdceb175664fd46c0f06da80cdc4af0660e68d22d61f0fca525bbdeb34f9ce9d8c11aee9c5b628e31444fa12dca4f14bae054a3732

Download Submit
C:\Windows\{97FF48AE-BC1A-43bb-9FC9-0DE8545DF3C4}.exe

Filesize
216KB

MD5
8911ccb9f23df2498952fe4c5beca1aa

SHA1
cd9b94927354913c5b74bb4d0bea8fb0fb745486

SHA256
566e21b8572eb68b54c915d683adf0662b9d1d3d272a051174c877b579dc17ff

SHA512
a22e5783d531eb3c2f260acc194fc0f7a428c1c1dede4fa299d5e68082a731e52b308a2e775013c438738d3d4d4cde51d6c99de9a0bb28c7d02175faf0eb360a

Download Submit
C:\Windows\{AB02361F-82B6-4fe6-8FDC-52BF8DA8DEEE}.exe

Filesize
216KB

MD5
492143ee32e212c0132286d51d00b520

SHA1
61f377bad2181a6be9c9e1cb88f9ba92b6905abe

SHA256
742e0d877db8c8630b492d8bc290a5f475d90eca8acb1b9567ee0dda3acddf56

SHA512
818999efe13472c6650638b11d0a29d2c87de3d572e733683d8b8cc0594c7b994f443e1b20cb862f52c9345fb9ecd601e5c4f9b5cdbb6e09078c5c9f809b9ad0

Download Submit
C:\Windows\{C73048B7-25D8-49eb-96A8-3A126E7B63EC}.exe

Filesize
216KB

MD5
2f08ad0549e11d46f3e0706dfd76e457

SHA1
f8935cee7108a8fc39820f3d5002219dc3992ce7

SHA256
48397def6c876ac59ed332fc77ff743bb9093585d8d01655ad2ece1cdac7f671

SHA512
6c8bc2cb81bf085cbabad65ffede0ba15cfdbccaa64d07bf4a7dc22382bfc168bbfade8679e4ba19fdab41a01ee7019492ccd4d0eed888011ddedb986912d114

Download Submit
C:\Windows\{D5054B1E-F50D-4674-9225-B08E8DBD4149}.exe

Filesize
216KB

MD5
bc3e40e6993aceda6fbddac6d86afcc3

SHA1
dcd5049658642b5c727afe41a7a180b8383bd20c

SHA256
92d021e257ed60014adfb77be567f37a6900b2f04b4ee0014ffc64acdda79717

SHA512
b2197761729320b810c7052a5609c306489a51065f071794d0c36863e7502d61c588aabdf247ea08a18b09aba546e4b0101831c5b7406555aebad217224ca504

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads