e1f7b2bb0d646204d14ca0f1e313c4ccb7be6acc6755a095dd89153d8e77d8d1

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_c0d85563429873aed4792bf8e410cf0a_goldeneye.exe
Size

180KB
MD5

c0d85563429873aed4792bf8e410cf0a
SHA1

a3ec535d02fb032aa326d99dfa5f5c44371dff56
SHA256

e1f7b2bb0d646204d14ca0f1e313c4ccb7be6acc6755a095dd89153d8e77d8d1
SHA512

7d8e14b575584673280de8b86b27a806ba291c069248495fb9a02cc1cce459ff4a034d817c4f25420ae2fab77e71005a6f4d3cfac085172fd980112a59ed9424
SSDEEP

3072:jEGh0o4lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGml5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002337e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002337f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002338d-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002337f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002338d-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002337f-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002338d-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023414-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000002338d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023405-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002340e-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023405-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E569EBC0-5966-433e-9E45-D4F0D23B386C}	{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21C9E08C-9A40-4a46-9815-7E0F358D68DC}	{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134C1BFB-9572-4362-90A8-E029DEC8BE65}	{21C9E08C-9A40-4a46-9815-7E0F358D68DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0162CFD1-A759-42e8-BA11-EDE9676A73F5}\stubpath = "C:\\Windows\\{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe"	2024-05-27_c0d85563429873aed4792bf8e410cf0a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}	{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}\stubpath = "C:\\Windows\\{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe"	{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134C1BFB-9572-4362-90A8-E029DEC8BE65}\stubpath = "C:\\Windows\\{134C1BFB-9572-4362-90A8-E029DEC8BE65}.exe"	{21C9E08C-9A40-4a46-9815-7E0F358D68DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BDE0F13-A4BE-4262-9053-1F48B5D7FAF1}	{134C1BFB-9572-4362-90A8-E029DEC8BE65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BDE0F13-A4BE-4262-9053-1F48B5D7FAF1}\stubpath = "C:\\Windows\\{5BDE0F13-A4BE-4262-9053-1F48B5D7FAF1}.exe"	{134C1BFB-9572-4362-90A8-E029DEC8BE65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7BB6F59-96FC-4a13-B456-897EBB076202}\stubpath = "C:\\Windows\\{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe"	{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}\stubpath = "C:\\Windows\\{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe"	{D04698CC-D786-426a-933B-24F1C329F747}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}	{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}	{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}\stubpath = "C:\\Windows\\{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe"	{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D04698CC-D786-426a-933B-24F1C329F747}	{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}	{D04698CC-D786-426a-933B-24F1C329F747}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E569EBC0-5966-433e-9E45-D4F0D23B386C}\stubpath = "C:\\Windows\\{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe"	{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}\stubpath = "C:\\Windows\\{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe"	{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}\stubpath = "C:\\Windows\\{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe"	{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}	{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21C9E08C-9A40-4a46-9815-7E0F358D68DC}\stubpath = "C:\\Windows\\{21C9E08C-9A40-4a46-9815-7E0F358D68DC}.exe"	{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0162CFD1-A759-42e8-BA11-EDE9676A73F5}	2024-05-27_c0d85563429873aed4792bf8e410cf0a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7BB6F59-96FC-4a13-B456-897EBB076202}	{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D04698CC-D786-426a-933B-24F1C329F747}\stubpath = "C:\\Windows\\{D04698CC-D786-426a-933B-24F1C329F747}.exe"	{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe

Executes dropped EXE 12 IoCs

pid	Process
552	{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe
1168	{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe
1256	{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe
2956	{D04698CC-D786-426a-933B-24F1C329F747}.exe
2844	{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe
4000	{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe
3468	{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe
3188	{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe
2840	{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe
2000	{21C9E08C-9A40-4a46-9815-7E0F358D68DC}.exe
3196	{134C1BFB-9572-4362-90A8-E029DEC8BE65}.exe
2324	{5BDE0F13-A4BE-4262-9053-1F48B5D7FAF1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe	{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe
File created	C:\Windows\{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe	{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe
File created	C:\Windows\{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe	{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe
File created	C:\Windows\{134C1BFB-9572-4362-90A8-E029DEC8BE65}.exe	{21C9E08C-9A40-4a46-9815-7E0F358D68DC}.exe
File created	C:\Windows\{5BDE0F13-A4BE-4262-9053-1F48B5D7FAF1}.exe	{134C1BFB-9572-4362-90A8-E029DEC8BE65}.exe
File created	C:\Windows\{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe	2024-05-27_c0d85563429873aed4792bf8e410cf0a_goldeneye.exe
File created	C:\Windows\{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe	{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe
File created	C:\Windows\{D04698CC-D786-426a-933B-24F1C329F747}.exe	{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe
File created	C:\Windows\{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe	{D04698CC-D786-426a-933B-24F1C329F747}.exe
File created	C:\Windows\{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe	{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe
File created	C:\Windows\{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe	{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe
File created	C:\Windows\{21C9E08C-9A40-4a46-9815-7E0F358D68DC}.exe	{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3208	2024-05-27_c0d85563429873aed4792bf8e410cf0a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	552	{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe
Token: SeIncBasePriorityPrivilege	1168	{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe
Token: SeIncBasePriorityPrivilege	1256	{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe
Token: SeIncBasePriorityPrivilege	2956	{D04698CC-D786-426a-933B-24F1C329F747}.exe
Token: SeIncBasePriorityPrivilege	2844	{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe
Token: SeIncBasePriorityPrivilege	4000	{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe
Token: SeIncBasePriorityPrivilege	3468	{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe
Token: SeIncBasePriorityPrivilege	3188	{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe
Token: SeIncBasePriorityPrivilege	2840	{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe
Token: SeIncBasePriorityPrivilege	2000	{21C9E08C-9A40-4a46-9815-7E0F358D68DC}.exe
Token: SeIncBasePriorityPrivilege	3196	{134C1BFB-9572-4362-90A8-E029DEC8BE65}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 552	3208	2024-05-27_c0d85563429873aed4792bf8e410cf0a_goldeneye.exe	94
PID 3208 wrote to memory of 552	3208	2024-05-27_c0d85563429873aed4792bf8e410cf0a_goldeneye.exe	94
PID 3208 wrote to memory of 552	3208	2024-05-27_c0d85563429873aed4792bf8e410cf0a_goldeneye.exe	94
PID 3208 wrote to memory of 4452	3208	2024-05-27_c0d85563429873aed4792bf8e410cf0a_goldeneye.exe	95
PID 3208 wrote to memory of 4452	3208	2024-05-27_c0d85563429873aed4792bf8e410cf0a_goldeneye.exe	95
PID 3208 wrote to memory of 4452	3208	2024-05-27_c0d85563429873aed4792bf8e410cf0a_goldeneye.exe	95
PID 552 wrote to memory of 1168	552	{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe	96
PID 552 wrote to memory of 1168	552	{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe	96
PID 552 wrote to memory of 1168	552	{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe	96
PID 552 wrote to memory of 1216	552	{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe	97
PID 552 wrote to memory of 1216	552	{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe	97
PID 552 wrote to memory of 1216	552	{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe	97
PID 1168 wrote to memory of 1256	1168	{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe	100
PID 1168 wrote to memory of 1256	1168	{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe	100
PID 1168 wrote to memory of 1256	1168	{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe	100
PID 1168 wrote to memory of 2288	1168	{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe	101
PID 1168 wrote to memory of 2288	1168	{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe	101
PID 1168 wrote to memory of 2288	1168	{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe	101
PID 1256 wrote to memory of 2956	1256	{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe	102
PID 1256 wrote to memory of 2956	1256	{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe	102
PID 1256 wrote to memory of 2956	1256	{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe	102
PID 1256 wrote to memory of 2952	1256	{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe	103
PID 1256 wrote to memory of 2952	1256	{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe	103
PID 1256 wrote to memory of 2952	1256	{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe	103
PID 2956 wrote to memory of 2844	2956	{D04698CC-D786-426a-933B-24F1C329F747}.exe	104
PID 2956 wrote to memory of 2844	2956	{D04698CC-D786-426a-933B-24F1C329F747}.exe	104
PID 2956 wrote to memory of 2844	2956	{D04698CC-D786-426a-933B-24F1C329F747}.exe	104
PID 2956 wrote to memory of 4240	2956	{D04698CC-D786-426a-933B-24F1C329F747}.exe	105
PID 2956 wrote to memory of 4240	2956	{D04698CC-D786-426a-933B-24F1C329F747}.exe	105
PID 2956 wrote to memory of 4240	2956	{D04698CC-D786-426a-933B-24F1C329F747}.exe	105
PID 2844 wrote to memory of 4000	2844	{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe	107
PID 2844 wrote to memory of 4000	2844	{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe	107
PID 2844 wrote to memory of 4000	2844	{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe	107
PID 2844 wrote to memory of 3036	2844	{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe	108
PID 2844 wrote to memory of 3036	2844	{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe	108
PID 2844 wrote to memory of 3036	2844	{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe	108
PID 4000 wrote to memory of 3468	4000	{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe	109
PID 4000 wrote to memory of 3468	4000	{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe	109
PID 4000 wrote to memory of 3468	4000	{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe	109
PID 4000 wrote to memory of 2096	4000	{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe	110
PID 4000 wrote to memory of 2096	4000	{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe	110
PID 4000 wrote to memory of 2096	4000	{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe	110
PID 3468 wrote to memory of 3188	3468	{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe	114
PID 3468 wrote to memory of 3188	3468	{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe	114
PID 3468 wrote to memory of 3188	3468	{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe	114
PID 3468 wrote to memory of 4708	3468	{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe	115
PID 3468 wrote to memory of 4708	3468	{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe	115
PID 3468 wrote to memory of 4708	3468	{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe	115
PID 3188 wrote to memory of 2840	3188	{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe	119
PID 3188 wrote to memory of 2840	3188	{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe	119
PID 3188 wrote to memory of 2840	3188	{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe	119
PID 3188 wrote to memory of 4412	3188	{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe	120
PID 3188 wrote to memory of 4412	3188	{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe	120
PID 3188 wrote to memory of 4412	3188	{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe	120
PID 2840 wrote to memory of 2000	2840	{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe	121
PID 2840 wrote to memory of 2000	2840	{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe	121
PID 2840 wrote to memory of 2000	2840	{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe	121
PID 2840 wrote to memory of 2164	2840	{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe	122
PID 2840 wrote to memory of 2164	2840	{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe	122
PID 2840 wrote to memory of 2164	2840	{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe	122
PID 2000 wrote to memory of 3196	2000	{21C9E08C-9A40-4a46-9815-7E0F358D68DC}.exe	125
PID 2000 wrote to memory of 3196	2000	{21C9E08C-9A40-4a46-9815-7E0F358D68DC}.exe	125
PID 2000 wrote to memory of 3196	2000	{21C9E08C-9A40-4a46-9815-7E0F358D68DC}.exe	125
PID 2000 wrote to memory of 940	2000	{21C9E08C-9A40-4a46-9815-7E0F358D68DC}.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-05-27_c0d85563429873aed4792bf8e410cf0a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_c0d85563429873aed4792bf8e410cf0a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe
  C:\Windows\{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe
    C:\Windows\{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe
      C:\Windows\{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Windows\{D04698CC-D786-426a-933B-24F1C329F747}.exe
        
        C:\Windows\{D04698CC-D786-426a-933B-24F1C329F747}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Windows\{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe
        
        C:\Windows\{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe
        
        C:\Windows\{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe
        
        C:\Windows\{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe
        
        C:\Windows\{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe
        
        C:\Windows\{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{21C9E08C-9A40-4a46-9815-7E0F358D68DC}.exe
        
        C:\Windows\{21C9E08C-9A40-4a46-9815-7E0F358D68DC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{134C1BFB-9572-4362-90A8-E029DEC8BE65}.exe
        
        C:\Windows\{134C1BFB-9572-4362-90A8-E029DEC8BE65}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
        
        C:\Windows\{5BDE0F13-A4BE-4262-9053-1F48B5D7FAF1}.exe
        
        C:\Windows\{5BDE0F13-A4BE-4262-9053-1F48B5D7FAF1}.exe
        13⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{134C1~1.EXE > nul
        13⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21C9E~1.EXE > nul
        12⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{616D3~1.EXE > nul
        11⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B353C~1.EXE > nul
        10⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01264~1.EXE > nul
        9⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E569E~1.EXE > nul
        8⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88BA1~1.EXE > nul
        7⤵
        
        PID:3036
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0469~1.EXE > nul
        6⤵
        
        PID:4240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7BB6~1.EXE > nul
        5⤵
        
        PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7FA5F~1.EXE > nul
      4⤵
      PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0162C~1.EXE > nul
    3⤵
    PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01264591-26C0-43c2-8B4F-0C7B2B78E2E7}.exe

Filesize
180KB

MD5
4861783cd9b55affc81a1bc70b560133

SHA1
78dfba429b8fa0ea16eb59f7116cf34c1c5a4427

SHA256
819b0ca195c2f682912b84853d070c0dd985f531c918e5ba1e5d497172a74c7c

SHA512
42d1d50d120fa73e83ff59f8fe496829b13542ca3ccbf1be9d46178210f15ccb7c2501038790c662738cc17478e6ecdb5347282f96e7c800ae583eeaffd8f3d5

Download Submit
C:\Windows\{0162CFD1-A759-42e8-BA11-EDE9676A73F5}.exe

Filesize
180KB

MD5
a1239b3a2a7da4a42f489692705c11ba

SHA1
bba5b0d4d74eb99dba6e5cc2bee88e75375b2863

SHA256
2bf533b63237aa7d79ccd924d472c3d3f56262e724479027d24dc5ad6152c87e

SHA512
fe21a7db865300d8039d0e55ee98a193faacd0b89a992131d8ce43da8cdcaaf54fc55c2c25dd7970988f7af2b9e4a1cd00f961c50bd7859021edcb34ccbedd5e

Download Submit
C:\Windows\{134C1BFB-9572-4362-90A8-E029DEC8BE65}.exe

Filesize
180KB

MD5
57c816cc9a0664ad19dfc651ac8be5b6

SHA1
a1d7e303768cb05b43b160f4634310c2912722d0

SHA256
daa3614dd31101e1e915e8d337b2eabdf35f6b7451489c5c0615ee9332bd214c

SHA512
cc17639cc26376dccd8648138d1898d4cff092e8db051763ce9ed83c032245d1e3310751c99fdbd6b4d9946bf2a58af8a7792e8449ea4b20ea64216105a247e0

Download Submit
C:\Windows\{21C9E08C-9A40-4a46-9815-7E0F358D68DC}.exe

Filesize
180KB

MD5
c6c92c5d8728d2f1daa1fb94c0d497a1

SHA1
3399e6566d31fb7c6cbd8adb9c48eb176c2a68e1

SHA256
db4ef54512d9438112eb2475873bc6b53bd791f078f322b9afad5ad5a497ada4

SHA512
d48a513c19cb48a6bfbd2ccf940dd95dce57dd4e9a72a1f277d1c15d34dee69ae96a16db384485e7b58e4ad7c7931b490b13adac5078639b3f0441dd47dd543b

Download Submit
C:\Windows\{5BDE0F13-A4BE-4262-9053-1F48B5D7FAF1}.exe

Filesize
180KB

MD5
957fe05aeb3b11ad28f3a8107c3c38c8

SHA1
af8e5fd9c7598039b3fe99a36244267205d3a774

SHA256
83ecb8a2dbfb9ddcad3b04657e55225768287c67272b491101a690115db38751

SHA512
15c631f974a32ed5a9b5dfc2eb831c1f915cd3eb397b7c48f47fccb7e0ef361e2f85c2b07a9834c902b9fcb517181fb93986b3cbcf4a9a3967c4683fc32088c4

Download Submit
C:\Windows\{616D3EAA-6B63-4043-BEC3-C5CDBD9D9673}.exe

Filesize
180KB

MD5
3df8488d6aeab6280dde4781b89e5609

SHA1
ad235c5a6a2b916581f5c51215460a0ad242b281

SHA256
16f013773d3e547c90d4fa5b1550d6c25357499758c0866061ffa1b4a909125d

SHA512
70e459153aaab4f6a4372e7aff596bfbd32f752c396de68904982f70efedc951beac8a534da728d2a8bd5555852c0be8222ebf3ba09498f7046a928c8b73eeb0

Download Submit
C:\Windows\{7FA5F0AB-D074-4272-B06C-77D49D9B9EF9}.exe

Filesize
180KB

MD5
db7af72d01c547ac3e0f873947e80f64

SHA1
a98a4caca84c49480473e9deeebfca5529a1c0ef

SHA256
e21d3ac392806d8dd9cb06cce2bbe6f765d7fc4b5a96e2a57b1fbefdbb241113

SHA512
b21d7ca5c9224b42068443ca71f4ae7734bffbf00ed17f235cb91924cb017197b9706eb7f163a8259f532c81c89f05dabf80d6317207359677a098b90ba21090

Download Submit
C:\Windows\{88BA1DFD-A982-4d5b-86D1-2B8439A09CAA}.exe

Filesize
180KB

MD5
18e97ef3e2edc7763184394fc4c456a2

SHA1
5468519e7dc421183accbba9d1c797b55de7985a

SHA256
fceff424381d0e4ce40bd338c52eb0c6d24f309e67ee323047af003f91c6b0b3

SHA512
b48a50c310da97cf04dbc0f46def7138e95ea1ccccff6a8c5fc06aaa15759c2eeb6bfaa9c6ee0cd0e86391e007388c0bd0e05fa4c00006eaa9fb631773a7fc25

Download Submit
C:\Windows\{B353C1DD-1BC6-4d1f-82E8-7A1C44EA9947}.exe

Filesize
180KB

MD5
cc7087eb49f8bfd624cc77e2dbdf48b2

SHA1
46937edb935c39624fcd4bf4bce9fe3c53ab6410

SHA256
31b8473dd9349d5b923a8977830fce674987187a6c13c4601a6440d543a51811

SHA512
087535076de361f2217d989012588793faaf3933486c1b3404c662a09c90e6d8bee2bda553133519201ac4aaaae63b0c566be39a4327dd4ab7d798fe19581b26

Download Submit
C:\Windows\{D04698CC-D786-426a-933B-24F1C329F747}.exe

Filesize
180KB

MD5
fffd733525aa56152cf7dc72991a17bf

SHA1
35c02d629a3988c605a8e9ff4193623deb8e79b7

SHA256
3426040594fff46f208b961c30031d8c6641b8240a1448dd277f7719c7116fb1

SHA512
ed915c86c9f8e063daffb4273d75489256ecb41c345abdaa17832eb177885d975b2177a7433c96f119cc407ad63d17f0756175e2c1c30452ecef7d3f62416d4e

Download Submit
C:\Windows\{E569EBC0-5966-433e-9E45-D4F0D23B386C}.exe

Filesize
180KB

MD5
7f80f453229a8fff226941eef31f8b24

SHA1
de7c429bdb8c1add29463cdf3cd821c1394d2bac

SHA256
90fa822528d0388b0eff5498b03db22bfcc42807bfca979973f7045a898ddcc3

SHA512
c6e89e98f2d5edccc79c3a656f240ee0c30e7da2f0a3b4735732a368d8ba294a153db45d7fd9092bb84160abe3888edc022b33fd5b6a9a8ffb1b197e349b33b2

Download Submit
C:\Windows\{F7BB6F59-96FC-4a13-B456-897EBB076202}.exe

Filesize
180KB

MD5
b3462fa9803127df4679c221b1d7ed47

SHA1
8af816d81b982636a75f363871b335a1b813b5f6

SHA256
215196593fd5d07493c1596be975918d4aceba43a60ce3b0550e08ae1a477c1e

SHA512
45c71c822f5edf0ead6e60ff08399f553076900655ee3a93d784807d1a76a7dbef7c0ffc34dc96b20bd6b895069c248f6644c4789def6637d8853bcc125725d6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads