ab86e7ce5153f89c5a013c73f6a178cc7e57992122808988e7040b89980ca48b

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_7344d2557331bf42def3b7afde750590_goldeneye.exe
Size

180KB
MD5

7344d2557331bf42def3b7afde750590
SHA1

67799b24fdeaac3f4b617bacf9d27d0f8afe7a3a
SHA256

ab86e7ce5153f89c5a013c73f6a178cc7e57992122808988e7040b89980ca48b
SHA512

977997340848407ca26ff3308fc9db32a1b786874e003924d7423e4619a9feefa8ab212222b6102e4e69103ffcda794e01067a937fd10c750a76eef4963c975b
SSDEEP

3072:jEGh0oqlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGgl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x001200000002343f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023445-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002344b-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023445-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002344b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023445-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002344b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000731-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072f-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000731-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006dd-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}\stubpath = "C:\\Windows\\{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe"	{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}\stubpath = "C:\\Windows\\{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}.exe"	{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C94F6CBF-6A01-44fa-9468-AB7F4A5100F6}	{EDC8A47D-88FF-4f43-8DF8-A0CA8A597577}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}	{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}	{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}\stubpath = "C:\\Windows\\{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe"	{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}\stubpath = "C:\\Windows\\{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe"	{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}	{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4116A99-2962-4ef4-89FA-642CB273A682}\stubpath = "C:\\Windows\\{F4116A99-2962-4ef4-89FA-642CB273A682}.exe"	{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}	{F4116A99-2962-4ef4-89FA-642CB273A682}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC8A47D-88FF-4f43-8DF8-A0CA8A597577}\stubpath = "C:\\Windows\\{EDC8A47D-88FF-4f43-8DF8-A0CA8A597577}.exe"	{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}\stubpath = "C:\\Windows\\{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe"	{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}\stubpath = "C:\\Windows\\{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe"	{F4116A99-2962-4ef4-89FA-642CB273A682}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{166BE535-5A83-4f15-91E7-F89113AD5A99}	{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7927A663-E604-4d8a-A46D-B43B8CBC2367}	2024-05-29_7344d2557331bf42def3b7afde750590_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7927A663-E604-4d8a-A46D-B43B8CBC2367}\stubpath = "C:\\Windows\\{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe"	2024-05-29_7344d2557331bf42def3b7afde750590_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}	{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4116A99-2962-4ef4-89FA-642CB273A682}	{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{166BE535-5A83-4f15-91E7-F89113AD5A99}\stubpath = "C:\\Windows\\{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe"	{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}	{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}\stubpath = "C:\\Windows\\{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe"	{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}	{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC8A47D-88FF-4f43-8DF8-A0CA8A597577}	{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C94F6CBF-6A01-44fa-9468-AB7F4A5100F6}\stubpath = "C:\\Windows\\{C94F6CBF-6A01-44fa-9468-AB7F4A5100F6}.exe"	{EDC8A47D-88FF-4f43-8DF8-A0CA8A597577}.exe

Executes dropped EXE 12 IoCs

pid	Process
4920	{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe
3828	{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe
4992	{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe
2544	{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe
3344	{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe
4280	{F4116A99-2962-4ef4-89FA-642CB273A682}.exe
956	{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe
2956	{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe
5100	{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe
3864	{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}.exe
3368	{EDC8A47D-88FF-4f43-8DF8-A0CA8A597577}.exe
1396	{C94F6CBF-6A01-44fa-9468-AB7F4A5100F6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}.exe	{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe
File created	C:\Windows\{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe	2024-05-29_7344d2557331bf42def3b7afde750590_goldeneye.exe
File created	C:\Windows\{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe	{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe
File created	C:\Windows\{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe	{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe
File created	C:\Windows\{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe	{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe
File created	C:\Windows\{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe	{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe
File created	C:\Windows\{EDC8A47D-88FF-4f43-8DF8-A0CA8A597577}.exe	{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}.exe
File created	C:\Windows\{C94F6CBF-6A01-44fa-9468-AB7F4A5100F6}.exe	{EDC8A47D-88FF-4f43-8DF8-A0CA8A597577}.exe
File created	C:\Windows\{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe	{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe
File created	C:\Windows\{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe	{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe
File created	C:\Windows\{F4116A99-2962-4ef4-89FA-642CB273A682}.exe	{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe
File created	C:\Windows\{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe	{F4116A99-2962-4ef4-89FA-642CB273A682}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2176	2024-05-29_7344d2557331bf42def3b7afde750590_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4920	{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe
Token: SeIncBasePriorityPrivilege	3828	{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe
Token: SeIncBasePriorityPrivilege	4992	{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe
Token: SeIncBasePriorityPrivilege	2544	{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe
Token: SeIncBasePriorityPrivilege	3344	{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe
Token: SeIncBasePriorityPrivilege	4280	{F4116A99-2962-4ef4-89FA-642CB273A682}.exe
Token: SeIncBasePriorityPrivilege	956	{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe
Token: SeIncBasePriorityPrivilege	2956	{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe
Token: SeIncBasePriorityPrivilege	5100	{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe
Token: SeIncBasePriorityPrivilege	3864	{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}.exe
Token: SeIncBasePriorityPrivilege	3368	{EDC8A47D-88FF-4f43-8DF8-A0CA8A597577}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 4920	2176	2024-05-29_7344d2557331bf42def3b7afde750590_goldeneye.exe	95
PID 2176 wrote to memory of 4920	2176	2024-05-29_7344d2557331bf42def3b7afde750590_goldeneye.exe	95
PID 2176 wrote to memory of 4920	2176	2024-05-29_7344d2557331bf42def3b7afde750590_goldeneye.exe	95
PID 2176 wrote to memory of 4104	2176	2024-05-29_7344d2557331bf42def3b7afde750590_goldeneye.exe	96
PID 2176 wrote to memory of 4104	2176	2024-05-29_7344d2557331bf42def3b7afde750590_goldeneye.exe	96
PID 2176 wrote to memory of 4104	2176	2024-05-29_7344d2557331bf42def3b7afde750590_goldeneye.exe	96
PID 4920 wrote to memory of 3828	4920	{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe	97
PID 4920 wrote to memory of 3828	4920	{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe	97
PID 4920 wrote to memory of 3828	4920	{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe	97
PID 4920 wrote to memory of 1516	4920	{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe	98
PID 4920 wrote to memory of 1516	4920	{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe	98
PID 4920 wrote to memory of 1516	4920	{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe	98
PID 3828 wrote to memory of 4992	3828	{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe	100
PID 3828 wrote to memory of 4992	3828	{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe	100
PID 3828 wrote to memory of 4992	3828	{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe	100
PID 3828 wrote to memory of 1036	3828	{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe	101
PID 3828 wrote to memory of 1036	3828	{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe	101
PID 3828 wrote to memory of 1036	3828	{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe	101
PID 4992 wrote to memory of 2544	4992	{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe	102
PID 4992 wrote to memory of 2544	4992	{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe	102
PID 4992 wrote to memory of 2544	4992	{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe	102
PID 4992 wrote to memory of 1128	4992	{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe	103
PID 4992 wrote to memory of 1128	4992	{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe	103
PID 4992 wrote to memory of 1128	4992	{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe	103
PID 2544 wrote to memory of 3344	2544	{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe	104
PID 2544 wrote to memory of 3344	2544	{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe	104
PID 2544 wrote to memory of 3344	2544	{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe	104
PID 2544 wrote to memory of 2740	2544	{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe	105
PID 2544 wrote to memory of 2740	2544	{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe	105
PID 2544 wrote to memory of 2740	2544	{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe	105
PID 3344 wrote to memory of 4280	3344	{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe	106
PID 3344 wrote to memory of 4280	3344	{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe	106
PID 3344 wrote to memory of 4280	3344	{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe	106
PID 3344 wrote to memory of 392	3344	{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe	107
PID 3344 wrote to memory of 392	3344	{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe	107
PID 3344 wrote to memory of 392	3344	{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe	107
PID 4280 wrote to memory of 956	4280	{F4116A99-2962-4ef4-89FA-642CB273A682}.exe	108
PID 4280 wrote to memory of 956	4280	{F4116A99-2962-4ef4-89FA-642CB273A682}.exe	108
PID 4280 wrote to memory of 956	4280	{F4116A99-2962-4ef4-89FA-642CB273A682}.exe	108
PID 4280 wrote to memory of 3556	4280	{F4116A99-2962-4ef4-89FA-642CB273A682}.exe	109
PID 4280 wrote to memory of 3556	4280	{F4116A99-2962-4ef4-89FA-642CB273A682}.exe	109
PID 4280 wrote to memory of 3556	4280	{F4116A99-2962-4ef4-89FA-642CB273A682}.exe	109
PID 956 wrote to memory of 2956	956	{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe	110
PID 956 wrote to memory of 2956	956	{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe	110
PID 956 wrote to memory of 2956	956	{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe	110
PID 956 wrote to memory of 1176	956	{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe	111
PID 956 wrote to memory of 1176	956	{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe	111
PID 956 wrote to memory of 1176	956	{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe	111
PID 2956 wrote to memory of 5100	2956	{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe	112
PID 2956 wrote to memory of 5100	2956	{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe	112
PID 2956 wrote to memory of 5100	2956	{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe	112
PID 2956 wrote to memory of 1840	2956	{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe	113
PID 2956 wrote to memory of 1840	2956	{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe	113
PID 2956 wrote to memory of 1840	2956	{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe	113
PID 5100 wrote to memory of 3864	5100	{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe	114
PID 5100 wrote to memory of 3864	5100	{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe	114
PID 5100 wrote to memory of 3864	5100	{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe	114
PID 5100 wrote to memory of 1500	5100	{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe	115
PID 5100 wrote to memory of 1500	5100	{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe	115
PID 5100 wrote to memory of 1500	5100	{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe	115
PID 3864 wrote to memory of 3368	3864	{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}.exe	116
PID 3864 wrote to memory of 3368	3864	{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}.exe	116
PID 3864 wrote to memory of 3368	3864	{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}.exe	116
PID 3864 wrote to memory of 2400	3864	{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-05-29_7344d2557331bf42def3b7afde750590_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_7344d2557331bf42def3b7afde750590_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe
  C:\Windows\{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe
    C:\Windows\{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Windows\{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe
      C:\Windows\{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe
        
        C:\Windows\{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe
        
        C:\Windows\{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\{F4116A99-2962-4ef4-89FA-642CB273A682}.exe
        
        C:\Windows\{F4116A99-2962-4ef4-89FA-642CB273A682}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe
        
        C:\Windows\{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe
        
        C:\Windows\{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe
        
        C:\Windows\{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}.exe
        
        C:\Windows\{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\{EDC8A47D-88FF-4f43-8DF8-A0CA8A597577}.exe
        
        C:\Windows\{EDC8A47D-88FF-4f43-8DF8-A0CA8A597577}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
        
        C:\Windows\{C94F6CBF-6A01-44fa-9468-AB7F4A5100F6}.exe
        
        C:\Windows\{C94F6CBF-6A01-44fa-9468-AB7F4A5100F6}.exe
        13⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDC8A~1.EXE > nul
        13⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA1C4~1.EXE > nul
        12⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C0F5~1.EXE > nul
        11⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{166BE~1.EXE > nul
        10⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85CCB~1.EXE > nul
        9⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4116~1.EXE > nul
        8⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A947D~1.EXE > nul
        7⤵
        
        PID:392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DE4D~1.EXE > nul
        6⤵
        
        PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA8D5~1.EXE > nul
        5⤵
        
        PID:1128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3CDBC~1.EXE > nul
      4⤵
      PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7927A~1.EXE > nul
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{166BE535-5A83-4f15-91E7-F89113AD5A99}.exe

Filesize
180KB

MD5
3adfa5dce0b42ea8730680072dfc1c6d

SHA1
1ddb957acac8bfa2c69debd3d2c9e01c110ff080

SHA256
f2b8bc67c6006b390b6cfd90c6b3c71498f07617e1a69f41958a918cbe42397a

SHA512
1fec0a96889824e1c303cd44db36373316fc70d8254a2e51a8eb3b71b17124f83569297c2ffcda8720f4db5473fc4459146788452332079195ce7ad4c38520cf

Download Submit
C:\Windows\{3CDBCE89-9091-44da-8AE8-6AC8B914F2CC}.exe

Filesize
180KB

MD5
4bd517199470a5f08458425cc4631de0

SHA1
447b28d550a23864f3764fdd1e7f52d74e1d1d15

SHA256
70d26c5ae86afbe54946c93fc3d1cb37bb03f7c9a061d3043965039f09d5864a

SHA512
f755d04ae97090dad5341642ada4e08dd325a0e104ba4613953440a4d08a7842f62346fa69883be666aecc9ec7c8bc41e31b615716c32c4d42343e1fa591552b

Download Submit
C:\Windows\{6C0F577D-BA02-4267-B1B2-B989D2AAE8D4}.exe

Filesize
180KB

MD5
1fe7ff972aef8347aaf349816e00e00a

SHA1
7b7de00e8cf934ba34cb090d3bd5d097307b7303

SHA256
52bfba0af02c72cb84afe91ac52df45091fce0c34fc5b40913288b3518f496b5

SHA512
06757cb3085c7679972e4dcb79ecdf93a2eaa47f091013e29bb58d4ea1399b56b37826845f7c5bfca4289883179251236d3717917b776efe2b4807092bac31b1

Download Submit
C:\Windows\{6DE4DC19-C06D-442d-AB75-9E2CDADE4E66}.exe

Filesize
180KB

MD5
38f615927122d145e67c1b650c1b5d79

SHA1
6be8cfac1f533e5aee804895e63f2ba09dcad76f

SHA256
bbf9961bedaad9b2ae3e79bc2e2659f5a0d145ab96eb679353b5ed0269cd9702

SHA512
aa79e34dba23009572147a29a89e271bdb987d9320a0f5595dd9ee8db394bd1b7f517fbc5f868eb9aa280c843c78f06f78ea994aceb89b2690e7ef82f4c43dd2

Download Submit
C:\Windows\{7927A663-E604-4d8a-A46D-B43B8CBC2367}.exe

Filesize
180KB

MD5
f72da1b0d1fa19b02de02d19643bf7db

SHA1
d49a0fcd1de4a37ec9502c58e3df3108d786d69d

SHA256
66ee4fec1fe76d18b44f4eb75db1dd48c55595239962b56e4542eb70f366fbf6

SHA512
15e4013e8030a9dc58d2bfe6c4de572dd5261d67728f161a5bcf886b9d86305d16ff45573a778c39eaf0586e5da1017597903a6e14ba7b0b8764b9e693457eb5

Download Submit
C:\Windows\{85CCB100-1FAB-4eaf-A714-06DBD53DDE24}.exe

Filesize
180KB

MD5
a287e8792c7f7413a937b0406ff0b3d4

SHA1
5f4eaf2aa79b828ac2e11fdaec69349433861bc0

SHA256
a562673c692ec819dc3f71d79e7ccce7ad7f15de10eb197c5bdfa4844d17b129

SHA512
a49264d2c4862cc8fbdde6c59cbad2eb1e9749824640eea25e3b0492402858058b87a60caa2bf80c3867d5542b7782949e865a1b40a36f5ae64f2862bc1421d1

Download Submit
C:\Windows\{A947DD6C-F59A-42bb-9AE3-33FA34EB59AE}.exe

Filesize
180KB

MD5
4d123a1fb98a6103c0dfeaec1a936b63

SHA1
8cf93443ba921f3fe675e6d3ca86a02630a546db

SHA256
85b190b62e8370fc0cd094b90bbc7e9e0d8eedf0f4d997472fb5cee54eb184ef

SHA512
a5d848efb0d9c247351b43a5c18f0f5d0d94b951c23d8e05740ab08f82e0f1bfd53e8b3dd00e7dec6eaef0467c1e27507d07e4164f5c6b39f0c719f1265aa59b

Download Submit
C:\Windows\{C94F6CBF-6A01-44fa-9468-AB7F4A5100F6}.exe

Filesize
180KB

MD5
ac4fff873a32355a0d09942b10ac50a1

SHA1
aa8b8d9f179571e8a97725c4bddae4a6b8731719

SHA256
3cc02ab09a88a3382ff1f50c9010076e6d8166fa96c17c004c54391cd50b6c4f

SHA512
9520e873aa957fa8148e5e7cb15269c13de6dbc28793f7c19bae4bb02ab7ba2299b5d16721378c9d1905151a87b69d983a24d1e4e8a85b300bf654e7e2f7eb20

Download Submit
C:\Windows\{CA8D5B1C-10E7-44ce-9EE9-9E54CD6A743A}.exe

Filesize
180KB

MD5
6e8dc5383ad6688cf707edeab99e4cc8

SHA1
070d9bf71ff93b48d6a8e58b70302799537ea2b7

SHA256
e18851670677bce43e90d70f6e896990c1a9518d88a1519ab75379c2cf1f73f1

SHA512
903ba1a50a1e87fb621720cc979b8207217c58309bffbc96d7cbf0bdeacf61c4f4d7f209c2e59be5c2f2c0a8c9629541fdac05fdd9f361b38b7f9a40bf699d04

Download Submit
C:\Windows\{EA1C4DDE-9B86-43ef-A636-DD6AE9E09AC6}.exe

Filesize
180KB

MD5
d36b4c5c7ae87447b039af78abe32cca

SHA1
40d10a7cf2121ce6d6bab533500547fec15863dd

SHA256
c28986eda66c1db77a0917e71cf31e719e88c1e9fa910a3b2bb2ee94e60827ef

SHA512
5262927b652e2bba967e00450a3eb585c587a14a8b361f25a060ee10e4f2ff4dbf8a2c8db82523c2fa40539965b4849a0892270bba48bf172b038b0f7e72cfa1

Download Submit
C:\Windows\{EDC8A47D-88FF-4f43-8DF8-A0CA8A597577}.exe

Filesize
180KB

MD5
da3ccb2bab8ac950255df8a9fc1ea640

SHA1
bd0f783704e7016db3a338989ad00fcb131c99a2

SHA256
ca3fa6bbff671eaf88ec0532b8164e5520b4f981a8bf32084482f42c1b65ed21

SHA512
aee79edddfa1d73eda524dad0eb668ff6e8226b91bb1ffa88f9eb2d87a80f9ebd2b3f46e6e0966bd640c1ca027e083f9a915b8f179f5c0442a32e44544c9c9ee

Download Submit
C:\Windows\{F4116A99-2962-4ef4-89FA-642CB273A682}.exe

Filesize
180KB

MD5
062dd84f8b52ed3a7fdb8a97fa736465

SHA1
b4846c42a6b6accb0dd422983332b88bc17b46b8

SHA256
74093287fe4a2b23f270676dd5616223006119a9440b41bf68207e246629ee41

SHA512
2d7a2c85b9d4eea72af350d561a8a85e0dc28e63a9375527c64b4a5f1cf57c3fc55a34ae07bc89c6e731f8948273aa2aa3ab307b9445c61a340a3dd56ecb8e91

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads