ea99ec7c2043a0aae92a7d8f86c15d43d3bb3cc2632aa61d6e4ebd130db275d7

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe
Size

204KB
MD5

a1d3aa2aedb1ae1218434f3358c415dc
SHA1

ec55cb7b1c4d568638587d4822872b891f723e3c
SHA256

ea99ec7c2043a0aae92a7d8f86c15d43d3bb3cc2632aa61d6e4ebd130db275d7
SHA512

bb4b6d2a9cbf8d62ee94173f94c17a49562ea56378b07ec9dfe4b748c99b3d6e6b424dc10863e694f34371e3ccbacea122ae5689989bcedccf24f7b3f59ca1fd
SSDEEP

1536:1EGh0o9l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o9l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0012000000023465-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023467-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023472-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023467-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023472-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023467-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023472-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000731-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000733-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000731-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000733-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000731-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92BCB68B-4972-46c6-AAC9-BF059908425F}	{B367574B-D49F-452f-BE65-7FFB887482AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}	{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}\stubpath = "C:\\Windows\\{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe"	{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}	{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}\stubpath = "C:\\Windows\\{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}.exe"	{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F56140D1-B8B4-42b1-9B54-FB93A3A7B190}\stubpath = "C:\\Windows\\{F56140D1-B8B4-42b1-9B54-FB93A3A7B190}.exe"	{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEB966EF-2E1C-42bf-9B27-CBB03860FA64}	{F56140D1-B8B4-42b1-9B54-FB93A3A7B190}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07B9F713-1330-45ea-853E-711372DD3503}	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52B47ABE-52B4-448b-B396-30D2ED89D3D1}	{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B367574B-D49F-452f-BE65-7FFB887482AB}\stubpath = "C:\\Windows\\{B367574B-D49F-452f-BE65-7FFB887482AB}.exe"	{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B367574B-D49F-452f-BE65-7FFB887482AB}	{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92BCB68B-4972-46c6-AAC9-BF059908425F}\stubpath = "C:\\Windows\\{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe"	{B367574B-D49F-452f-BE65-7FFB887482AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAA559A5-135F-4596-B895-389DE3E35B4C}	{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}\stubpath = "C:\\Windows\\{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe"	{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F56140D1-B8B4-42b1-9B54-FB93A3A7B190}	{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56294E30-EDF3-47d3-BFF0-6517EDF04B69}	{07B9F713-1330-45ea-853E-711372DD3503}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56294E30-EDF3-47d3-BFF0-6517EDF04B69}\stubpath = "C:\\Windows\\{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe"	{07B9F713-1330-45ea-853E-711372DD3503}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}	{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEB966EF-2E1C-42bf-9B27-CBB03860FA64}\stubpath = "C:\\Windows\\{EEB966EF-2E1C-42bf-9B27-CBB03860FA64}.exe"	{F56140D1-B8B4-42b1-9B54-FB93A3A7B190}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAA559A5-135F-4596-B895-389DE3E35B4C}\stubpath = "C:\\Windows\\{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe"	{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}	{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07B9F713-1330-45ea-853E-711372DD3503}\stubpath = "C:\\Windows\\{07B9F713-1330-45ea-853E-711372DD3503}.exe"	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52B47ABE-52B4-448b-B396-30D2ED89D3D1}\stubpath = "C:\\Windows\\{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe"	{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}\stubpath = "C:\\Windows\\{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe"	{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe

Executes dropped EXE 12 IoCs

pid	Process
1820	{07B9F713-1330-45ea-853E-711372DD3503}.exe
4864	{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe
4616	{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe
2768	{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe
1300	{B367574B-D49F-452f-BE65-7FFB887482AB}.exe
2604	{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe
5072	{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe
3968	{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe
3820	{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe
3128	{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}.exe
4724	{F56140D1-B8B4-42b1-9B54-FB93A3A7B190}.exe
4120	{EEB966EF-2E1C-42bf-9B27-CBB03860FA64}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe	{B367574B-D49F-452f-BE65-7FFB887482AB}.exe
File created	C:\Windows\{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe	{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe
File created	C:\Windows\{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe	{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe
File created	C:\Windows\{EEB966EF-2E1C-42bf-9B27-CBB03860FA64}.exe	{F56140D1-B8B4-42b1-9B54-FB93A3A7B190}.exe
File created	C:\Windows\{07B9F713-1330-45ea-853E-711372DD3503}.exe	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe
File created	C:\Windows\{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe	{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe
File created	C:\Windows\{B367574B-D49F-452f-BE65-7FFB887482AB}.exe	{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe
File created	C:\Windows\{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}.exe	{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe
File created	C:\Windows\{F56140D1-B8B4-42b1-9B54-FB93A3A7B190}.exe	{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}.exe
File created	C:\Windows\{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe	{07B9F713-1330-45ea-853E-711372DD3503}.exe
File created	C:\Windows\{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe	{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe
File created	C:\Windows\{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe	{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4396	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1820	{07B9F713-1330-45ea-853E-711372DD3503}.exe
Token: SeIncBasePriorityPrivilege	4864	{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe
Token: SeIncBasePriorityPrivilege	4616	{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe
Token: SeIncBasePriorityPrivilege	2768	{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe
Token: SeIncBasePriorityPrivilege	1300	{B367574B-D49F-452f-BE65-7FFB887482AB}.exe
Token: SeIncBasePriorityPrivilege	2604	{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe
Token: SeIncBasePriorityPrivilege	5072	{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe
Token: SeIncBasePriorityPrivilege	3968	{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe
Token: SeIncBasePriorityPrivilege	3820	{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe
Token: SeIncBasePriorityPrivilege	3128	{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}.exe
Token: SeIncBasePriorityPrivilege	4724	{F56140D1-B8B4-42b1-9B54-FB93A3A7B190}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 1820	4396	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe	92
PID 4396 wrote to memory of 1820	4396	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe	92
PID 4396 wrote to memory of 1820	4396	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe	92
PID 4396 wrote to memory of 4768	4396	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe	93
PID 4396 wrote to memory of 4768	4396	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe	93
PID 4396 wrote to memory of 4768	4396	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe	93
PID 1820 wrote to memory of 4864	1820	{07B9F713-1330-45ea-853E-711372DD3503}.exe	94
PID 1820 wrote to memory of 4864	1820	{07B9F713-1330-45ea-853E-711372DD3503}.exe	94
PID 1820 wrote to memory of 4864	1820	{07B9F713-1330-45ea-853E-711372DD3503}.exe	94
PID 1820 wrote to memory of 544	1820	{07B9F713-1330-45ea-853E-711372DD3503}.exe	95
PID 1820 wrote to memory of 544	1820	{07B9F713-1330-45ea-853E-711372DD3503}.exe	95
PID 1820 wrote to memory of 544	1820	{07B9F713-1330-45ea-853E-711372DD3503}.exe	95
PID 4864 wrote to memory of 4616	4864	{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe	97
PID 4864 wrote to memory of 4616	4864	{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe	97
PID 4864 wrote to memory of 4616	4864	{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe	97
PID 4864 wrote to memory of 4656	4864	{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe	98
PID 4864 wrote to memory of 4656	4864	{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe	98
PID 4864 wrote to memory of 4656	4864	{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe	98
PID 4616 wrote to memory of 2768	4616	{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe	99
PID 4616 wrote to memory of 2768	4616	{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe	99
PID 4616 wrote to memory of 2768	4616	{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe	99
PID 4616 wrote to memory of 3436	4616	{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe	100
PID 4616 wrote to memory of 3436	4616	{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe	100
PID 4616 wrote to memory of 3436	4616	{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe	100
PID 2768 wrote to memory of 1300	2768	{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe	101
PID 2768 wrote to memory of 1300	2768	{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe	101
PID 2768 wrote to memory of 1300	2768	{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe	101
PID 2768 wrote to memory of 1788	2768	{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe	102
PID 2768 wrote to memory of 1788	2768	{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe	102
PID 2768 wrote to memory of 1788	2768	{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe	102
PID 1300 wrote to memory of 2604	1300	{B367574B-D49F-452f-BE65-7FFB887482AB}.exe	103
PID 1300 wrote to memory of 2604	1300	{B367574B-D49F-452f-BE65-7FFB887482AB}.exe	103
PID 1300 wrote to memory of 2604	1300	{B367574B-D49F-452f-BE65-7FFB887482AB}.exe	103
PID 1300 wrote to memory of 2376	1300	{B367574B-D49F-452f-BE65-7FFB887482AB}.exe	104
PID 1300 wrote to memory of 2376	1300	{B367574B-D49F-452f-BE65-7FFB887482AB}.exe	104
PID 1300 wrote to memory of 2376	1300	{B367574B-D49F-452f-BE65-7FFB887482AB}.exe	104
PID 2604 wrote to memory of 5072	2604	{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe	105
PID 2604 wrote to memory of 5072	2604	{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe	105
PID 2604 wrote to memory of 5072	2604	{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe	105
PID 2604 wrote to memory of 372	2604	{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe	106
PID 2604 wrote to memory of 372	2604	{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe	106
PID 2604 wrote to memory of 372	2604	{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe	106
PID 5072 wrote to memory of 3968	5072	{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe	107
PID 5072 wrote to memory of 3968	5072	{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe	107
PID 5072 wrote to memory of 3968	5072	{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe	107
PID 5072 wrote to memory of 4260	5072	{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe	108
PID 5072 wrote to memory of 4260	5072	{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe	108
PID 5072 wrote to memory of 4260	5072	{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe	108
PID 3968 wrote to memory of 3820	3968	{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe	109
PID 3968 wrote to memory of 3820	3968	{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe	109
PID 3968 wrote to memory of 3820	3968	{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe	109
PID 3968 wrote to memory of 2732	3968	{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe	110
PID 3968 wrote to memory of 2732	3968	{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe	110
PID 3968 wrote to memory of 2732	3968	{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe	110
PID 3820 wrote to memory of 3128	3820	{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe	111
PID 3820 wrote to memory of 3128	3820	{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe	111
PID 3820 wrote to memory of 3128	3820	{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe	111
PID 3820 wrote to memory of 2552	3820	{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe	112
PID 3820 wrote to memory of 2552	3820	{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe	112
PID 3820 wrote to memory of 2552	3820	{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe	112
PID 3128 wrote to memory of 4724	3128	{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}.exe	113
PID 3128 wrote to memory of 4724	3128	{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}.exe	113
PID 3128 wrote to memory of 4724	3128	{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}.exe	113
PID 3128 wrote to memory of 864	3128	{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\{07B9F713-1330-45ea-853E-711372DD3503}.exe
  C:\Windows\{07B9F713-1330-45ea-853E-711372DD3503}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe
    C:\Windows\{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe
      C:\Windows\{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4616
    - - C:\Windows\{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe
        
        C:\Windows\{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\{B367574B-D49F-452f-BE65-7FFB887482AB}.exe
        
        C:\Windows\{B367574B-D49F-452f-BE65-7FFB887482AB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe
        
        C:\Windows\{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe
        
        C:\Windows\{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe
        
        C:\Windows\{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe
        
        C:\Windows\{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}.exe
        
        C:\Windows\{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\{F56140D1-B8B4-42b1-9B54-FB93A3A7B190}.exe
        
        C:\Windows\{F56140D1-B8B4-42b1-9B54-FB93A3A7B190}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
        
        C:\Windows\{EEB966EF-2E1C-42bf-9B27-CBB03860FA64}.exe
        
        C:\Windows\{EEB966EF-2E1C-42bf-9B27-CBB03860FA64}.exe
        13⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5614~1.EXE > nul
        13⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D72C8~1.EXE > nul
        12⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10675~1.EXE > nul
        11⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4E35~1.EXE > nul
        10⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAA55~1.EXE > nul
        9⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92BCB~1.EXE > nul
        8⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3675~1.EXE > nul
        7⤵
        
        PID:2376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A81F~1.EXE > nul
        6⤵
        
        PID:1788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52B47~1.EXE > nul
        5⤵
        
        PID:3436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{56294~1.EXE > nul
      4⤵
      PID:4656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{07B9F~1.EXE > nul
    3⤵
    PID:544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07B9F713-1330-45ea-853E-711372DD3503}.exe

Filesize
204KB

MD5
f6c285408c92ae0da8e57cba9bf90606

SHA1
73c5f9bd9d078209d785b60fbf74d107b0997bcb

SHA256
145c808c3613e54ace0242be68a696b0984caefceade97c526cf4b71111ebd17

SHA512
6e64591c4e226591b9b9c9c6568fa3549e9f7c6c43e262fc758bb31403e6f1d7905b12925bb8f7440f4b1b2e2bf106405911e81434c096e5ce7cd79bef44e249

Download Submit
C:\Windows\{106753AA-B81D-4629-ACCC-C6CFECBF4BFA}.exe

Filesize
204KB

MD5
be53a78a2e3c09426f10fdc3ff6c80a5

SHA1
dc60c818793646f35e7e0ca20c4d8d66a2a3be12

SHA256
468c8707f4d20766ebedbdea62babbf9ca941eee486e7dbbe862d8b33de27979

SHA512
9240fb579835dc1ea8ad51a542293d02eebde31539174bddc50b3e1cb2eb993c0b5788a3b20cc5bd8bdf7fd4f69d083178ceb088eb38e9f47b83052578f44dc1

Download Submit
C:\Windows\{52B47ABE-52B4-448b-B396-30D2ED89D3D1}.exe

Filesize
204KB

MD5
610b9db94a08ba0a673bf5363cf0c307

SHA1
f6efd7656249437253f1ea342d5d05fd27a9dc07

SHA256
09b998c40ec304b8db6a9785b99d32939cba42f8fa26583d6b4e5feca42a00dd

SHA512
611e3731eedc5ed8674fbad43813f57247e6e61f9719c5a7c7452ca7f1d75cb2cb34b2171b728785166fa36770c77b04d0829db3b1d91fb9f11c9b94895265e0

Download Submit
C:\Windows\{56294E30-EDF3-47d3-BFF0-6517EDF04B69}.exe

Filesize
204KB

MD5
78319ac2c77a571eb7704b7cbbc9584f

SHA1
1fc0b27b4913f32e12ca64dacb9b55157eaaf660

SHA256
5c6dda27e07fb3a50c374843ed28b475897bad2c4d2813589df254cbd6d88bee

SHA512
4650bf00bbfdeb17d3b4c36a9397030f2417b89a148ccf141a0ff22866af63ad917beeffa932f73194b056fb5ce2af7fb1cac9021ab71c0aceb7cbabcd02ad82

Download Submit
C:\Windows\{6A81F5B5-C88A-4114-8CCA-EA7CF2DCDCDA}.exe

Filesize
204KB

MD5
9b848bcf82649812fe04249fe3de5647

SHA1
4fb106cb10062f42c17948205ecf9940380962ff

SHA256
dd7baf05ebf7dc820ab382424f44a0ac66b543c2564b0d53c00f135c91f7f287

SHA512
937fef3279694c385919e9004a97c45dcc76c6ad7bf0568a6d33c3f86e94c611d88bc6d4b2803ba6e5355bfdd765acb28f862ed14273c763199da01bd15ac50d

Download Submit
C:\Windows\{92BCB68B-4972-46c6-AAC9-BF059908425F}.exe

Filesize
204KB

MD5
cd4ff4c0ee253295b9e467685499c657

SHA1
f2105de046fb323b5c4b884dbf16154ace402190

SHA256
f5cc5e6707ed55f65671f69064daf162b3bf95c1581e2d74c1ca52abbb8b9928

SHA512
a70cf2848b9b4e07175f640209d36e725b0aafc608f5ea21fa451b8cd212f1f4a6b1b55e8ba6955be88507ab5acaca7e825ee567d0f6e8f81a31969b0bf9cff1

Download Submit
C:\Windows\{B367574B-D49F-452f-BE65-7FFB887482AB}.exe

Filesize
204KB

MD5
c598c9163601cb3386bb5c74b4788fa0

SHA1
34575b500eb02d5a922f73fb699a8c35e53f6b8e

SHA256
c6dc56bfd0c18e50324f5deaab05a1cb0bd07ce7598f580de96996140bef5add

SHA512
726ed1da6dbc2b66d035326f34d429a74c0f8d155a1afef7055f52f9793a678e6549b528d13ae39afd75d8c96b9f916c2091e6b2869f07bbfa9122fd11f94431

Download Submit
C:\Windows\{C4E35C0E-1B22-43b3-BDEF-6CEB0EEF5EDA}.exe

Filesize
204KB

MD5
3482ba85edd36cba199272bb2c36f268

SHA1
cc872a697a2d398a09f12077b764c9c54409e4b8

SHA256
d92f68a6b1897789cf9128b6de1016d8ffa5e252194a234177db14e0f2f2f73f

SHA512
2612a66d937d154a1f69510c9bdf8f7854442df7e5ef7508d1881ce5a9fe958fa53ea147da2fbcb4d64109297dc31b95737816db6410de766bf747e1b29ba154

Download Submit
C:\Windows\{D72C8A6B-175D-4f6f-803E-5E971AEB3D9A}.exe

Filesize
204KB

MD5
2f14b2ec485e5d37628dd72668415112

SHA1
89ddd7aa0fdf0104cb9748a0522f305b2fe6831c

SHA256
adf218bd25e4308f7cbab27563f62af501d70ca76565b3b703ac909e922e305d

SHA512
23f76f5afb456e04cbfb5621a8cf6a8a8250b7e6646120a096b7216931be8da35b005fe9229711e38556b15f31eba776320531542df26eb540cbd75887ba8053

Download Submit
C:\Windows\{EAA559A5-135F-4596-B895-389DE3E35B4C}.exe

Filesize
204KB

MD5
422a8f5c6d9ef6be6a5976e6e9f08767

SHA1
909beed1d395acc3811b80bea6ca5b5eaf51da09

SHA256
53e67f67edd19d84c04b0e04d43ce491ed07b85872947fb8717cad4b17f8e54c

SHA512
b328c0055446087f90b57d447f82b966a1c48a48b73784286f4f8c1b10186777d8299a3c732f9c8560b91bb62cfd4ef536654836616a2db187b3a8e6008a7384

Download Submit
C:\Windows\{EEB966EF-2E1C-42bf-9B27-CBB03860FA64}.exe

Filesize
204KB

MD5
ad0b0acc03afd1d3174283cf99784208

SHA1
19ce839efd58fabbbd42c0f805ae91882d08f531

SHA256
032aae81b8a74b44f5420d3348a86a0321bf5c92f390042c5f543546b704b403

SHA512
29980d2245436ff19e6c2cbd8722607ea45817b9f65fa9db697b3569e49d3e4bdecb418fa33b7d83731ad2128193df23b8bebc58494a8495d7ec863e17b61c68

Download Submit
C:\Windows\{F56140D1-B8B4-42b1-9B54-FB93A3A7B190}.exe

Filesize
204KB

MD5
3ed44bf1c8fbe09b020cd971aa6c9258

SHA1
f42533937a45731be524952c5c8a7237f2d171f8

SHA256
ce467a0bdc51f68879e3d8ae12811ed2290b3fa1227bc58494f7a7816a1d3299

SHA512
ce87ca7da2a658e2abcf3109d66d7cd427138937d2e643a8aec155063eb5f470dff4cd6a8b720b313d0f54137482e431b336ddac5a1516554e1be4945dec7960

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads