bfaa12495cfe62f46041b8f92517c70be41886bf8738497d8a85170e5826db79

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_f7ece9b98c71764d8e1a32b1a7bf84c0_goldeneye.exe
Size

180KB
MD5

f7ece9b98c71764d8e1a32b1a7bf84c0
SHA1

0fc6c19851c028ac328a98b03e979eeed60a4430
SHA256

bfaa12495cfe62f46041b8f92517c70be41886bf8738497d8a85170e5826db79
SHA512

b6b42127755750c5f3b6d259c1c17e9e1f65b97f6800f2ebf5ddd988b5566e97cab67398ea2c4dc906dd8af421a1aa1422b0c29dbd38fe4367f0914fddaba5ff
SSDEEP

3072:jEGh0o8lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGWl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023417-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002341c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023422-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002341c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021793-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021797-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000021793-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000715-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}\stubpath = "C:\\Windows\\{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe"	{619C8110-A092-4cfd-9C38-269079627062}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50C23221-4AC4-424f-B8E7-70AB7B675F5A}	{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58AF8B50-5691-4cba-95D1-6C3C3A8D52A8}\stubpath = "C:\\Windows\\{58AF8B50-5691-4cba-95D1-6C3C3A8D52A8}.exe"	{83BB315C-4BFE-4c32-B674-3E293F43E0B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29850F18-65A3-40f9-84B1-1A86BC9850F1}	{58AF8B50-5691-4cba-95D1-6C3C3A8D52A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}	{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{619C8110-A092-4cfd-9C38-269079627062}	{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}\stubpath = "C:\\Windows\\{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe"	{9012B9D6-6B47-4b56-B709-26C75859883A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}	{619C8110-A092-4cfd-9C38-269079627062}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}	{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}\stubpath = "C:\\Windows\\{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe"	{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50C23221-4AC4-424f-B8E7-70AB7B675F5A}\stubpath = "C:\\Windows\\{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe"	{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58AF8B50-5691-4cba-95D1-6C3C3A8D52A8}	{83BB315C-4BFE-4c32-B674-3E293F43E0B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}	2024-05-31_f7ece9b98c71764d8e1a32b1a7bf84c0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9012B9D6-6B47-4b56-B709-26C75859883A}\stubpath = "C:\\Windows\\{9012B9D6-6B47-4b56-B709-26C75859883A}.exe"	{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}	{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}\stubpath = "C:\\Windows\\{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe"	{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{619C8110-A092-4cfd-9C38-269079627062}\stubpath = "C:\\Windows\\{619C8110-A092-4cfd-9C38-269079627062}.exe"	{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}	{9012B9D6-6B47-4b56-B709-26C75859883A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}\stubpath = "C:\\Windows\\{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe"	{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83BB315C-4BFE-4c32-B674-3E293F43E0B2}	{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83BB315C-4BFE-4c32-B674-3E293F43E0B2}\stubpath = "C:\\Windows\\{83BB315C-4BFE-4c32-B674-3E293F43E0B2}.exe"	{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29850F18-65A3-40f9-84B1-1A86BC9850F1}\stubpath = "C:\\Windows\\{29850F18-65A3-40f9-84B1-1A86BC9850F1}.exe"	{58AF8B50-5691-4cba-95D1-6C3C3A8D52A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}\stubpath = "C:\\Windows\\{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe"	2024-05-31_f7ece9b98c71764d8e1a32b1a7bf84c0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9012B9D6-6B47-4b56-B709-26C75859883A}	{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe

Executes dropped EXE 12 IoCs

pid	Process
1152	{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe
2344	{9012B9D6-6B47-4b56-B709-26C75859883A}.exe
4896	{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe
4680	{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe
4560	{619C8110-A092-4cfd-9C38-269079627062}.exe
3552	{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe
860	{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe
2492	{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe
2304	{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe
4732	{83BB315C-4BFE-4c32-B674-3E293F43E0B2}.exe
2796	{58AF8B50-5691-4cba-95D1-6C3C3A8D52A8}.exe
1816	{29850F18-65A3-40f9-84B1-1A86BC9850F1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe	{619C8110-A092-4cfd-9C38-269079627062}.exe
File created	C:\Windows\{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe	{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe
File created	C:\Windows\{83BB315C-4BFE-4c32-B674-3E293F43E0B2}.exe	{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe
File created	C:\Windows\{58AF8B50-5691-4cba-95D1-6C3C3A8D52A8}.exe	{83BB315C-4BFE-4c32-B674-3E293F43E0B2}.exe
File created	C:\Windows\{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe	2024-05-31_f7ece9b98c71764d8e1a32b1a7bf84c0_goldeneye.exe
File created	C:\Windows\{9012B9D6-6B47-4b56-B709-26C75859883A}.exe	{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe
File created	C:\Windows\{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe	{9012B9D6-6B47-4b56-B709-26C75859883A}.exe
File created	C:\Windows\{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe	{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe
File created	C:\Windows\{619C8110-A092-4cfd-9C38-269079627062}.exe	{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe
File created	C:\Windows\{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe	{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe
File created	C:\Windows\{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe	{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe
File created	C:\Windows\{29850F18-65A3-40f9-84B1-1A86BC9850F1}.exe	{58AF8B50-5691-4cba-95D1-6C3C3A8D52A8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4872	2024-05-31_f7ece9b98c71764d8e1a32b1a7bf84c0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1152	{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe
Token: SeIncBasePriorityPrivilege	2344	{9012B9D6-6B47-4b56-B709-26C75859883A}.exe
Token: SeIncBasePriorityPrivilege	4896	{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe
Token: SeIncBasePriorityPrivilege	4680	{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe
Token: SeIncBasePriorityPrivilege	4560	{619C8110-A092-4cfd-9C38-269079627062}.exe
Token: SeIncBasePriorityPrivilege	3552	{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe
Token: SeIncBasePriorityPrivilege	860	{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe
Token: SeIncBasePriorityPrivilege	2492	{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe
Token: SeIncBasePriorityPrivilege	2304	{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe
Token: SeIncBasePriorityPrivilege	4732	{83BB315C-4BFE-4c32-B674-3E293F43E0B2}.exe
Token: SeIncBasePriorityPrivilege	2796	{58AF8B50-5691-4cba-95D1-6C3C3A8D52A8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 1152	4872	2024-05-31_f7ece9b98c71764d8e1a32b1a7bf84c0_goldeneye.exe	92
PID 4872 wrote to memory of 1152	4872	2024-05-31_f7ece9b98c71764d8e1a32b1a7bf84c0_goldeneye.exe	92
PID 4872 wrote to memory of 1152	4872	2024-05-31_f7ece9b98c71764d8e1a32b1a7bf84c0_goldeneye.exe	92
PID 4872 wrote to memory of 3264	4872	2024-05-31_f7ece9b98c71764d8e1a32b1a7bf84c0_goldeneye.exe	93
PID 4872 wrote to memory of 3264	4872	2024-05-31_f7ece9b98c71764d8e1a32b1a7bf84c0_goldeneye.exe	93
PID 4872 wrote to memory of 3264	4872	2024-05-31_f7ece9b98c71764d8e1a32b1a7bf84c0_goldeneye.exe	93
PID 1152 wrote to memory of 2344	1152	{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe	94
PID 1152 wrote to memory of 2344	1152	{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe	94
PID 1152 wrote to memory of 2344	1152	{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe	94
PID 1152 wrote to memory of 2140	1152	{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe	95
PID 1152 wrote to memory of 2140	1152	{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe	95
PID 1152 wrote to memory of 2140	1152	{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe	95
PID 2344 wrote to memory of 4896	2344	{9012B9D6-6B47-4b56-B709-26C75859883A}.exe	97
PID 2344 wrote to memory of 4896	2344	{9012B9D6-6B47-4b56-B709-26C75859883A}.exe	97
PID 2344 wrote to memory of 4896	2344	{9012B9D6-6B47-4b56-B709-26C75859883A}.exe	97
PID 2344 wrote to memory of 3416	2344	{9012B9D6-6B47-4b56-B709-26C75859883A}.exe	98
PID 2344 wrote to memory of 3416	2344	{9012B9D6-6B47-4b56-B709-26C75859883A}.exe	98
PID 2344 wrote to memory of 3416	2344	{9012B9D6-6B47-4b56-B709-26C75859883A}.exe	98
PID 4896 wrote to memory of 4680	4896	{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe	99
PID 4896 wrote to memory of 4680	4896	{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe	99
PID 4896 wrote to memory of 4680	4896	{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe	99
PID 4896 wrote to memory of 3536	4896	{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe	100
PID 4896 wrote to memory of 3536	4896	{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe	100
PID 4896 wrote to memory of 3536	4896	{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe	100
PID 4680 wrote to memory of 4560	4680	{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe	101
PID 4680 wrote to memory of 4560	4680	{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe	101
PID 4680 wrote to memory of 4560	4680	{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe	101
PID 4680 wrote to memory of 1488	4680	{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe	102
PID 4680 wrote to memory of 1488	4680	{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe	102
PID 4680 wrote to memory of 1488	4680	{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe	102
PID 4560 wrote to memory of 3552	4560	{619C8110-A092-4cfd-9C38-269079627062}.exe	103
PID 4560 wrote to memory of 3552	4560	{619C8110-A092-4cfd-9C38-269079627062}.exe	103
PID 4560 wrote to memory of 3552	4560	{619C8110-A092-4cfd-9C38-269079627062}.exe	103
PID 4560 wrote to memory of 2744	4560	{619C8110-A092-4cfd-9C38-269079627062}.exe	104
PID 4560 wrote to memory of 2744	4560	{619C8110-A092-4cfd-9C38-269079627062}.exe	104
PID 4560 wrote to memory of 2744	4560	{619C8110-A092-4cfd-9C38-269079627062}.exe	104
PID 3552 wrote to memory of 860	3552	{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe	105
PID 3552 wrote to memory of 860	3552	{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe	105
PID 3552 wrote to memory of 860	3552	{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe	105
PID 3552 wrote to memory of 2692	3552	{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe	106
PID 3552 wrote to memory of 2692	3552	{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe	106
PID 3552 wrote to memory of 2692	3552	{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe	106
PID 860 wrote to memory of 2492	860	{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe	107
PID 860 wrote to memory of 2492	860	{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe	107
PID 860 wrote to memory of 2492	860	{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe	107
PID 860 wrote to memory of 1284	860	{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe	108
PID 860 wrote to memory of 1284	860	{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe	108
PID 860 wrote to memory of 1284	860	{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe	108
PID 2492 wrote to memory of 2304	2492	{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe	109
PID 2492 wrote to memory of 2304	2492	{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe	109
PID 2492 wrote to memory of 2304	2492	{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe	109
PID 2492 wrote to memory of 2348	2492	{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe	110
PID 2492 wrote to memory of 2348	2492	{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe	110
PID 2492 wrote to memory of 2348	2492	{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe	110
PID 2304 wrote to memory of 4732	2304	{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe	111
PID 2304 wrote to memory of 4732	2304	{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe	111
PID 2304 wrote to memory of 4732	2304	{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe	111
PID 2304 wrote to memory of 2472	2304	{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe	112
PID 2304 wrote to memory of 2472	2304	{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe	112
PID 2304 wrote to memory of 2472	2304	{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe	112
PID 4732 wrote to memory of 2796	4732	{83BB315C-4BFE-4c32-B674-3E293F43E0B2}.exe	113
PID 4732 wrote to memory of 2796	4732	{83BB315C-4BFE-4c32-B674-3E293F43E0B2}.exe	113
PID 4732 wrote to memory of 2796	4732	{83BB315C-4BFE-4c32-B674-3E293F43E0B2}.exe	113
PID 4732 wrote to memory of 3488	4732	{83BB315C-4BFE-4c32-B674-3E293F43E0B2}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-05-31_f7ece9b98c71764d8e1a32b1a7bf84c0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_f7ece9b98c71764d8e1a32b1a7bf84c0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe
  C:\Windows\{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\{9012B9D6-6B47-4b56-B709-26C75859883A}.exe
    C:\Windows\{9012B9D6-6B47-4b56-B709-26C75859883A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe
      C:\Windows\{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe
        
        C:\Windows\{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4680
      - C:\Windows\{619C8110-A092-4cfd-9C38-269079627062}.exe
        
        C:\Windows\{619C8110-A092-4cfd-9C38-269079627062}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe
        
        C:\Windows\{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe
        
        C:\Windows\{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe
        
        C:\Windows\{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe
        
        C:\Windows\{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\{83BB315C-4BFE-4c32-B674-3E293F43E0B2}.exe
        
        C:\Windows\{83BB315C-4BFE-4c32-B674-3E293F43E0B2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\{58AF8B50-5691-4cba-95D1-6C3C3A8D52A8}.exe
        
        C:\Windows\{58AF8B50-5691-4cba-95D1-6C3C3A8D52A8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\{29850F18-65A3-40f9-84B1-1A86BC9850F1}.exe
        
        C:\Windows\{29850F18-65A3-40f9-84B1-1A86BC9850F1}.exe
        13⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58AF8~1.EXE > nul
        13⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83BB3~1.EXE > nul
        12⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50C23~1.EXE > nul
        11⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B1B1~1.EXE > nul
        10⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0914A~1.EXE > nul
        9⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6F5A~1.EXE > nul
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{619C8~1.EXE > nul
        7⤵
        
        PID:2744
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A6CD~1.EXE > nul
        6⤵
        
        PID:1488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{351D2~1.EXE > nul
        5⤵
        
        PID:3536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9012B~1.EXE > nul
      4⤵
      PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DCEE5~1.EXE > nul
    3⤵
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0914A9F1-6A6B-47ef-B7ED-8A432FD64C64}.exe

Filesize
180KB

MD5
57f7eeccb3052ebb62c7615c3f76416c

SHA1
c247e67104df1a723d4378a4d4f6b7545a150bda

SHA256
d35b6319eec2d0a308b0f3342290f779d18186604d5d310900b8e8523239e583

SHA512
d1d6c08287606efe12f39a07d9863b4502eaeecbad7f992c6a897937d820fee8534fccbdb2c571b643c59e71d844eb1f8db9237c4aecc360b2239c08253c76bf

Download Submit
C:\Windows\{29850F18-65A3-40f9-84B1-1A86BC9850F1}.exe

Filesize
180KB

MD5
5c0858fd46c0e96f882aaadfafaff092

SHA1
fcf6a92f699abf0413c83ac03fb5338a12ee136f

SHA256
6787b02dfdb7db2352eced3e078b77045952f2943e66a24ab4e4d8c561bc42a6

SHA512
939e9a67b3e3a13fde047ae684a6baf964fbcb19d5ce1b5149cc9f14f0caf39d5d78f88e51f802ad89f748d0e972283fb76a43c52d1f68b780ab385df84dbf7b

Download Submit
C:\Windows\{351D2F34-76A0-44e2-86EB-E19C63FEAFD7}.exe

Filesize
180KB

MD5
8d03f95bc069b249c6215d9e820fba62

SHA1
0b9040e19f057a622dc7033332a0b6bb752d13bf

SHA256
790654e88cdccbd36894fbd9c32ba76cc88ced42faa3c65839a1d9890113d30c

SHA512
5562ef3019ad37e0a1b6b1d9e2db43399edbc8eb19eba225bbef46cc5f431c2cbcf1d27cc88c79bf47edae89ac0e594e3a66ae7a74d663c866d1a2ad3bb14cfc

Download Submit
C:\Windows\{50C23221-4AC4-424f-B8E7-70AB7B675F5A}.exe

Filesize
180KB

MD5
ba8e4082393a50ea445e913553b38175

SHA1
4121c2617ab733d86e803c30821a07b43f75e913

SHA256
ca39b2c504215c5c920acc9d7bece73a259bf814441ef1462fd7bc758f9a9bb3

SHA512
ac3a596bf46b4e7e278ea82fa65c1908e33d59bba310cb5737549ae891c2e9ee1652e3062224bed0b80881a601556c259807fa186c1225ddbad7448f47b049d1

Download Submit
C:\Windows\{58AF8B50-5691-4cba-95D1-6C3C3A8D52A8}.exe

Filesize
180KB

MD5
ee82fb8e4a897f9f8f5ef63bf8bc8d09

SHA1
8818aa30f4fe8fa0c55f61a3d4177c6a65166895

SHA256
50a7ee55555a31fe7907eb13be03d9d31b61f3ebc3b93e65826360bba9305d4e

SHA512
ebfb45e4ffccd7045a980ac3c1fd0883f0d2b8cd45dc63348c854895cc63392b2343cb4d8510667712848040accd046423fbb12351d34ee5e430de647a6dd643

Download Submit
C:\Windows\{619C8110-A092-4cfd-9C38-269079627062}.exe

Filesize
180KB

MD5
a3885f315af05a1998f801925508bd45

SHA1
7290d88476e8785d195091d967dc37827c358ae6

SHA256
4af5e71690bcf47050c4445940eda5f4df0f4b36b3c3eb483688bb1eab366fa6

SHA512
127985561fc8c1c0f707dc3c2aee7ecc094abdbf11a381f44f2c76558b8cb815dc2d07c82c9220d2a7820f57a80d4ba1261ad7d02f5b24a94018de52b69119b9

Download Submit
C:\Windows\{83BB315C-4BFE-4c32-B674-3E293F43E0B2}.exe

Filesize
180KB

MD5
59d378a17882984a1182106a02461a88

SHA1
1507a17280d9744514c0d4be5e25cec43d464d6c

SHA256
aa89a6059248f211de2cbb9053cb50e3a484636cbf1e9965262b0100d107964c

SHA512
671365811fdcbe60aba821c25ecd184fcc0f5a75293445b5a90269be2b8007205243ed9bfc8462c18e0aab109d1fc45848f15d73135e89c2b2b0acf87d1e6ceb

Download Submit
C:\Windows\{8A6CD0D1-8B58-4157-9CE3-60C687547EA8}.exe

Filesize
180KB

MD5
48a48ca09d4bc0f3ec7d09f97bfec5a7

SHA1
ee1012b9b97aabac9a00f62e67ac4242c72b7e23

SHA256
158f9985182556e78c8e7c88719d658ca6082d8c9d6d827e646d4f64957371c0

SHA512
815af6135e188e761b8b47d81342f1f93837e4cdcc8b1febd8bf2fe7468e1a18c0d91fe3b1942c2ffd48fbaf25b79feb258a31d47877632cd7b7a65a2c6cd672

Download Submit
C:\Windows\{8B1B1C17-7F1C-47bd-9D1A-1E6474BF35C4}.exe

Filesize
180KB

MD5
b04667509a47e78197a8e92905b497bb

SHA1
2239d92041124126b93e891e5a6f7bcb181f6636

SHA256
6bed2045ae770835cc97e1e9bf332f919e473fd2522cf2edde59f9d45fcaa168

SHA512
33f8318be2ab90198cc4b4dde3a19681a88d1a4f3c264d061eed433b06d2269d2c28ec279834f1b4b64f6e00574f33c7aa5089fd6774aff373139b1beafc9c52

Download Submit
C:\Windows\{9012B9D6-6B47-4b56-B709-26C75859883A}.exe

Filesize
180KB

MD5
1d59d4381760d4253f680c94edcdbf91

SHA1
cd1de3f2caac8b0296293ea9335a3e1a598bfdfd

SHA256
ebb340a40a48eabfa8561d92e33336bacc8f9c75556a8e56d39e5c7bc97a3f64

SHA512
fa7672fba43c2aae9d5a60463ae3f569c22b3b19bdce4e8d3ce2d5232cb6ad4369a2c1e7ac752082f8d8ba216b9b3fe1855e7e7d60e58d9d1ec76243a181318d

Download Submit
C:\Windows\{DCEE50E2-98D5-4e12-8F1B-B1BE7627C06A}.exe

Filesize
180KB

MD5
2f10c0634460d13e2ebdb7f557f5f95f

SHA1
eb145e62d50aa07f0fa24ff5827a3e8eb59480d7

SHA256
659340acc1b798dbf7c68c09b74dbdb0c4178c90496f5745142e9a15eb5da378

SHA512
5fd3565fed9975c042bf0515c40ad0e6edcde0ea3278e55d956875ba6d207c4150aee312c4a407eb7dec801c4593573864df01f2278f5c8ab20dadf3021453fe

Download Submit
C:\Windows\{E6F5ABEC-A3A5-46c2-A8FE-A4103111A906}.exe

Filesize
180KB

MD5
5aa79d8728b7e8bf355ada1f4b5493f1

SHA1
f88f93efbe775edd7e4ee42e900dcbdc96d0af58

SHA256
ddd4546896699b718c3ae91e01daf423543e54562e51558d5ac29fb0026c6faa

SHA512
42e78a9643888b5802cbed5cbdefd6106eeb59e8d6ef14e075f2392ba244dfce7e0c7669f0fa292a58d1db271e0d0e99536cbfab946bc938a421c0cee04d87bd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads