20f2b14cf8e1427b0cf75e87d6174fbaf1235cc98eca1eacd805c56774c1f433

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 04:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_57a36226fa578947489c80ae163aa9a6_goldeneye.exe
Size

344KB
MD5

57a36226fa578947489c80ae163aa9a6
SHA1

1229c580f2aa536cce3f10e67ffd588b80cc9669
SHA256

20f2b14cf8e1427b0cf75e87d6174fbaf1235cc98eca1eacd805c56774c1f433
SHA512

9bd20e3f8b501e660ffb613cfc59f8556ac1a8ff1a393147373397f733e5b1d12930b982e88e783f4f0463cbdac496cd26f4bb62062f7cdc72cbbb3740c41379
SSDEEP

3072:mEGh0o4lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGqlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023387-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023393-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233a2-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023393-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000233a2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023393-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000233a2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023415-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002341b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023415-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002341b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023424-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}	{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}\stubpath = "C:\\Windows\\{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe"	{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8850974-0CF4-4609-8241-E1BAF8C31EAB}\stubpath = "C:\\Windows\\{D8850974-0CF4-4609-8241-E1BAF8C31EAB}.exe"	{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85B3B2C4-7C8B-40a3-9D55-CC69F5472453}	{D8850974-0CF4-4609-8241-E1BAF8C31EAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60AFA1B9-F9E3-41fc-9C11-4308036561CA}	{85B3B2C4-7C8B-40a3-9D55-CC69F5472453}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}	2024-06-01_57a36226fa578947489c80ae163aa9a6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70E59DB4-A100-405d-8E67-F461C443A050}	{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70E59DB4-A100-405d-8E67-F461C443A050}\stubpath = "C:\\Windows\\{70E59DB4-A100-405d-8E67-F461C443A050}.exe"	{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}\stubpath = "C:\\Windows\\{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe"	{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8850974-0CF4-4609-8241-E1BAF8C31EAB}	{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85B3B2C4-7C8B-40a3-9D55-CC69F5472453}\stubpath = "C:\\Windows\\{85B3B2C4-7C8B-40a3-9D55-CC69F5472453}.exe"	{D8850974-0CF4-4609-8241-E1BAF8C31EAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60AFA1B9-F9E3-41fc-9C11-4308036561CA}\stubpath = "C:\\Windows\\{60AFA1B9-F9E3-41fc-9C11-4308036561CA}.exe"	{85B3B2C4-7C8B-40a3-9D55-CC69F5472453}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5080DA4E-9A2F-4aa7-851E-132A190A4B61}	{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72534CA7-12E3-4e25-9465-CB5D9497AEE3}	{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72534CA7-12E3-4e25-9465-CB5D9497AEE3}\stubpath = "C:\\Windows\\{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe"	{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}\stubpath = "C:\\Windows\\{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe"	{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}	{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5080DA4E-9A2F-4aa7-851E-132A190A4B61}\stubpath = "C:\\Windows\\{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe"	{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}	{70E59DB4-A100-405d-8E67-F461C443A050}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}	{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}	{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}\stubpath = "C:\\Windows\\{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe"	2024-06-01_57a36226fa578947489c80ae163aa9a6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}\stubpath = "C:\\Windows\\{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe"	{70E59DB4-A100-405d-8E67-F461C443A050}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}\stubpath = "C:\\Windows\\{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe"	{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe

Executes dropped EXE 12 IoCs

pid	Process
1272	{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe
1520	{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe
208	{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe
3084	{70E59DB4-A100-405d-8E67-F461C443A050}.exe
4520	{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe
5000	{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe
3768	{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe
4960	{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe
2164	{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe
404	{D8850974-0CF4-4609-8241-E1BAF8C31EAB}.exe
3708	{85B3B2C4-7C8B-40a3-9D55-CC69F5472453}.exe
4520	{60AFA1B9-F9E3-41fc-9C11-4308036561CA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{60AFA1B9-F9E3-41fc-9C11-4308036561CA}.exe	{85B3B2C4-7C8B-40a3-9D55-CC69F5472453}.exe
File created	C:\Windows\{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe	{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe
File created	C:\Windows\{70E59DB4-A100-405d-8E67-F461C443A050}.exe	{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe
File created	C:\Windows\{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe	{70E59DB4-A100-405d-8E67-F461C443A050}.exe
File created	C:\Windows\{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe	{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe
File created	C:\Windows\{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe	{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe
File created	C:\Windows\{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe	{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe
File created	C:\Windows\{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe	2024-06-01_57a36226fa578947489c80ae163aa9a6_goldeneye.exe
File created	C:\Windows\{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe	{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe
File created	C:\Windows\{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe	{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe
File created	C:\Windows\{D8850974-0CF4-4609-8241-E1BAF8C31EAB}.exe	{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe
File created	C:\Windows\{85B3B2C4-7C8B-40a3-9D55-CC69F5472453}.exe	{D8850974-0CF4-4609-8241-E1BAF8C31EAB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	228	2024-06-01_57a36226fa578947489c80ae163aa9a6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1272	{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe
Token: SeIncBasePriorityPrivilege	1520	{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe
Token: SeIncBasePriorityPrivilege	208	{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe
Token: SeIncBasePriorityPrivilege	3084	{70E59DB4-A100-405d-8E67-F461C443A050}.exe
Token: SeIncBasePriorityPrivilege	4520	{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe
Token: SeIncBasePriorityPrivilege	5000	{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe
Token: SeIncBasePriorityPrivilege	3768	{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe
Token: SeIncBasePriorityPrivilege	4960	{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe
Token: SeIncBasePriorityPrivilege	2164	{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe
Token: SeIncBasePriorityPrivilege	404	{D8850974-0CF4-4609-8241-E1BAF8C31EAB}.exe
Token: SeIncBasePriorityPrivilege	3708	{85B3B2C4-7C8B-40a3-9D55-CC69F5472453}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 1272	228	2024-06-01_57a36226fa578947489c80ae163aa9a6_goldeneye.exe	96
PID 228 wrote to memory of 1272	228	2024-06-01_57a36226fa578947489c80ae163aa9a6_goldeneye.exe	96
PID 228 wrote to memory of 1272	228	2024-06-01_57a36226fa578947489c80ae163aa9a6_goldeneye.exe	96
PID 228 wrote to memory of 3928	228	2024-06-01_57a36226fa578947489c80ae163aa9a6_goldeneye.exe	97
PID 228 wrote to memory of 3928	228	2024-06-01_57a36226fa578947489c80ae163aa9a6_goldeneye.exe	97
PID 228 wrote to memory of 3928	228	2024-06-01_57a36226fa578947489c80ae163aa9a6_goldeneye.exe	97
PID 1272 wrote to memory of 1520	1272	{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe	98
PID 1272 wrote to memory of 1520	1272	{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe	98
PID 1272 wrote to memory of 1520	1272	{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe	98
PID 1272 wrote to memory of 3176	1272	{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe	99
PID 1272 wrote to memory of 3176	1272	{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe	99
PID 1272 wrote to memory of 3176	1272	{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe	99
PID 1520 wrote to memory of 208	1520	{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe	103
PID 1520 wrote to memory of 208	1520	{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe	103
PID 1520 wrote to memory of 208	1520	{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe	103
PID 1520 wrote to memory of 3240	1520	{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe	104
PID 1520 wrote to memory of 3240	1520	{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe	104
PID 1520 wrote to memory of 3240	1520	{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe	104
PID 208 wrote to memory of 3084	208	{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe	105
PID 208 wrote to memory of 3084	208	{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe	105
PID 208 wrote to memory of 3084	208	{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe	105
PID 208 wrote to memory of 4076	208	{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe	106
PID 208 wrote to memory of 4076	208	{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe	106
PID 208 wrote to memory of 4076	208	{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe	106
PID 3084 wrote to memory of 4520	3084	{70E59DB4-A100-405d-8E67-F461C443A050}.exe	107
PID 3084 wrote to memory of 4520	3084	{70E59DB4-A100-405d-8E67-F461C443A050}.exe	107
PID 3084 wrote to memory of 4520	3084	{70E59DB4-A100-405d-8E67-F461C443A050}.exe	107
PID 3084 wrote to memory of 244	3084	{70E59DB4-A100-405d-8E67-F461C443A050}.exe	108
PID 3084 wrote to memory of 244	3084	{70E59DB4-A100-405d-8E67-F461C443A050}.exe	108
PID 3084 wrote to memory of 244	3084	{70E59DB4-A100-405d-8E67-F461C443A050}.exe	108
PID 4520 wrote to memory of 5000	4520	{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe	110
PID 4520 wrote to memory of 5000	4520	{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe	110
PID 4520 wrote to memory of 5000	4520	{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe	110
PID 4520 wrote to memory of 1896	4520	{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe	111
PID 4520 wrote to memory of 1896	4520	{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe	111
PID 4520 wrote to memory of 1896	4520	{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe	111
PID 5000 wrote to memory of 3768	5000	{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe	112
PID 5000 wrote to memory of 3768	5000	{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe	112
PID 5000 wrote to memory of 3768	5000	{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe	112
PID 5000 wrote to memory of 1872	5000	{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe	113
PID 5000 wrote to memory of 1872	5000	{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe	113
PID 5000 wrote to memory of 1872	5000	{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe	113
PID 3768 wrote to memory of 4960	3768	{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe	116
PID 3768 wrote to memory of 4960	3768	{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe	116
PID 3768 wrote to memory of 4960	3768	{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe	116
PID 3768 wrote to memory of 1272	3768	{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe	117
PID 3768 wrote to memory of 1272	3768	{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe	117
PID 3768 wrote to memory of 1272	3768	{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe	117
PID 4960 wrote to memory of 2164	4960	{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe	122
PID 4960 wrote to memory of 2164	4960	{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe	122
PID 4960 wrote to memory of 2164	4960	{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe	122
PID 4960 wrote to memory of 4156	4960	{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe	123
PID 4960 wrote to memory of 4156	4960	{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe	123
PID 4960 wrote to memory of 4156	4960	{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe	123
PID 2164 wrote to memory of 404	2164	{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe	124
PID 2164 wrote to memory of 404	2164	{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe	124
PID 2164 wrote to memory of 404	2164	{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe	124
PID 2164 wrote to memory of 4164	2164	{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe	125
PID 2164 wrote to memory of 4164	2164	{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe	125
PID 2164 wrote to memory of 4164	2164	{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe	125
PID 404 wrote to memory of 3708	404	{D8850974-0CF4-4609-8241-E1BAF8C31EAB}.exe	126
PID 404 wrote to memory of 3708	404	{D8850974-0CF4-4609-8241-E1BAF8C31EAB}.exe	126
PID 404 wrote to memory of 3708	404	{D8850974-0CF4-4609-8241-E1BAF8C31EAB}.exe	126
PID 404 wrote to memory of 1000	404	{D8850974-0CF4-4609-8241-E1BAF8C31EAB}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-06-01_57a36226fa578947489c80ae163aa9a6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_57a36226fa578947489c80ae163aa9a6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe
  C:\Windows\{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe
    C:\Windows\{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe
      C:\Windows\{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\{70E59DB4-A100-405d-8E67-F461C443A050}.exe
        
        C:\Windows\{70E59DB4-A100-405d-8E67-F461C443A050}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3084
      - C:\Windows\{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe
        
        C:\Windows\{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe
        
        C:\Windows\{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe
        
        C:\Windows\{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe
        
        C:\Windows\{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe
        
        C:\Windows\{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\{D8850974-0CF4-4609-8241-E1BAF8C31EAB}.exe
        
        C:\Windows\{D8850974-0CF4-4609-8241-E1BAF8C31EAB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\{85B3B2C4-7C8B-40a3-9D55-CC69F5472453}.exe
        
        C:\Windows\{85B3B2C4-7C8B-40a3-9D55-CC69F5472453}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Windows\{60AFA1B9-F9E3-41fc-9C11-4308036561CA}.exe
        
        C:\Windows\{60AFA1B9-F9E3-41fc-9C11-4308036561CA}.exe
        13⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85B3B~1.EXE > nul
        13⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8850~1.EXE > nul
        12⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FAF7~1.EXE > nul
        11⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42E71~1.EXE > nul
        10⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2D3C~1.EXE > nul
        9⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B87F9~1.EXE > nul
        8⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D9E5~1.EXE > nul
        7⤵
        
        PID:1896
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70E59~1.EXE > nul
        6⤵
        
        PID:244
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72534~1.EXE > nul
        5⤵
        
        PID:4076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5080D~1.EXE > nul
      4⤵
      PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5BDF4~1.EXE > nul
    3⤵
    PID:3176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D9E5B19-8215-49e4-BB89-EF3DD5AD315A}.exe

Filesize
344KB

MD5
511a68e0d550e44205ceb77c2021bc41

SHA1
38df03a309dd813c4dcaa5efe4753d4f0b99b3ab

SHA256
e4d6d7876654763c01a8286e837feb30b28645e7896069aa0968d973ffbb8244

SHA512
8522e9b5727ab7931515c9912e28dd192068343ce03c40c69479d3c1c03f94777062a14cf819dc896c507a53a604001277827f48e74888de0069ace7957f34b8

Download Submit
C:\Windows\{42E71B16-44E6-46ee-B6A0-2E821AD5D0B8}.exe

Filesize
344KB

MD5
fb510c8f789012b24fbe6b0c613a8295

SHA1
af98a9cc128a5b4580f00fbfbe1bac4ef0f79fbd

SHA256
e80687fc905d7fd86297e17b0bb07bb4fbeb30c6f1ae2b109414c01a067de103

SHA512
9dcbdfa8c44ea62a151aec2d11a6a390216b33a7f9e2691d041cc639f9b96ed1aa29af4e6c11ead7f8fb5d06cdbde521931aa32e272cd84f192e2f5896b0eb8c

Download Submit
C:\Windows\{5080DA4E-9A2F-4aa7-851E-132A190A4B61}.exe

Filesize
344KB

MD5
ff957470b02ca593c84e91a5caca6a86

SHA1
1e2ac33d9b5519b99a1adeefed7040ed65ed58c9

SHA256
f1a682c84ca9deb73982bd0e758e90155bd8175f7a4a763b2c5f02c95ed66f23

SHA512
bb5d43c8af3020fe61ea929d3120ba29288d1ef9041233893fafea1e41487645af8ab145016bae4960e987f3b9b67e4014d0a32277d5a3387481d51253141fe9

Download Submit
C:\Windows\{5BDF470B-9D5B-4a5b-967F-0EFA86365D6D}.exe

Filesize
344KB

MD5
86baff3602e0c87b01ec6275660f761e

SHA1
acee0672511d6818f2b8da0d1d1531e0a9077415

SHA256
c8d0f7510490baa009753a20435799b0a6be1e8a743348e86e1a1c0bd96168d0

SHA512
a33b14179c1897bbc7a45b0c9cbcdc3a0c3fb2dd8d7f1590268a30ff96c7e09790c666aae1a566f07cd5ce285bf9b4ced2f33b5bb30ddf4cee7525f3d3539aaf

Download Submit
C:\Windows\{60AFA1B9-F9E3-41fc-9C11-4308036561CA}.exe

Filesize
344KB

MD5
079a30867a26e7f471975e6630a62b69

SHA1
37cfd1b771f5e93d052344bd2dfbeaea4f90b1ae

SHA256
3a45835f1cc9266712e3da1a39879a63cfeb89a8fbaad4c6e8d2b7957b77d497

SHA512
f3ca90a9ba3fd92548211257905b557f99be140790c7a588020f3aba7f6c240c060df831d12ee61a820e9b4ffc0ea5f754bcdbce16ba940c6ad15a047cbe24be

Download Submit
C:\Windows\{70E59DB4-A100-405d-8E67-F461C443A050}.exe

Filesize
344KB

MD5
cb381abfbae0b5b9e699e9dc645a4ba6

SHA1
7dce0285f199b5e65128c015b2710821ee349b45

SHA256
326d54d713e4daf008879b8ed14fdc7688f32c63f64906c4f8ab6aadf1b49103

SHA512
2294b4f7769c4e98a507eade88c7a4a2d1b41c3d77771dc7e48eb978c76d2557b397164819ed3c60a1560d594eadadd30cb3e1ae31614ce95474c9b1b001f29b

Download Submit
C:\Windows\{72534CA7-12E3-4e25-9465-CB5D9497AEE3}.exe

Filesize
344KB

MD5
414c0fc44d0a5f8652b9e68c43b673a9

SHA1
82692be2e9f77779e26b6156be39ac9f662f716a

SHA256
b34c9ac2f6709a52e2e4cbeb1156fd7556b76092ed04214e289c1bcffe6eceff

SHA512
4f1a7e9255eb7dc6734a8c19da80eb447e2f024846f4ae91294e2e2d7208292389ac679b26517ad1de40b9c2ec95f7d3d297421fa9932957c1bb9b21f7474d64

Download Submit
C:\Windows\{85B3B2C4-7C8B-40a3-9D55-CC69F5472453}.exe

Filesize
344KB

MD5
618258f211e6ecb95a659f39e2d0d0e4

SHA1
067f00fbb20541d60a7d7d6bf27042ea900f283c

SHA256
4ae249ac625ac116f94c2d2e81e3d3e673ef9ff1435b0a3a5f0eec017d2a8e52

SHA512
a94f0e15392476995ea379c9e655a1195662ea6dbc00d1f357a7f894886955b55a534049d71f952b9f08ca613820c329fa92b466a458b32c251691b6b5a8fadf

Download Submit
C:\Windows\{9FAF7B00-ABBD-46ed-8B78-C6D7477B23C8}.exe

Filesize
344KB

MD5
0de80d0a87965d187cf2df01432db23f

SHA1
03d7936abbbe2c16d19aaeae1c45122575eb56e4

SHA256
6cdb22cadf8d5d9d042644d80a79b6a1d56aefa607e31d5e490f3c717b120736

SHA512
bf40292f50b62b5b6878b90aa15f3c91a9af2e225f44957d60b5a406cb89f1c37f551e9af3c79eaca4846220eebdd4159b970d94267b960b65f05450663a4580

Download Submit
C:\Windows\{B87F976D-4E16-4947-8E07-6DF9B3E2FAA8}.exe

Filesize
344KB

MD5
74920349008b78007a3dbcf97f83b5b4

SHA1
435f495ca98f13d0b343a96e923858914c8d90ee

SHA256
6f021fe398f8fb30dfb2b709b7ef8b4a4f014ab6d58c81fcd8d20c881d9e8c5c

SHA512
756eb4de7d367dad24e52ec24e176a83dcef8079cace72eaca5fcefe62ee821ef50eb4a7b5231bd9b3ec4e9046154fa46819a054a88bb33d4fefe9ca1c87a5d0

Download Submit
C:\Windows\{D8850974-0CF4-4609-8241-E1BAF8C31EAB}.exe

Filesize
344KB

MD5
bc178119ba17c9c54a450b81a16e6048

SHA1
3226d6b5494e4c2896b82f51a71a59d693d47351

SHA256
2d585b6bac14ec11a83c4f144e88724fcc3ece73205c56d09f76580af6a49643

SHA512
9180653c7ba239c7995d40db97eaa58c3186aed8e041d3ee9afcde2d429f3cfa29e21aadc1691473acd665743052fa108f470a18490ea7c7d01c694c740d9e68

Download Submit
C:\Windows\{F2D3C9E0-5A52-4fb3-9E10-1BC6EBC27BC4}.exe

Filesize
344KB

MD5
1dd572b8a346c8f640835ee28f36861f

SHA1
a0900e9e659fab801e2d17f61c1f62f90214cf59

SHA256
d2b368f91fce668cf9f3db32d2251b35a739ca83a82a3f431b8e999f693822d4

SHA512
e9b8253e790f97febfc7b7026dcfec650ce09e894dc279a016d90673b1a6e2780140a477e0c92a43cf38636e4a5fe074852a70d5ef425eb2d274cd6943d77e0e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads