7c69232702fc24d6ea40cc8c714757c864318f8287a01aecfb11989fd71d88ae

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe
Size

168KB
MD5

578f015a1d5da7bd270cb43c7fc71d40
SHA1

3b698fc3e2f00a73ef22321e1835c707014282d6
SHA256

7c69232702fc24d6ea40cc8c714757c864318f8287a01aecfb11989fd71d88ae
SHA512

04d2df931e0b72f1f0917f9711961f010fe07eee0dd6e470b7e1ae859e45040088e5b7118dd9c648c56836c3b01a0e4e8b32ec459afba0bec5eb856b078ca6cc
SSDEEP

1536:1EGh0oAlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oAlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023473-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002346c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023479-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002346c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000021694-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000216b8-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000021694-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000717-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}\stubpath = "C:\\Windows\\{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe"	{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2630994-0F6E-4719-840C-DFA79D6C4B3A}	{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2630994-0F6E-4719-840C-DFA79D6C4B3A}\stubpath = "C:\\Windows\\{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe"	{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B260D91-6AD0-4050-90B5-765A212BCBA3}\stubpath = "C:\\Windows\\{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe"	{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}	{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}\stubpath = "C:\\Windows\\{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}.exe"	{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C6B4EEF-7098-4cfd-9E78-4D8F1BDCFE91}\stubpath = "C:\\Windows\\{8C6B4EEF-7098-4cfd-9E78-4D8F1BDCFE91}.exe"	{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A45A334-1693-4a3d-BAE8-F5BF8808D1A6}\stubpath = "C:\\Windows\\{9A45A334-1693-4a3d-BAE8-F5BF8808D1A6}.exe"	{8C6B4EEF-7098-4cfd-9E78-4D8F1BDCFE91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}	{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}	{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D52969B3-E2D1-470c-BEC5-AAEA0118356E}\stubpath = "C:\\Windows\\{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe"	{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2885FF2-15DC-486c-95C7-F8D98159AD4C}\stubpath = "C:\\Windows\\{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe"	{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}\stubpath = "C:\\Windows\\{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe"	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}\stubpath = "C:\\Windows\\{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe"	{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}\stubpath = "C:\\Windows\\{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe"	{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D52969B3-E2D1-470c-BEC5-AAEA0118356E}	{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C6B4EEF-7098-4cfd-9E78-4D8F1BDCFE91}	{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A45A334-1693-4a3d-BAE8-F5BF8808D1A6}	{8C6B4EEF-7098-4cfd-9E78-4D8F1BDCFE91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B25191DB-9C79-4406-B3A1-10E5D2A69643}	{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B25191DB-9C79-4406-B3A1-10E5D2A69643}\stubpath = "C:\\Windows\\{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe"	{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B260D91-6AD0-4050-90B5-765A212BCBA3}	{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}	{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2885FF2-15DC-486c-95C7-F8D98159AD4C}	{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4748	{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe
2340	{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe
2192	{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe
2080	{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe
3572	{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe
636	{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe
4912	{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe
2396	{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe
2460	{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe
2700	{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}.exe
1532	{8C6B4EEF-7098-4cfd-9E78-4D8F1BDCFE91}.exe
4200	{9A45A334-1693-4a3d-BAE8-F5BF8808D1A6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe	{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe
File created	C:\Windows\{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe	{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe
File created	C:\Windows\{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe	{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe
File created	C:\Windows\{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe	{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe
File created	C:\Windows\{8C6B4EEF-7098-4cfd-9E78-4D8F1BDCFE91}.exe	{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}.exe
File created	C:\Windows\{9A45A334-1693-4a3d-BAE8-F5BF8808D1A6}.exe	{8C6B4EEF-7098-4cfd-9E78-4D8F1BDCFE91}.exe
File created	C:\Windows\{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe
File created	C:\Windows\{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe	{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe
File created	C:\Windows\{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe	{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe
File created	C:\Windows\{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe	{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe
File created	C:\Windows\{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}.exe	{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe
File created	C:\Windows\{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe	{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1264	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4748	{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe
Token: SeIncBasePriorityPrivilege	2340	{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe
Token: SeIncBasePriorityPrivilege	2192	{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe
Token: SeIncBasePriorityPrivilege	2080	{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe
Token: SeIncBasePriorityPrivilege	3572	{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe
Token: SeIncBasePriorityPrivilege	636	{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe
Token: SeIncBasePriorityPrivilege	4912	{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe
Token: SeIncBasePriorityPrivilege	2396	{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe
Token: SeIncBasePriorityPrivilege	2460	{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe
Token: SeIncBasePriorityPrivilege	2700	{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}.exe
Token: SeIncBasePriorityPrivilege	1532	{8C6B4EEF-7098-4cfd-9E78-4D8F1BDCFE91}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 4748	1264	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe	92
PID 1264 wrote to memory of 4748	1264	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe	92
PID 1264 wrote to memory of 4748	1264	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe	92
PID 1264 wrote to memory of 3840	1264	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe	93
PID 1264 wrote to memory of 3840	1264	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe	93
PID 1264 wrote to memory of 3840	1264	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe	93
PID 4748 wrote to memory of 2340	4748	{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe	94
PID 4748 wrote to memory of 2340	4748	{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe	94
PID 4748 wrote to memory of 2340	4748	{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe	94
PID 4748 wrote to memory of 1064	4748	{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe	95
PID 4748 wrote to memory of 1064	4748	{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe	95
PID 4748 wrote to memory of 1064	4748	{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe	95
PID 2340 wrote to memory of 2192	2340	{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe	97
PID 2340 wrote to memory of 2192	2340	{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe	97
PID 2340 wrote to memory of 2192	2340	{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe	97
PID 2340 wrote to memory of 2688	2340	{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe	98
PID 2340 wrote to memory of 2688	2340	{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe	98
PID 2340 wrote to memory of 2688	2340	{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe	98
PID 2192 wrote to memory of 2080	2192	{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe	99
PID 2192 wrote to memory of 2080	2192	{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe	99
PID 2192 wrote to memory of 2080	2192	{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe	99
PID 2192 wrote to memory of 220	2192	{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe	100
PID 2192 wrote to memory of 220	2192	{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe	100
PID 2192 wrote to memory of 220	2192	{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe	100
PID 2080 wrote to memory of 3572	2080	{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe	101
PID 2080 wrote to memory of 3572	2080	{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe	101
PID 2080 wrote to memory of 3572	2080	{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe	101
PID 2080 wrote to memory of 3580	2080	{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe	102
PID 2080 wrote to memory of 3580	2080	{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe	102
PID 2080 wrote to memory of 3580	2080	{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe	102
PID 3572 wrote to memory of 636	3572	{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe	103
PID 3572 wrote to memory of 636	3572	{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe	103
PID 3572 wrote to memory of 636	3572	{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe	103
PID 3572 wrote to memory of 1952	3572	{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe	104
PID 3572 wrote to memory of 1952	3572	{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe	104
PID 3572 wrote to memory of 1952	3572	{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe	104
PID 636 wrote to memory of 4912	636	{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe	105
PID 636 wrote to memory of 4912	636	{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe	105
PID 636 wrote to memory of 4912	636	{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe	105
PID 636 wrote to memory of 1940	636	{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe	106
PID 636 wrote to memory of 1940	636	{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe	106
PID 636 wrote to memory of 1940	636	{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe	106
PID 4912 wrote to memory of 2396	4912	{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe	107
PID 4912 wrote to memory of 2396	4912	{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe	107
PID 4912 wrote to memory of 2396	4912	{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe	107
PID 4912 wrote to memory of 4936	4912	{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe	108
PID 4912 wrote to memory of 4936	4912	{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe	108
PID 4912 wrote to memory of 4936	4912	{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe	108
PID 2396 wrote to memory of 2460	2396	{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe	109
PID 2396 wrote to memory of 2460	2396	{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe	109
PID 2396 wrote to memory of 2460	2396	{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe	109
PID 2396 wrote to memory of 2404	2396	{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe	110
PID 2396 wrote to memory of 2404	2396	{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe	110
PID 2396 wrote to memory of 2404	2396	{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe	110
PID 2460 wrote to memory of 2700	2460	{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe	111
PID 2460 wrote to memory of 2700	2460	{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe	111
PID 2460 wrote to memory of 2700	2460	{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe	111
PID 2460 wrote to memory of 4644	2460	{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe	112
PID 2460 wrote to memory of 4644	2460	{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe	112
PID 2460 wrote to memory of 4644	2460	{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe	112
PID 2700 wrote to memory of 1532	2700	{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}.exe	113
PID 2700 wrote to memory of 1532	2700	{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}.exe	113
PID 2700 wrote to memory of 1532	2700	{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}.exe	113
PID 2700 wrote to memory of 1688	2700	{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe
  C:\Windows\{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe
    C:\Windows\{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe
      C:\Windows\{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe
        
        C:\Windows\{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Windows\{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe
        
        C:\Windows\{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe
        
        C:\Windows\{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe
        
        C:\Windows\{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe
        
        C:\Windows\{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe
        
        C:\Windows\{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}.exe
        
        C:\Windows\{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{8C6B4EEF-7098-4cfd-9E78-4D8F1BDCFE91}.exe
        
        C:\Windows\{8C6B4EEF-7098-4cfd-9E78-4D8F1BDCFE91}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\{9A45A334-1693-4a3d-BAE8-F5BF8808D1A6}.exe
        
        C:\Windows\{9A45A334-1693-4a3d-BAE8-F5BF8808D1A6}.exe
        13⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C6B4~1.EXE > nul
        13⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8C34~1.EXE > nul
        12⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2885~1.EXE > nul
        11⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5296~1.EXE > nul
        10⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F0B6~1.EXE > nul
        9⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B260~1.EXE > nul
        8⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C5B0~1.EXE > nul
        7⤵
        
        PID:1952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2519~1.EXE > nul
        6⤵
        
        PID:3580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2630~1.EXE > nul
        5⤵
        
        PID:220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0B4B7~1.EXE > nul
      4⤵
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{67E03~1.EXE > nul
    3⤵
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B4B7DFE-12C0-48fc-A718-28A3B4C15C42}.exe

Filesize
168KB

MD5
c2d2129aab084bd67a2281f82d51e122

SHA1
d22f8c3c68a6fa1cc9594b0f58eb51b9f94bd6aa

SHA256
6396406c8eeaf4344c90d71e947386131591ddeb5e73794064403cfc27a12764

SHA512
7943caee6f9313b73c7c84e3467921bcf673acf3e9e33d3a889fc281de0aefb8dcf3c26f0c2350cfe34efb3f14e01c1bff7f00368c5b8eb0c2ba617d938741ab

Download Submit
C:\Windows\{4B260D91-6AD0-4050-90B5-765A212BCBA3}.exe

Filesize
168KB

MD5
9050b2d5704b39960c33e68860986ce1

SHA1
98f5a0e97bfd559725aa8b3035ebfe2c79d2341f

SHA256
0e6700907fc7b8641cb0da60a891996382f91ada9dc78c2d7871597a893766f7

SHA512
abf14311da02312a6d12550ccdda820097d923c5145756910a36ad2b0aba2b8952706027cf0886c191a72e197b8bf443f6eeeec92f6fa61d7c8ccf1436d323f8

Download Submit
C:\Windows\{5C5B03BC-FE35-4d01-AA25-67DEF91796DE}.exe

Filesize
168KB

MD5
20cb7d858fc1c56a20eb8c6fa2670e25

SHA1
af31d454e749293e98680b3ab28727a823bdcf21

SHA256
0a4aa61ca9fb06a761431c076f013a95ebe59ff69515f38b3e6c0ed2fa3f5e02

SHA512
6cc8a63070d1f266cce92d6b4ad1b4c79859eb823c0507119510d52cac6bd7ad34baa3f5614a370e03a23b8de2cb51b14c2ef2f8fa6728c7ff8d829c059c188a

Download Submit
C:\Windows\{67E03ACB-B6F6-4a9b-8A36-C78E9EA81C30}.exe

Filesize
168KB

MD5
d1729aa77547aa3ed6baa9b0eb1f2aca

SHA1
8c7b0eda1ab930ad72c4ce2e64e33e6c1fe68db0

SHA256
318e1e6ebcbbeb1597750b8d3b9128cc21f96ee4666057675a2c4fe59827a3f3

SHA512
ca74b050630af7852282fb1c29c31b5bf1606201585744271dd0399a8d57104e0fcb77e3c9ae6e3416b2f8d1fe1e7d6f0010303af2a109a977f20c06b0482fd8

Download Submit
C:\Windows\{6F0B6245-0B0E-4fa0-9AE4-0167A0E8FA60}.exe

Filesize
168KB

MD5
b5dec5b8161244ba04a7489cc349a005

SHA1
29ee4044f270b62987ed5df123eeadfe367406f4

SHA256
dbf7e7277c3648cbec48f6cc29608db04f672604934c3913920805c28e28d95f

SHA512
08f3da0676e3bea4d593ab0618f08c4db727d49dd113fd625c4698654ac2d6e9855d73a45acec6d95612eaf3739863e35cc692563bb408daa40ecfc8f2733e85

Download Submit
C:\Windows\{8C6B4EEF-7098-4cfd-9E78-4D8F1BDCFE91}.exe

Filesize
168KB

MD5
d50a9fe29a090cdf041b6be96300d01b

SHA1
83eb5f025376157d2acd6a846cad1c80846cd3c1

SHA256
36ab6bc35ce7d711a024ebbf8585a7f3f7829b3280c90b86b83391277280da11

SHA512
217ee11f587624934f1b36efb3b135c6cb0262dc5980b98fb74a02c71a0fdaf9d59f6bec2a52eb85a95738a9f57b667655d2e4bc1af656d5cb1627a24e1cc933

Download Submit
C:\Windows\{9A45A334-1693-4a3d-BAE8-F5BF8808D1A6}.exe

Filesize
168KB

MD5
dc13df611f5d757f8c30a1f595801586

SHA1
acf21ded1ca7f5d53a289d8d39218444f153cfea

SHA256
2692b6691608e0c24fae89f3e87ed3f38753cdc30dbc808ffd1bff992d02042a

SHA512
37a9d348730426e95c5b7068ace595b82c19d1c15ef58b01ceb31a1d6d3b92e073a6041c24da5fb5a1375407bd000ab8a9520f40e8c742f130b8bd72bb98724b

Download Submit
C:\Windows\{B25191DB-9C79-4406-B3A1-10E5D2A69643}.exe

Filesize
168KB

MD5
e74864f1ad211cea3a74d0bda43b992a

SHA1
e908e8b13e046f56f623fd558a87bfd5a5c6809c

SHA256
5e41df6f4332236d65a940e3f132081bcb7d6437531c76fe742d384708798e6e

SHA512
139f879058777d2e0a7ea5a137af0f524134ddd69f114566785b7ab0a34d2c01c0b6c7c55f8cfaaa1d6ea37f50e5f16b0a35fba07df1ed514227e3b172b32976

Download Submit
C:\Windows\{D52969B3-E2D1-470c-BEC5-AAEA0118356E}.exe

Filesize
168KB

MD5
3ffbf2c22a5f89b2641185e1e296d199

SHA1
6d2dc0ce87f7fb8da5c78b9b6120c90bd29ea342

SHA256
1bcaa81dca32deadf849a912e1891d0a7f922465a558a2fa4158ec5f86f326d7

SHA512
d2b02d428efe63f7bed7b851ee63af57c54052c6654608b4658255c66e5eb62538d2afa7ac05292e17629ccc2b72b4ed23d81842e835cc708e96bfb797a1d843

Download Submit
C:\Windows\{D8C34152-A105-4fe6-9B47-1B9011FFC6C4}.exe

Filesize
168KB

MD5
1e5e5e068b55b5dc5f95169df580e52c

SHA1
b04a4d5564e47d9b9366d162b9ac38aeac02e944

SHA256
5d34918f5a59e50ec967f7d8820a243ce3e57acdbaef98697385c3eadae325e8

SHA512
e730b91616ef02eb155a06478e8a1ed331231db7246947bcd56f6966dd5b4879302bb6c4f63b13709809c22b729e00bdfe791f3d3d8688c86ba936f566325ca5

Download Submit
C:\Windows\{E2630994-0F6E-4719-840C-DFA79D6C4B3A}.exe

Filesize
168KB

MD5
6d866db5243f4201bab0946386eee9e7

SHA1
8ea110ddf78d38efb2439492a3530c3c149b1b32

SHA256
b857a59baece42f94c33f9a78f5c98c41497f5738b048b53f4eb980498a8a01b

SHA512
5bdd3cab6882776b601e44601a69d84d04f7fe2fde2e279cfe6258ac8264ed12d607611fc72bd64ef175fee7b5d0fa7e007675a815cad664ca74e2a1dee24475

Download Submit
C:\Windows\{F2885FF2-15DC-486c-95C7-F8D98159AD4C}.exe

Filesize
168KB

MD5
44019ea5542489e0674e25c771b0e839

SHA1
0eb029bcf312357dd617c75906368456526bced3

SHA256
715753656af84fb32a7adaf99e85a443623ca4f86b467475738c07a54493bd67

SHA512
30b579bbc33ca668c0b37424c8eb0a7fb8ca0e5935ac4e9a2be2e59b71609e62e52e930a0abd72b05e6196dc97341781e7988a0eb8f9af5de3ffccabb32d47ec

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads