5eab239bb3f4235f54c8f2e7e594c3258f47aea4aa0c1ee9f078a1c0f6a705b1

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe
Size

344KB
MD5

063cae50d88b087e665e90441c154026
SHA1

36881913c7708e6ed7989f81bddf8d97f46ef387
SHA256

5eab239bb3f4235f54c8f2e7e594c3258f47aea4aa0c1ee9f078a1c0f6a705b1
SHA512

c1f532aab434d9b9e02109b589e714df408aa1211c461fc67d4a3b85feae5816397e0e3cc5f6dcd9aeaad07d294f4ee027a03ad357a2e568ba5f86c6b1210aa1
SSDEEP

3072:mEGh0o9lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGflqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023427-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002342c-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023432-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002342c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000217e3-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000217e7-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000217e3-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}	{71C08F07-6721-47d7-809C-812E956A84A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}	{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}\stubpath = "C:\\Windows\\{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe"	{02373096-42B4-40ca-A706-C7CC87EA3279}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}	{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71C08F07-6721-47d7-809C-812E956A84A8}	{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71C08F07-6721-47d7-809C-812E956A84A8}\stubpath = "C:\\Windows\\{71C08F07-6721-47d7-809C-812E956A84A8}.exe"	{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{586059E7-A019-4655-A8C2-FA51DDC12036}	{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{586059E7-A019-4655-A8C2-FA51DDC12036}\stubpath = "C:\\Windows\\{586059E7-A019-4655-A8C2-FA51DDC12036}.exe"	{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F75B9461-DB12-4c88-BD0D-277D968CF290}	{88EDD96D-96E8-459c-AFFB-AD7741652FB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F75B9461-DB12-4c88-BD0D-277D968CF290}\stubpath = "C:\\Windows\\{F75B9461-DB12-4c88-BD0D-277D968CF290}.exe"	{88EDD96D-96E8-459c-AFFB-AD7741652FB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}\stubpath = "C:\\Windows\\{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe"	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02373096-42B4-40ca-A706-C7CC87EA3279}\stubpath = "C:\\Windows\\{02373096-42B4-40ca-A706-C7CC87EA3279}.exe"	{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}	{02373096-42B4-40ca-A706-C7CC87EA3279}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}\stubpath = "C:\\Windows\\{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe"	{71C08F07-6721-47d7-809C-812E956A84A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{969AAE20-F383-4b81-BF97-491ECEA656AB}\stubpath = "C:\\Windows\\{969AAE20-F383-4b81-BF97-491ECEA656AB}.exe"	{F75B9461-DB12-4c88-BD0D-277D968CF290}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88EDD96D-96E8-459c-AFFB-AD7741652FB1}	{586059E7-A019-4655-A8C2-FA51DDC12036}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{969AAE20-F383-4b81-BF97-491ECEA656AB}	{F75B9461-DB12-4c88-BD0D-277D968CF290}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02373096-42B4-40ca-A706-C7CC87EA3279}	{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}	{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}\stubpath = "C:\\Windows\\{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe"	{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}\stubpath = "C:\\Windows\\{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe"	{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}\stubpath = "C:\\Windows\\{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe"	{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88EDD96D-96E8-459c-AFFB-AD7741652FB1}\stubpath = "C:\\Windows\\{88EDD96D-96E8-459c-AFFB-AD7741652FB1}.exe"	{586059E7-A019-4655-A8C2-FA51DDC12036}.exe

Executes dropped EXE 12 IoCs

pid	Process
4216	{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe
2156	{02373096-42B4-40ca-A706-C7CC87EA3279}.exe
4828	{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe
1576	{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe
2320	{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe
3408	{71C08F07-6721-47d7-809C-812E956A84A8}.exe
2360	{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe
1564	{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe
4604	{586059E7-A019-4655-A8C2-FA51DDC12036}.exe
2988	{88EDD96D-96E8-459c-AFFB-AD7741652FB1}.exe
2468	{F75B9461-DB12-4c88-BD0D-277D968CF290}.exe
3968	{969AAE20-F383-4b81-BF97-491ECEA656AB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe
File created	C:\Windows\{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe	{02373096-42B4-40ca-A706-C7CC87EA3279}.exe
File created	C:\Windows\{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe	{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe
File created	C:\Windows\{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe	{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe
File created	C:\Windows\{586059E7-A019-4655-A8C2-FA51DDC12036}.exe	{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe
File created	C:\Windows\{88EDD96D-96E8-459c-AFFB-AD7741652FB1}.exe	{586059E7-A019-4655-A8C2-FA51DDC12036}.exe
File created	C:\Windows\{F75B9461-DB12-4c88-BD0D-277D968CF290}.exe	{88EDD96D-96E8-459c-AFFB-AD7741652FB1}.exe
File created	C:\Windows\{02373096-42B4-40ca-A706-C7CC87EA3279}.exe	{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe
File created	C:\Windows\{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe	{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe
File created	C:\Windows\{71C08F07-6721-47d7-809C-812E956A84A8}.exe	{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe
File created	C:\Windows\{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe	{71C08F07-6721-47d7-809C-812E956A84A8}.exe
File created	C:\Windows\{969AAE20-F383-4b81-BF97-491ECEA656AB}.exe	{F75B9461-DB12-4c88-BD0D-277D968CF290}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3188	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4216	{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe
Token: SeIncBasePriorityPrivilege	2156	{02373096-42B4-40ca-A706-C7CC87EA3279}.exe
Token: SeIncBasePriorityPrivilege	4828	{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe
Token: SeIncBasePriorityPrivilege	1576	{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe
Token: SeIncBasePriorityPrivilege	2320	{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe
Token: SeIncBasePriorityPrivilege	3408	{71C08F07-6721-47d7-809C-812E956A84A8}.exe
Token: SeIncBasePriorityPrivilege	2360	{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe
Token: SeIncBasePriorityPrivilege	1564	{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe
Token: SeIncBasePriorityPrivilege	4604	{586059E7-A019-4655-A8C2-FA51DDC12036}.exe
Token: SeIncBasePriorityPrivilege	2988	{88EDD96D-96E8-459c-AFFB-AD7741652FB1}.exe
Token: SeIncBasePriorityPrivilege	2468	{F75B9461-DB12-4c88-BD0D-277D968CF290}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 4216	3188	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe	91
PID 3188 wrote to memory of 4216	3188	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe	91
PID 3188 wrote to memory of 4216	3188	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe	91
PID 3188 wrote to memory of 864	3188	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe	92
PID 3188 wrote to memory of 864	3188	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe	92
PID 3188 wrote to memory of 864	3188	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe	92
PID 4216 wrote to memory of 2156	4216	{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe	93
PID 4216 wrote to memory of 2156	4216	{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe	93
PID 4216 wrote to memory of 2156	4216	{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe	93
PID 4216 wrote to memory of 3740	4216	{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe	94
PID 4216 wrote to memory of 3740	4216	{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe	94
PID 4216 wrote to memory of 3740	4216	{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe	94
PID 2156 wrote to memory of 4828	2156	{02373096-42B4-40ca-A706-C7CC87EA3279}.exe	96
PID 2156 wrote to memory of 4828	2156	{02373096-42B4-40ca-A706-C7CC87EA3279}.exe	96
PID 2156 wrote to memory of 4828	2156	{02373096-42B4-40ca-A706-C7CC87EA3279}.exe	96
PID 2156 wrote to memory of 3920	2156	{02373096-42B4-40ca-A706-C7CC87EA3279}.exe	97
PID 2156 wrote to memory of 3920	2156	{02373096-42B4-40ca-A706-C7CC87EA3279}.exe	97
PID 2156 wrote to memory of 3920	2156	{02373096-42B4-40ca-A706-C7CC87EA3279}.exe	97
PID 4828 wrote to memory of 1576	4828	{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe	98
PID 4828 wrote to memory of 1576	4828	{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe	98
PID 4828 wrote to memory of 1576	4828	{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe	98
PID 4828 wrote to memory of 1692	4828	{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe	99
PID 4828 wrote to memory of 1692	4828	{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe	99
PID 4828 wrote to memory of 1692	4828	{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe	99
PID 1576 wrote to memory of 2320	1576	{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe	100
PID 1576 wrote to memory of 2320	1576	{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe	100
PID 1576 wrote to memory of 2320	1576	{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe	100
PID 1576 wrote to memory of 3916	1576	{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe	101
PID 1576 wrote to memory of 3916	1576	{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe	101
PID 1576 wrote to memory of 3916	1576	{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe	101
PID 2320 wrote to memory of 3408	2320	{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe	102
PID 2320 wrote to memory of 3408	2320	{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe	102
PID 2320 wrote to memory of 3408	2320	{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe	102
PID 2320 wrote to memory of 4760	2320	{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe	103
PID 2320 wrote to memory of 4760	2320	{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe	103
PID 2320 wrote to memory of 4760	2320	{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe	103
PID 3408 wrote to memory of 2360	3408	{71C08F07-6721-47d7-809C-812E956A84A8}.exe	104
PID 3408 wrote to memory of 2360	3408	{71C08F07-6721-47d7-809C-812E956A84A8}.exe	104
PID 3408 wrote to memory of 2360	3408	{71C08F07-6721-47d7-809C-812E956A84A8}.exe	104
PID 3408 wrote to memory of 3112	3408	{71C08F07-6721-47d7-809C-812E956A84A8}.exe	105
PID 3408 wrote to memory of 3112	3408	{71C08F07-6721-47d7-809C-812E956A84A8}.exe	105
PID 3408 wrote to memory of 3112	3408	{71C08F07-6721-47d7-809C-812E956A84A8}.exe	105
PID 2360 wrote to memory of 1564	2360	{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe	106
PID 2360 wrote to memory of 1564	2360	{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe	106
PID 2360 wrote to memory of 1564	2360	{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe	106
PID 2360 wrote to memory of 452	2360	{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe	107
PID 2360 wrote to memory of 452	2360	{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe	107
PID 2360 wrote to memory of 452	2360	{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe	107
PID 1564 wrote to memory of 4604	1564	{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe	108
PID 1564 wrote to memory of 4604	1564	{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe	108
PID 1564 wrote to memory of 4604	1564	{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe	108
PID 1564 wrote to memory of 2364	1564	{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe	109
PID 1564 wrote to memory of 2364	1564	{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe	109
PID 1564 wrote to memory of 2364	1564	{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe	109
PID 4604 wrote to memory of 2988	4604	{586059E7-A019-4655-A8C2-FA51DDC12036}.exe	110
PID 4604 wrote to memory of 2988	4604	{586059E7-A019-4655-A8C2-FA51DDC12036}.exe	110
PID 4604 wrote to memory of 2988	4604	{586059E7-A019-4655-A8C2-FA51DDC12036}.exe	110
PID 4604 wrote to memory of 3012	4604	{586059E7-A019-4655-A8C2-FA51DDC12036}.exe	111
PID 4604 wrote to memory of 3012	4604	{586059E7-A019-4655-A8C2-FA51DDC12036}.exe	111
PID 4604 wrote to memory of 3012	4604	{586059E7-A019-4655-A8C2-FA51DDC12036}.exe	111
PID 2988 wrote to memory of 2468	2988	{88EDD96D-96E8-459c-AFFB-AD7741652FB1}.exe	112
PID 2988 wrote to memory of 2468	2988	{88EDD96D-96E8-459c-AFFB-AD7741652FB1}.exe	112
PID 2988 wrote to memory of 2468	2988	{88EDD96D-96E8-459c-AFFB-AD7741652FB1}.exe	112
PID 2988 wrote to memory of 4592	2988	{88EDD96D-96E8-459c-AFFB-AD7741652FB1}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe
  C:\Windows\{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\{02373096-42B4-40ca-A706-C7CC87EA3279}.exe
    C:\Windows\{02373096-42B4-40ca-A706-C7CC87EA3279}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe
      C:\Windows\{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe
        
        C:\Windows\{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe
        
        C:\Windows\{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{71C08F07-6721-47d7-809C-812E956A84A8}.exe
        
        C:\Windows\{71C08F07-6721-47d7-809C-812E956A84A8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe
        
        C:\Windows\{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe
        
        C:\Windows\{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\{586059E7-A019-4655-A8C2-FA51DDC12036}.exe
        
        C:\Windows\{586059E7-A019-4655-A8C2-FA51DDC12036}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\{88EDD96D-96E8-459c-AFFB-AD7741652FB1}.exe
        
        C:\Windows\{88EDD96D-96E8-459c-AFFB-AD7741652FB1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{F75B9461-DB12-4c88-BD0D-277D968CF290}.exe
        
        C:\Windows\{F75B9461-DB12-4c88-BD0D-277D968CF290}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\{969AAE20-F383-4b81-BF97-491ECEA656AB}.exe
        
        C:\Windows\{969AAE20-F383-4b81-BF97-491ECEA656AB}.exe
        13⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F75B9~1.EXE > nul
        13⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88EDD~1.EXE > nul
        12⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58605~1.EXE > nul
        11⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6DB6~1.EXE > nul
        10⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7D04~1.EXE > nul
        9⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71C08~1.EXE > nul
        8⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD8FF~1.EXE > nul
        7⤵
        
        PID:4760
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39B81~1.EXE > nul
        6⤵
        
        PID:3916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1B86~1.EXE > nul
        5⤵
        
        PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{02373~1.EXE > nul
      4⤵
      PID:3920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DE9B6~1.EXE > nul
    3⤵
    PID:3740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02373096-42B4-40ca-A706-C7CC87EA3279}.exe

Filesize
344KB

MD5
4b21c07469341b58430b3619b1f3e0ac

SHA1
0a08e213683d5529fd2a9705a25f510fb20d52a1

SHA256
f845688866f8db568fb5919b56edd6db0e0b6d98003dce5c3fccae3366260147

SHA512
fe3af1cf86e2d5be51872e596828d0e72d9dd450a0f98bcda8757e5bdde02458dcc16a9316aaa2fc6b9ea1e6c2ded0f0de89c8affe0db714f32e3ad3acee9309

Download Submit
C:\Windows\{39B81956-3D23-4f4d-9B7D-DDD8F851EF35}.exe

Filesize
344KB

MD5
e0bc8968cc5be65ae9617165f6ce5920

SHA1
ca351af97f91732e62caf7d0853dc7d196705898

SHA256
84ebbf21440af4f70c34c78d3a423f81c647bf6da993721eb75d0bf3cbf87f44

SHA512
b8270c6445d2df5f0eb486908ec7537a4a63523763ec4e98e254920651694ec6f801f89350045ecd28cbb2f0767c90bb621e67b8655cd42d69a21651d6914e02

Download Submit
C:\Windows\{586059E7-A019-4655-A8C2-FA51DDC12036}.exe

Filesize
344KB

MD5
ee3aecb0c3ec3af8bd76517f92ac424c

SHA1
872909e449869f9d1153384b9b8f9b753d45812a

SHA256
9a7916003ca73484a9826418c09bc5f50665db0823f5d10da2a05a32b3fe0ca7

SHA512
bc7f81b90da786a02bf5b5f3097b8affbdd073c83eb70dd372ef6506628be3cae430f58f4a04cfb1a234e20e3cb9410098aa2972220b78da7ffbea9190b38041

Download Submit
C:\Windows\{71C08F07-6721-47d7-809C-812E956A84A8}.exe

Filesize
344KB

MD5
152984a0aac0c8ddecbbae78f4a6bc85

SHA1
215ff1bbaaa85d36c33bd3d5dbe69404a9698d08

SHA256
90dc6320f1fb4effaaa0d25418c4e3b33d765df14c80eef10ef99d9fe59c1735

SHA512
c340f748aef7cb4a0051c4b1a6e77d89303950cd9186c809cc3b46da8371bd40b3e4930ffe09bcc539811cf76d6a53af027cb5cc6b9a14c7879aa98c4ea5a7ef

Download Submit
C:\Windows\{88EDD96D-96E8-459c-AFFB-AD7741652FB1}.exe

Filesize
344KB

MD5
34e143caf77c214c0c9b7ba6e3dbe991

SHA1
7e1428c15cd3b89b6e989af5add01209107bdcd4

SHA256
d429c3ccfdb33d9adc551d0110907f9e310d13bd9b7bf1551682b3f5d66b4db3

SHA512
9629f2a49e4c3c48c983c726c703d061c7f9509c491f9a4e092d3de864b542dbce9f5a2dd9893c3f2a8d879128f90d7555ba0e9b820be7bbb239ced18256d7d8

Download Submit
C:\Windows\{969AAE20-F383-4b81-BF97-491ECEA656AB}.exe

Filesize
344KB

MD5
833c8195b83c8e11af8533d9333823ec

SHA1
4e038bd29492c163166b34471b049c08297aeb2b

SHA256
f8ed8f440f44082872d8d0856f3975d2d61ca1e4ab62375de71a465a0279e6d4

SHA512
b2d5de9637c5becbbecc868db28a1a278698a8f5be9251e59e93265b2b9c53a92b94c3b7f2e7f740840dc7cdaf509cd01b12b6680d11d108c8673bb5e761f516

Download Submit
C:\Windows\{A1B86045-58A3-4d6c-B33D-6DA5DDAEF0BD}.exe

Filesize
344KB

MD5
cbcf849f4ece945fbdc020e48d9ca867

SHA1
e8ed684864a350a0a14b015df7455143b15fc7ef

SHA256
2cc227710fd4780c76bceb6ffe0c31ed7e13ced6d4f9e9d5b191e053cb1650a7

SHA512
885e0fb1165c85f8ba5548db72df0aa96156ca35ab406d49c4f6f8567e250d9d6a6c4252f19b518fcbd8259aee05959841227ca884ea794798706e7da94fbfcb

Download Submit
C:\Windows\{AD8FFA62-8D70-4e98-AF8D-C556E40EB53B}.exe

Filesize
344KB

MD5
54424fa43856d2628c2225993a1b654b

SHA1
08cc2735b143316eee16fcc59ed93a725ad0f5d6

SHA256
41431abd489b4c9667cb748480b64af4fdba9b674b1bc5186c6dc130cf497d89

SHA512
e64eaae9133ae8c742b44d40783fa568f5d8736a022dac017479806699f2c6237a2d94071db1650bf86ef414f74bdc94d6a5b69b0cfb7042344b81486bd64b05

Download Submit
C:\Windows\{B7D04DB1-335E-4ae9-8CD5-2F117D8A3D4A}.exe

Filesize
344KB

MD5
d9b87d81addf9b833439512939c3cd5a

SHA1
0f90341a17fe7e0e35b23fabf86347e05c318a12

SHA256
ca14254f173d8dd37096629b3a430ebcb366a0dead8e80f9062591cb73bc0393

SHA512
13562cfb124c68a47e9ab5f0b5b0946dd67d9860da0c0772463c6730e24d377a1e7ae0163619001020af4a245939b8c0fd168e7ef990e8e4c16d82daa906ddf2

Download Submit
C:\Windows\{DE9B6A8B-AF89-4966-A1F3-C4504D1BDA0F}.exe

Filesize
344KB

MD5
4c8a6705a51e567ab927d78be8868d0a

SHA1
b66fec6788f9caeb4dbd71dc27c87a5a0b2341ec

SHA256
0936aebbbfa8f69a2d7bb23c95ef80b2ac48ffc5314d4a430a668505bf6af0b2

SHA512
44ea6abdde511efde2db7e20e8c180437f82b7f0b3d3c1169741121b30eb5037c94ffcc2d98af147cfd5129ab4fc3a4eeca97bb6cd512c6e16d3d85c3e569f65

Download Submit
C:\Windows\{E6DB69BB-5D59-4af6-8E01-80C67C7D30E0}.exe

Filesize
344KB

MD5
c362599356434a59030aed70cf938091

SHA1
e597607ab37b0282130999da469a4f27910dabab

SHA256
5408fe60e868ef21909952157fa937cf210ff175567ef37ae962b70153c949b9

SHA512
73a0031cdd5592db13b9d4c0bc958e833b8f3cdbe05c9ae27109ad998bb13835e5d4e81beef3f124e9f9c9dfb10b918a43c104e24ecdefc95c7b4bfa1b1fe944

Download Submit
C:\Windows\{F75B9461-DB12-4c88-BD0D-277D968CF290}.exe

Filesize
344KB

MD5
5e018284238573b5a235a3d17cf3ca00

SHA1
8ff52ef942c9642bf295d5eb703a7cf19ae0fca2

SHA256
5c5045d0666ad260a90f6e17c3f9ca7ea69443cd527649ab919125dc54944715

SHA512
d5cc1f5aed511d3d8f7f1d4a05a61ed541f73790c3028b9cf02385ff424029daaa00fd577ec8997b125f2191327657772bb036fc78d13d03e8ad6c2c917e7fd7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads