3b331a65617bd9d48bcc508c95157f004b9de03c2e80445b36626de84c36dc32

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_40947240d3f7613c541213e1042d765d_goldeneye.exe
Size

380KB
MD5

40947240d3f7613c541213e1042d765d
SHA1

e4eeebd96635c760206720717cecfbc38bcee821
SHA256

3b331a65617bd9d48bcc508c95157f004b9de03c2e80445b36626de84c36dc32
SHA512

34c3dcbfeac23a42bd76f3cf2c8efea504a778cbae01f5a2e934bb40a2dcd626797c628ca5d59cce6391099f935dfd9935d083852a0e918da027d494fb0efcf6
SSDEEP

3072:mEGh0ovlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGtl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022ab6-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022abf-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340e-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023411-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023417-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023411-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023417-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023411-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023417-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023411-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023417-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023411-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}\stubpath = "C:\\Windows\\{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}.exe"	{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5939C8A-A18D-4654-9837-D4D1F5217A1A}	{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{545D6FCE-998B-421f-A40A-99C9F9825ABD}	{C5939C8A-A18D-4654-9837-D4D1F5217A1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C80A98D-712A-4456-A5EE-DDDE2415F92A}\stubpath = "C:\\Windows\\{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe"	{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}	{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}\stubpath = "C:\\Windows\\{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe"	{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D481E27A-7F56-4f05-BC7B-BB57A2A28579}	{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}\stubpath = "C:\\Windows\\{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe"	{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5939C8A-A18D-4654-9837-D4D1F5217A1A}\stubpath = "C:\\Windows\\{C5939C8A-A18D-4654-9837-D4D1F5217A1A}.exe"	{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{545D6FCE-998B-421f-A40A-99C9F9825ABD}\stubpath = "C:\\Windows\\{545D6FCE-998B-421f-A40A-99C9F9825ABD}.exe"	{C5939C8A-A18D-4654-9837-D4D1F5217A1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBDEA755-3074-4d39-827A-1F7A7E03E27B}\stubpath = "C:\\Windows\\{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe"	2024-06-11_40947240d3f7613c541213e1042d765d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55B65EC9-88A2-4d15-9732-AD39C8906804}\stubpath = "C:\\Windows\\{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe"	{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}	{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}	{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}	{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}\stubpath = "C:\\Windows\\{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe"	{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}	{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBDEA755-3074-4d39-827A-1F7A7E03E27B}	2024-06-11_40947240d3f7613c541213e1042d765d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55B65EC9-88A2-4d15-9732-AD39C8906804}	{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D481E27A-7F56-4f05-BC7B-BB57A2A28579}\stubpath = "C:\\Windows\\{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe"	{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}\stubpath = "C:\\Windows\\{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe"	{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}	{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C80A98D-712A-4456-A5EE-DDDE2415F92A}	{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}\stubpath = "C:\\Windows\\{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe"	{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe

Executes dropped EXE 12 IoCs

pid	Process
4912	{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe
1168	{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe
3340	{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe
2204	{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe
1428	{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe
4660	{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe
4100	{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe
1592	{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe
1580	{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe
3496	{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}.exe
3960	{C5939C8A-A18D-4654-9837-D4D1F5217A1A}.exe
3284	{545D6FCE-998B-421f-A40A-99C9F9825ABD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C5939C8A-A18D-4654-9837-D4D1F5217A1A}.exe	{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}.exe
File created	C:\Windows\{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe	{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe
File created	C:\Windows\{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe	{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe
File created	C:\Windows\{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe	{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe
File created	C:\Windows\{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe	{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe
File created	C:\Windows\{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}.exe	{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe
File created	C:\Windows\{545D6FCE-998B-421f-A40A-99C9F9825ABD}.exe	{C5939C8A-A18D-4654-9837-D4D1F5217A1A}.exe
File created	C:\Windows\{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe	2024-06-11_40947240d3f7613c541213e1042d765d_goldeneye.exe
File created	C:\Windows\{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe	{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe
File created	C:\Windows\{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe	{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe
File created	C:\Windows\{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe	{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe
File created	C:\Windows\{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe	{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5036	2024-06-11_40947240d3f7613c541213e1042d765d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4912	{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe
Token: SeIncBasePriorityPrivilege	1168	{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe
Token: SeIncBasePriorityPrivilege	3340	{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe
Token: SeIncBasePriorityPrivilege	2204	{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe
Token: SeIncBasePriorityPrivilege	1428	{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe
Token: SeIncBasePriorityPrivilege	4660	{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe
Token: SeIncBasePriorityPrivilege	4100	{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe
Token: SeIncBasePriorityPrivilege	1592	{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe
Token: SeIncBasePriorityPrivilege	1580	{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe
Token: SeIncBasePriorityPrivilege	3496	{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}.exe
Token: SeIncBasePriorityPrivilege	3960	{C5939C8A-A18D-4654-9837-D4D1F5217A1A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4912	5036	2024-06-11_40947240d3f7613c541213e1042d765d_goldeneye.exe	86
PID 5036 wrote to memory of 4912	5036	2024-06-11_40947240d3f7613c541213e1042d765d_goldeneye.exe	86
PID 5036 wrote to memory of 4912	5036	2024-06-11_40947240d3f7613c541213e1042d765d_goldeneye.exe	86
PID 5036 wrote to memory of 4816	5036	2024-06-11_40947240d3f7613c541213e1042d765d_goldeneye.exe	87
PID 5036 wrote to memory of 4816	5036	2024-06-11_40947240d3f7613c541213e1042d765d_goldeneye.exe	87
PID 5036 wrote to memory of 4816	5036	2024-06-11_40947240d3f7613c541213e1042d765d_goldeneye.exe	87
PID 4912 wrote to memory of 1168	4912	{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe	88
PID 4912 wrote to memory of 1168	4912	{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe	88
PID 4912 wrote to memory of 1168	4912	{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe	88
PID 4912 wrote to memory of 2196	4912	{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe	89
PID 4912 wrote to memory of 2196	4912	{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe	89
PID 4912 wrote to memory of 2196	4912	{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe	89
PID 1168 wrote to memory of 3340	1168	{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe	92
PID 1168 wrote to memory of 3340	1168	{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe	92
PID 1168 wrote to memory of 3340	1168	{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe	92
PID 1168 wrote to memory of 2592	1168	{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe	93
PID 1168 wrote to memory of 2592	1168	{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe	93
PID 1168 wrote to memory of 2592	1168	{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe	93
PID 3340 wrote to memory of 2204	3340	{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe	98
PID 3340 wrote to memory of 2204	3340	{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe	98
PID 3340 wrote to memory of 2204	3340	{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe	98
PID 3340 wrote to memory of 440	3340	{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe	99
PID 3340 wrote to memory of 440	3340	{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe	99
PID 3340 wrote to memory of 440	3340	{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe	99
PID 2204 wrote to memory of 1428	2204	{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe	101
PID 2204 wrote to memory of 1428	2204	{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe	101
PID 2204 wrote to memory of 1428	2204	{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe	101
PID 2204 wrote to memory of 1560	2204	{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe	102
PID 2204 wrote to memory of 1560	2204	{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe	102
PID 2204 wrote to memory of 1560	2204	{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe	102
PID 1428 wrote to memory of 4660	1428	{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe	103
PID 1428 wrote to memory of 4660	1428	{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe	103
PID 1428 wrote to memory of 4660	1428	{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe	103
PID 1428 wrote to memory of 1484	1428	{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe	104
PID 1428 wrote to memory of 1484	1428	{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe	104
PID 1428 wrote to memory of 1484	1428	{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe	104
PID 4660 wrote to memory of 4100	4660	{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe	105
PID 4660 wrote to memory of 4100	4660	{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe	105
PID 4660 wrote to memory of 4100	4660	{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe	105
PID 4660 wrote to memory of 4068	4660	{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe	106
PID 4660 wrote to memory of 4068	4660	{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe	106
PID 4660 wrote to memory of 4068	4660	{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe	106
PID 4100 wrote to memory of 1592	4100	{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe	107
PID 4100 wrote to memory of 1592	4100	{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe	107
PID 4100 wrote to memory of 1592	4100	{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe	107
PID 4100 wrote to memory of 468	4100	{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe	108
PID 4100 wrote to memory of 468	4100	{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe	108
PID 4100 wrote to memory of 468	4100	{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe	108
PID 1592 wrote to memory of 1580	1592	{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe	109
PID 1592 wrote to memory of 1580	1592	{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe	109
PID 1592 wrote to memory of 1580	1592	{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe	109
PID 1592 wrote to memory of 3304	1592	{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe	110
PID 1592 wrote to memory of 3304	1592	{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe	110
PID 1592 wrote to memory of 3304	1592	{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe	110
PID 1580 wrote to memory of 3496	1580	{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe	111
PID 1580 wrote to memory of 3496	1580	{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe	111
PID 1580 wrote to memory of 3496	1580	{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe	111
PID 1580 wrote to memory of 3096	1580	{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe	112
PID 1580 wrote to memory of 3096	1580	{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe	112
PID 1580 wrote to memory of 3096	1580	{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe	112
PID 3496 wrote to memory of 3960	3496	{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}.exe	113
PID 3496 wrote to memory of 3960	3496	{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}.exe	113
PID 3496 wrote to memory of 3960	3496	{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}.exe	113
PID 3496 wrote to memory of 3416	3496	{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-06-11_40947240d3f7613c541213e1042d765d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_40947240d3f7613c541213e1042d765d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe
  C:\Windows\{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe
    C:\Windows\{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe
      C:\Windows\{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3340
    - - C:\Windows\{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe
        
        C:\Windows\{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Windows\{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe
        
        C:\Windows\{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe
        
        C:\Windows\{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe
        
        C:\Windows\{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe
        
        C:\Windows\{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe
        
        C:\Windows\{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}.exe
        
        C:\Windows\{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\{C5939C8A-A18D-4654-9837-D4D1F5217A1A}.exe
        
        C:\Windows\{C5939C8A-A18D-4654-9837-D4D1F5217A1A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
        
        C:\Windows\{545D6FCE-998B-421f-A40A-99C9F9825ABD}.exe
        
        C:\Windows\{545D6FCE-998B-421f-A40A-99C9F9825ABD}.exe
        13⤵
        Executes dropped EXE
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5939~1.EXE > nul
        13⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E7D2~1.EXE > nul
        12⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09198~1.EXE > nul
        11⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2921C~1.EXE > nul
        10⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF10E~1.EXE > nul
        9⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCF0F~1.EXE > nul
        8⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D481E~1.EXE > nul
        7⤵
        
        PID:1484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55B65~1.EXE > nul
        6⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4B57~1.EXE > nul
        5⤵
        
        PID:440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7C80A~1.EXE > nul
      4⤵
      PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EBDEA~1.EXE > nul
    3⤵
    PID:2196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09198D27-4DA7-4263-B1EA-6D8CC50F5BEB}.exe

Filesize
380KB

MD5
735684b022c3f30f76032019342e3078

SHA1
54a1537d3a8f6200f41efffb197e53cb7f4e0b74

SHA256
ee1cd32add8ba1cf2970e722a331c682762788345e9afffe6559fe4a5b70721a

SHA512
e53450419ac495d22d5ee66716f190cf50a89fb18bec59779d057c4fb7cf070e6bf3f10687dd870364063b7bf61f590a280f74cb4c3368e4adef5e21ef2ab4c3

Download Submit
C:\Windows\{0E7D2890-C584-4e3f-A6CC-52CC0A589EDC}.exe

Filesize
380KB

MD5
0022a9676d9b67bf1a61aed49cd4d5fc

SHA1
8c842d465455caa9f1cb0c2f6a9023315f6cff9c

SHA256
2d32114598dffc28b2d08eb9194d710de0ef922ecce26f11c82dc132edf47612

SHA512
01e62fcbe1a29360bf5e3dbbb75e3b47d01a1ec0e8ec65ac5646a936eb08b6d6eb6afb9ba102ccc459bff7443dc1a5a0d9be8e63a44e3ac27f4d8a978cc0bf3f

Download Submit
C:\Windows\{2921C06E-7F3A-45f8-9C8B-9E8BD0A1E2B6}.exe

Filesize
380KB

MD5
8eab27bd31bfe2e6a1941e9b31fae56b

SHA1
e53b8ffb5c4025e5f97048de6de679ae3d23ebe8

SHA256
0d92af1f72e1d3fa9ce4cb416ece40f9480f549b774e966ae051a0597c73ef38

SHA512
e535e010b44dfe1639f69f1cdffd8bffcee00a9e17924b4a2a5f6243d72955199f574c739555f02d7128b8a8f7fda1f397d004b95f47cebfa6702c77474287d2

Download Submit
C:\Windows\{545D6FCE-998B-421f-A40A-99C9F9825ABD}.exe

Filesize
380KB

MD5
3b2774bac35feb829701c99ad751de46

SHA1
c9aea4132aba9d934a625614b7abea1bb88acbce

SHA256
c5425f50c6caac9b431415a5dbf7f8357080cee219d83af909c87f0b85f55eac

SHA512
ad940be3591220c5b16c53d1b187b0fa0313efe665fd935bf2e6425e1f2f1c2b55f2ac0f2b5483d7e82829d72ddf430118de5f3881a913657b48800d17219a4b

Download Submit
C:\Windows\{55B65EC9-88A2-4d15-9732-AD39C8906804}.exe

Filesize
380KB

MD5
a575c8232af52b021498b762bd220593

SHA1
7a1c55375ced4a1abb7783d2d70df031bbd6599e

SHA256
ba87b3823974e7f43e3e6742b47e5ea420a996b8c6d8532b062773c972037006

SHA512
aba476fd7f58241686b30f92f693f2b1ca9207e7da663e2314a3fd857cf41e3a4c819324bacfd03bfa5a22dc041191093b845e2ecbd8f944b4757361f60627bb

Download Submit
C:\Windows\{7C80A98D-712A-4456-A5EE-DDDE2415F92A}.exe

Filesize
380KB

MD5
4a58ee7fdf962c627432d0deb91da15d

SHA1
99c75cf19b06babae59b275525ecb606c7fe9336

SHA256
d8aa22e22e77f686516c7cd01c9253ee6920d5e19e67902b89b57433da2b51fa

SHA512
83af4d6c3203d388d7b41280674662b1908eb459bea0c7d622ae949158852282a12e03f4ae0b64fb89ffb235baceb34734562674b2439a316417962a682d8621

Download Submit
C:\Windows\{BCF0F2D1-FF1A-4e2b-AB2B-7A8B991875B5}.exe

Filesize
380KB

MD5
a52fcbf9d08eaa55781a828dadd9882b

SHA1
0018e27990684f2989b7c374b00bc52873eb9cb5

SHA256
45999ce2f5f965e1371268b1647cbd7e11782aaf77581871c09e751ce8c9b7f5

SHA512
36dd799f08030447951e203279b944c0dc3f5427cb55b5e682170a87f008b94152b03867caf5ba36ddb4855325fe2570cb1768de5b0eca696d1d46922bbf85cf

Download Submit
C:\Windows\{BF10E655-CC52-49b6-A7EF-21B0FE3524A1}.exe

Filesize
380KB

MD5
a3a8aaeb646f406a5f3581fd6da4b4e4

SHA1
91b26d82d5941e9a22c7e803a7913f65ed3d38cb

SHA256
23c94568d1a8998e38a8194c7903b65ee9aca228557a316cb58a8a85b33c10de

SHA512
d592bc68b6fe82b1af0eeea04d3a543a4155f92f8d07cdef67638d5e66121bdd157554d2d58212fed6d7950478b948dae06b74186020d21ec228ad7078582542

Download Submit
C:\Windows\{C5939C8A-A18D-4654-9837-D4D1F5217A1A}.exe

Filesize
380KB

MD5
13521ce73f8bffc3eabe2fde6f184cd5

SHA1
6429c17d3159676e5963365365e01dd7777165c5

SHA256
e584439635633d0243991ef311b1c0d5eda1e28a00058ea7a4eaa76dca6a1661

SHA512
60cfd30d3797c608c8a88190ef56a7c26b3e51d7f3310e96feaaf816024bffedcc4a5d3e3552b213170674a87c43bbdbd4a2be03d51adb1f967c235e89c1c175

Download Submit
C:\Windows\{D481E27A-7F56-4f05-BC7B-BB57A2A28579}.exe

Filesize
380KB

MD5
41f06364449e3a772cd6d299658e720d

SHA1
5b5e9ec3f4d8eb3d0d024909e380f991392c48f6

SHA256
248df9da499c8deb054a68d335d274cae0d4f5f2302bae52ed25869ec0911126

SHA512
72225b0cbd703bf9f3d4d71057bc86be262c7314723350d58acaf98390bf568646195f9c0a533058944c73463c059ebed8156f20138973bca9059b208c52d3a8

Download Submit
C:\Windows\{D4B572A4-971F-4caa-A11B-66B6FDE0AD79}.exe

Filesize
380KB

MD5
1bc04cdf4d8d3e54fadcb8a5e397a6d3

SHA1
0667878e17292d77e15e70605c6e22973a645c59

SHA256
cb5f6760c9eab637ccfe13592d3fe8fcff4c769ea80f9d3b25dafd9ebaec7be4

SHA512
f1dd0e36eb3620b31e67dd94a65e9c7d5dc7ff71e2a6ba9e5a16fbb321e4481faa9c9580215afca7d01f4bba9322b10fc0af36eb49c4e27503a7fe466e5da89b

Download Submit
C:\Windows\{EBDEA755-3074-4d39-827A-1F7A7E03E27B}.exe

Filesize
380KB

MD5
91f3b98e7443d05f3f00c57d53acff19

SHA1
9cd1a077c6e7cdb5b45ac4a05755bcf7684789b3

SHA256
885ec11a1159f070d47d865e95ed20eedc43eb7e372f54cd846e31b35ff24e89

SHA512
48d67bb3f48a8a830899edb8e5acf2a6839524e4f1b3a4989811066ae996cd9b883d63d840d20aee174c560ad5faac6dbdc75d94706878dabce7b12803b35c12

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads