4f851c9a8bd282f439d18c6c2d7a33b509b5c817e89908e138658fb699448923

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_50c6fe60659d65b9850332c8e839d609_goldeneye.exe
Size

192KB
MD5

50c6fe60659d65b9850332c8e839d609
SHA1

4891007093ca47fde95b885a3e6d8058488b736d
SHA256

4f851c9a8bd282f439d18c6c2d7a33b509b5c817e89908e138658fb699448923
SHA512

5fa52d00be05151071fd1a6a3f1129cf383ec03207635f345506b431c9ff4d3c7f11a56f0ad8ebb869775c4afc46ddafeb3b57a6164d692be43fdacf3aad2b4c
SSDEEP

1536:1EGh0osLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o4l1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0005000000022973-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000022974-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023407-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002340b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023410-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340b-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023410-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002340b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023410-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002340b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023410-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002340b-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}\stubpath = "C:\\Windows\\{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe"	{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}\stubpath = "C:\\Windows\\{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe"	{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}\stubpath = "C:\\Windows\\{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe"	{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}\stubpath = "C:\\Windows\\{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe"	{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}\stubpath = "C:\\Windows\\{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}.exe"	{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46F68BF2-19DE-469c-A29C-68CDE61C652C}\stubpath = "C:\\Windows\\{46F68BF2-19DE-469c-A29C-68CDE61C652C}.exe"	{C8879D4D-8D52-4900-8084-2E6253A1DC42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}	{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C628194D-ED4F-45ce-B410-F0690F1DB946}	{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C628194D-ED4F-45ce-B410-F0690F1DB946}\stubpath = "C:\\Windows\\{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe"	{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}	{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}\stubpath = "C:\\Windows\\{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe"	{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8879D4D-8D52-4900-8084-2E6253A1DC42}\stubpath = "C:\\Windows\\{C8879D4D-8D52-4900-8084-2E6253A1DC42}.exe"	{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46F68BF2-19DE-469c-A29C-68CDE61C652C}	{C8879D4D-8D52-4900-8084-2E6253A1DC42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}	{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}	2024-06-11_50c6fe60659d65b9850332c8e839d609_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}\stubpath = "C:\\Windows\\{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe"	2024-06-11_50c6fe60659d65b9850332c8e839d609_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9822E7A-3807-45aa-99EB-E2F96D7543FD}	{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9822E7A-3807-45aa-99EB-E2F96D7543FD}\stubpath = "C:\\Windows\\{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe"	{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}	{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}\stubpath = "C:\\Windows\\{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe"	{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}	{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}	{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}	{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8879D4D-8D52-4900-8084-2E6253A1DC42}	{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}.exe

Executes dropped EXE 12 IoCs

pid	Process
456	{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe
1080	{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe
2840	{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe
4072	{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe
4220	{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe
1484	{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe
4676	{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe
4736	{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe
4932	{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe
1720	{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}.exe
4304	{C8879D4D-8D52-4900-8084-2E6253A1DC42}.exe
4100	{46F68BF2-19DE-469c-A29C-68CDE61C652C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe	{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe
File created	C:\Windows\{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe	{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe
File created	C:\Windows\{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe	{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe
File created	C:\Windows\{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe	{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe
File created	C:\Windows\{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe	{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe
File created	C:\Windows\{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}.exe	{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe
File created	C:\Windows\{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe	2024-06-11_50c6fe60659d65b9850332c8e839d609_goldeneye.exe
File created	C:\Windows\{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe	{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe
File created	C:\Windows\{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe	{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe
File created	C:\Windows\{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe	{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe
File created	C:\Windows\{C8879D4D-8D52-4900-8084-2E6253A1DC42}.exe	{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}.exe
File created	C:\Windows\{46F68BF2-19DE-469c-A29C-68CDE61C652C}.exe	{C8879D4D-8D52-4900-8084-2E6253A1DC42}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4568	2024-06-11_50c6fe60659d65b9850332c8e839d609_goldeneye.exe
Token: SeIncBasePriorityPrivilege	456	{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe
Token: SeIncBasePriorityPrivilege	1080	{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe
Token: SeIncBasePriorityPrivilege	2840	{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe
Token: SeIncBasePriorityPrivilege	4072	{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe
Token: SeIncBasePriorityPrivilege	4220	{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe
Token: SeIncBasePriorityPrivilege	1484	{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe
Token: SeIncBasePriorityPrivilege	4676	{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe
Token: SeIncBasePriorityPrivilege	4736	{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe
Token: SeIncBasePriorityPrivilege	4932	{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe
Token: SeIncBasePriorityPrivilege	1720	{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}.exe
Token: SeIncBasePriorityPrivilege	4304	{C8879D4D-8D52-4900-8084-2E6253A1DC42}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 456	4568	2024-06-11_50c6fe60659d65b9850332c8e839d609_goldeneye.exe	85
PID 4568 wrote to memory of 456	4568	2024-06-11_50c6fe60659d65b9850332c8e839d609_goldeneye.exe	85
PID 4568 wrote to memory of 456	4568	2024-06-11_50c6fe60659d65b9850332c8e839d609_goldeneye.exe	85
PID 4568 wrote to memory of 4012	4568	2024-06-11_50c6fe60659d65b9850332c8e839d609_goldeneye.exe	86
PID 4568 wrote to memory of 4012	4568	2024-06-11_50c6fe60659d65b9850332c8e839d609_goldeneye.exe	86
PID 4568 wrote to memory of 4012	4568	2024-06-11_50c6fe60659d65b9850332c8e839d609_goldeneye.exe	86
PID 456 wrote to memory of 1080	456	{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe	87
PID 456 wrote to memory of 1080	456	{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe	87
PID 456 wrote to memory of 1080	456	{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe	87
PID 456 wrote to memory of 1680	456	{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe	88
PID 456 wrote to memory of 1680	456	{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe	88
PID 456 wrote to memory of 1680	456	{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe	88
PID 1080 wrote to memory of 2840	1080	{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe	91
PID 1080 wrote to memory of 2840	1080	{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe	91
PID 1080 wrote to memory of 2840	1080	{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe	91
PID 1080 wrote to memory of 2128	1080	{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe	92
PID 1080 wrote to memory of 2128	1080	{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe	92
PID 1080 wrote to memory of 2128	1080	{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe	92
PID 2840 wrote to memory of 4072	2840	{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe	97
PID 2840 wrote to memory of 4072	2840	{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe	97
PID 2840 wrote to memory of 4072	2840	{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe	97
PID 2840 wrote to memory of 1996	2840	{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe	98
PID 2840 wrote to memory of 1996	2840	{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe	98
PID 2840 wrote to memory of 1996	2840	{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe	98
PID 4072 wrote to memory of 4220	4072	{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe	100
PID 4072 wrote to memory of 4220	4072	{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe	100
PID 4072 wrote to memory of 4220	4072	{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe	100
PID 4072 wrote to memory of 3736	4072	{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe	101
PID 4072 wrote to memory of 3736	4072	{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe	101
PID 4072 wrote to memory of 3736	4072	{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe	101
PID 4220 wrote to memory of 1484	4220	{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe	102
PID 4220 wrote to memory of 1484	4220	{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe	102
PID 4220 wrote to memory of 1484	4220	{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe	102
PID 4220 wrote to memory of 4056	4220	{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe	103
PID 4220 wrote to memory of 4056	4220	{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe	103
PID 4220 wrote to memory of 4056	4220	{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe	103
PID 1484 wrote to memory of 4676	1484	{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe	104
PID 1484 wrote to memory of 4676	1484	{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe	104
PID 1484 wrote to memory of 4676	1484	{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe	104
PID 1484 wrote to memory of 4616	1484	{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe	105
PID 1484 wrote to memory of 4616	1484	{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe	105
PID 1484 wrote to memory of 4616	1484	{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe	105
PID 4676 wrote to memory of 4736	4676	{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe	106
PID 4676 wrote to memory of 4736	4676	{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe	106
PID 4676 wrote to memory of 4736	4676	{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe	106
PID 4676 wrote to memory of 3280	4676	{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe	107
PID 4676 wrote to memory of 3280	4676	{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe	107
PID 4676 wrote to memory of 3280	4676	{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe	107
PID 4736 wrote to memory of 4932	4736	{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe	108
PID 4736 wrote to memory of 4932	4736	{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe	108
PID 4736 wrote to memory of 4932	4736	{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe	108
PID 4736 wrote to memory of 3052	4736	{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe	109
PID 4736 wrote to memory of 3052	4736	{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe	109
PID 4736 wrote to memory of 3052	4736	{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe	109
PID 4932 wrote to memory of 1720	4932	{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe	110
PID 4932 wrote to memory of 1720	4932	{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe	110
PID 4932 wrote to memory of 1720	4932	{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe	110
PID 4932 wrote to memory of 732	4932	{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe	111
PID 4932 wrote to memory of 732	4932	{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe	111
PID 4932 wrote to memory of 732	4932	{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe	111
PID 1720 wrote to memory of 4304	1720	{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}.exe	112
PID 1720 wrote to memory of 4304	1720	{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}.exe	112
PID 1720 wrote to memory of 4304	1720	{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}.exe	112
PID 1720 wrote to memory of 3108	1720	{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-06-11_50c6fe60659d65b9850332c8e839d609_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_50c6fe60659d65b9850332c8e839d609_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe
  C:\Windows\{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe
    C:\Windows\{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe
      C:\Windows\{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe
        
        C:\Windows\{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
      - C:\Windows\{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe
        
        C:\Windows\{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe
        
        C:\Windows\{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe
        
        C:\Windows\{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe
        
        C:\Windows\{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe
        
        C:\Windows\{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}.exe
        
        C:\Windows\{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\{C8879D4D-8D52-4900-8084-2E6253A1DC42}.exe
        
        C:\Windows\{C8879D4D-8D52-4900-8084-2E6253A1DC42}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\{46F68BF2-19DE-469c-A29C-68CDE61C652C}.exe
        
        C:\Windows\{46F68BF2-19DE-469c-A29C-68CDE61C652C}.exe
        13⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8879~1.EXE > nul
        13⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC57F~1.EXE > nul
        12⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB07A~1.EXE > nul
        11⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C683~1.EXE > nul
        10⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67DE4~1.EXE > nul
        9⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6281~1.EXE > nul
        8⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86A03~1.EXE > nul
        7⤵
        
        PID:4056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{289BB~1.EXE > nul
        6⤵
        
        PID:3736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF66A~1.EXE > nul
        5⤵
        
        PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B9822~1.EXE > nul
      4⤵
      PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{60B63~1.EXE > nul
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C683FDF-38DF-4a3c-A903-2F95AB8E8FBC}.exe

Filesize
192KB

MD5
999ca4df42091345ef94c5f04eb4f6a1

SHA1
571accc4fa876f2cf9f5d3d50840e467874eb310

SHA256
cb6cf55671af3a061c59771a0c3788793bf5c8f27bbd862161beaf4b63285588

SHA512
e03737c4350c2f84a8c78f180083712f55af486ea0aa3a8121dfc57e92adc3c407e1610bf1a3d253430cbed1f6a2885560ea14fa996a663e35d1beab05fb8c6f

Download Submit
C:\Windows\{289BB29A-FC47-4d71-9A18-6CE542F3BCA6}.exe

Filesize
192KB

MD5
a56c642d190d7e50390f39686f2ce0a4

SHA1
7926fff960fd308dd07d01da6f386429a802a8cf

SHA256
8bfc8121bef4ae3427e13d244f7121f380e1f59a90103f11e15209d6304c1e05

SHA512
e27a9f331ed9689b9c4faf4c07f9d397e871d11e4247f8d47419d1a3742d43cb45d05198b7f8516d405178772438f67fcf7394b78fe6f955574381b730d78d12

Download Submit
C:\Windows\{46F68BF2-19DE-469c-A29C-68CDE61C652C}.exe

Filesize
192KB

MD5
578db93de60bcc5cbfb462957e3844bc

SHA1
04579c4a6dfe20d2d52993dbd35143d717cec3e7

SHA256
e9d74f76e0e7322d257f13e5192a56473063071a1b8318896174c55652f8c72e

SHA512
37f5c9e8298cacdd55848874d37d572580a16cf788b3d886e0a1dca9a700cc40673a4f71482c1c3d90afca311205d6ba5d7bdad396ea79dd3781b1b247f16345

Download Submit
C:\Windows\{60B6360F-5FDF-4bcd-98EE-21030D7E6A37}.exe

Filesize
192KB

MD5
d3b1b66d2ab619d9869b64862c7966a0

SHA1
d9d1a58fb8d36797347863cdf7de629a63173cdc

SHA256
6aa6aa54c5e28c6b2b86d2c15a9376f578d510ac05196e532e4be6b5f118ed08

SHA512
b6522d864f73697e3c04776e7e5e3d7678d556f076dc75cf601b13220cebd2fa3f754bff51eefff4dd59376d11d16753ead9659d34a95c17c8d474c7cbf9ecd8

Download Submit
C:\Windows\{67DE43DD-8DE9-455a-BC85-B5CD29F0CB46}.exe

Filesize
192KB

MD5
1327d61ae061c8e97df08c64b1a47e9f

SHA1
287fd91e0abc3e9f9fd703e7ae14311c78273eb5

SHA256
196102188553e3eb80b67a8edb58c28ba492635f20c2f6d0eac656a336a62cc0

SHA512
2ee06c606997cbaec2e368b42f0db4c4222d2cc4004a918af895b539fd95d0d1b5171d4b5cac556018d4e50e6edbbc77e36178fba31571fe73cd4be73e8f0062

Download Submit
C:\Windows\{86A03C9C-0BC3-4320-8B17-AA93A8764C4B}.exe

Filesize
192KB

MD5
6f6ea8bc1f631990d38422a0b3f5f2cb

SHA1
f38d58a98fe5477828f13d0df1dadeffd27f6b2d

SHA256
a075f4cd9dbd8b6322e6444a98722ccec0e08b1482b51d4ae6c275aec40dd18e

SHA512
c5f3b6b326dbe3bdcbac63aff419d3972ac00b964460b9406ffc8754e594f123bd44540576cfb6e7a7af54309f7c5fc96e9aec909f6357ee692dac69631482e6

Download Submit
C:\Windows\{B9822E7A-3807-45aa-99EB-E2F96D7543FD}.exe

Filesize
192KB

MD5
b0337560f8443d7bcc5e045aebb7c9cc

SHA1
635c4b4b9dba110b5941cbd46b691ef29a9a48d3

SHA256
4ba1d03e305e2d31eafc94a4a89a6c815b7bc76a1607eae9d514b25a64679f5c

SHA512
1ab7878163a9170da4851a718f6acd7caa664cee8e5603ece819e1cc2d7c0f211c405dc331ac69708e2bc3ef7eea23ed398b7556dc53b2b7b74eea00984cdfdd

Download Submit
C:\Windows\{BB07AEBA-EC49-496a-BFA4-B28B08FD1E7F}.exe

Filesize
192KB

MD5
7e167419686774e7fdd7ece7e5a473d3

SHA1
308a4d1ff1d2626302ec76fa642c615be17ffb70

SHA256
c46144b1fc0b250bc45ee4ed5410a043bd08853b1c3f07b1f6b78f8b448d35db

SHA512
43e6ab2eae0eeac3152afe7ac98c5cf2a187375d9be262d4022da0f85a2f3686503ee9cb8612c078bdda3df33ac123c8f86024af8894080aee0bdee46eb4bb1a

Download Submit
C:\Windows\{BC57FDDD-A587-4acf-9B03-B449E7FAA2F2}.exe

Filesize
192KB

MD5
ce22afcc7e5652c117939c6a13b78d2b

SHA1
1aa19a466824d28f5e86a74fa78381bf64570bca

SHA256
01fd9b1e87f7a97134805b1bb27567b18ba22bbaa6b7c3cba34f38c52b7a0e13

SHA512
96d21d1ba43d5bd11ee20327983cbc9259c83a35def8a35eeda67fb06874ddbf0dc7c4da5b9988db3af41e5c2d8405e3c7e9225cf27e11ead278e014ae874c94

Download Submit
C:\Windows\{C628194D-ED4F-45ce-B410-F0690F1DB946}.exe

Filesize
192KB

MD5
809b8b719817456472e973a8725dde62

SHA1
8be2a5090f2c2978379cc044533379cbcb8dd145

SHA256
a5875c965dd6c0af60b528316306e8b620a0b7c46eecaad3ce26142905b0282e

SHA512
df90035b045f62df72e5e3cec7586a5859349a534e18c39a5758aee5da97bc8909543c408706ba177f472cfe3875b02b4133237c32bcd93a2c4b8ae8f2efac31

Download Submit
C:\Windows\{C8879D4D-8D52-4900-8084-2E6253A1DC42}.exe

Filesize
192KB

MD5
730454d188277748190e8a3185b87cfd

SHA1
8cb257cba6da9f6ee80049524bad053a1966b3a7

SHA256
6d1b033065fddf5ff075e06cfce1a56c3932a529cf0d32b3ed9a55efa419c839

SHA512
fe8605e4d9baa4cb90f4159b0538cdd0850111e390f3d1b998f8ee502ea2331a8b54cd6566d395800b82517436be814b0c4603025fd99ccd031ecf07bc3d7d37

Download Submit
C:\Windows\{CF66A2FF-937A-42a5-AA80-6502F8E23AE0}.exe

Filesize
192KB

MD5
5217856e4ecbbd7cabf56ce6c7740fcc

SHA1
eb4bd137dc651db72207537ce9d5917645b5d19b

SHA256
3493e4c834978116f048e9240b4d5170b1068324d8e4b190017c81c50019dc08

SHA512
2100ee6a49500421c564642b7a6b16fd99e867d427fc06ae3bd2191031852d7bb2d0d78b37f4ace890db564b8036d34c5956171b3de9cc927c6dc2680a25f3a2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads