acfc29b2d6b8d6d0d796db1fa0f07c46133aa670b0fa313f91708ee8e611125d

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 11:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe
Size

408KB
MD5

63491eda1deeecab79878ac00a7cdd2b
SHA1

b1c660e932b753248763d9a20d32cfa703c432e3
SHA256

acfc29b2d6b8d6d0d796db1fa0f07c46133aa670b0fa313f91708ee8e611125d
SHA512

6449c23e7307785f5ec6345616a112ee46203a30f97c82dabf1451990c4749a922df7d8575ae3d9ecb90b64666c1d43ba76ec1204f44cd8f313047c839286df7
SSDEEP

3072:CEGh0ofl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGNldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023367-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023403-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023367-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023403-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023367-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023403-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023367-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023403-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023367-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023403-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023367-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023403-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09EC078C-EF91-4912-AADB-7F50F3E026EA}\stubpath = "C:\\Windows\\{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe"	{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F21910DE-B9A0-40f7-86FC-566471562480}\stubpath = "C:\\Windows\\{F21910DE-B9A0-40f7-86FC-566471562480}.exe"	{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D7C9884-C394-40b4-9029-039CCE10F12B}\stubpath = "C:\\Windows\\{0D7C9884-C394-40b4-9029-039CCE10F12B}.exe"	{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23CDAA3F-D0E6-4ff9-BF94-007771583F92}	{3EB5BAF8-BE27-40fc-A58B-FDA96F040EF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}	{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}\stubpath = "C:\\Windows\\{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe"	{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}\stubpath = "C:\\Windows\\{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe"	{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}\stubpath = "C:\\Windows\\{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe"	{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14C261FD-75D1-4034-BC5D-88C2C9D01A60}\stubpath = "C:\\Windows\\{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe"	{F21910DE-B9A0-40f7-86FC-566471562480}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EB5BAF8-BE27-40fc-A58B-FDA96F040EF4}	{0D7C9884-C394-40b4-9029-039CCE10F12B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23CDAA3F-D0E6-4ff9-BF94-007771583F92}\stubpath = "C:\\Windows\\{23CDAA3F-D0E6-4ff9-BF94-007771583F92}.exe"	{3EB5BAF8-BE27-40fc-A58B-FDA96F040EF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD5C945F-07A9-4be2-88D4-57CE7CB72715}	2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}\stubpath = "C:\\Windows\\{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe"	{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}	{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09EC078C-EF91-4912-AADB-7F50F3E026EA}	{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}	{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14C261FD-75D1-4034-BC5D-88C2C9D01A60}	{F21910DE-B9A0-40f7-86FC-566471562480}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD5C945F-07A9-4be2-88D4-57CE7CB72715}\stubpath = "C:\\Windows\\{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe"	2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}	{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F21910DE-B9A0-40f7-86FC-566471562480}	{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D7C9884-C394-40b4-9029-039CCE10F12B}	{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EB5BAF8-BE27-40fc-A58B-FDA96F040EF4}\stubpath = "C:\\Windows\\{3EB5BAF8-BE27-40fc-A58B-FDA96F040EF4}.exe"	{0D7C9884-C394-40b4-9029-039CCE10F12B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}	{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}\stubpath = "C:\\Windows\\{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe"	{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe

Executes dropped EXE 12 IoCs

pid	Process
1196	{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe
4816	{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe
3184	{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe
4928	{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe
1088	{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe
5044	{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe
1488	{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe
604	{F21910DE-B9A0-40f7-86FC-566471562480}.exe
644	{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe
2028	{0D7C9884-C394-40b4-9029-039CCE10F12B}.exe
2252	{3EB5BAF8-BE27-40fc-A58B-FDA96F040EF4}.exe
2008	{23CDAA3F-D0E6-4ff9-BF94-007771583F92}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe	{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe
File created	C:\Windows\{0D7C9884-C394-40b4-9029-039CCE10F12B}.exe	{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe
File created	C:\Windows\{3EB5BAF8-BE27-40fc-A58B-FDA96F040EF4}.exe	{0D7C9884-C394-40b4-9029-039CCE10F12B}.exe
File created	C:\Windows\{23CDAA3F-D0E6-4ff9-BF94-007771583F92}.exe	{3EB5BAF8-BE27-40fc-A58B-FDA96F040EF4}.exe
File created	C:\Windows\{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe	{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe
File created	C:\Windows\{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe	{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe
File created	C:\Windows\{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe	{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe
File created	C:\Windows\{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe	{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe
File created	C:\Windows\{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe	{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe
File created	C:\Windows\{F21910DE-B9A0-40f7-86FC-566471562480}.exe	{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe
File created	C:\Windows\{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe	{F21910DE-B9A0-40f7-86FC-566471562480}.exe
File created	C:\Windows\{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe	2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4132	2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1196	{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe
Token: SeIncBasePriorityPrivilege	4816	{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe
Token: SeIncBasePriorityPrivilege	3184	{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe
Token: SeIncBasePriorityPrivilege	4928	{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe
Token: SeIncBasePriorityPrivilege	1088	{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe
Token: SeIncBasePriorityPrivilege	5044	{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe
Token: SeIncBasePriorityPrivilege	1488	{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe
Token: SeIncBasePriorityPrivilege	604	{F21910DE-B9A0-40f7-86FC-566471562480}.exe
Token: SeIncBasePriorityPrivilege	644	{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe
Token: SeIncBasePriorityPrivilege	2028	{0D7C9884-C394-40b4-9029-039CCE10F12B}.exe
Token: SeIncBasePriorityPrivilege	2252	{3EB5BAF8-BE27-40fc-A58B-FDA96F040EF4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 1196	4132	2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe	82
PID 4132 wrote to memory of 1196	4132	2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe	82
PID 4132 wrote to memory of 1196	4132	2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe	82
PID 4132 wrote to memory of 4532	4132	2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe	83
PID 4132 wrote to memory of 4532	4132	2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe	83
PID 4132 wrote to memory of 4532	4132	2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe	83
PID 1196 wrote to memory of 4816	1196	{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe	84
PID 1196 wrote to memory of 4816	1196	{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe	84
PID 1196 wrote to memory of 4816	1196	{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe	84
PID 1196 wrote to memory of 5104	1196	{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe	85
PID 1196 wrote to memory of 5104	1196	{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe	85
PID 1196 wrote to memory of 5104	1196	{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe	85
PID 4816 wrote to memory of 3184	4816	{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe	87
PID 4816 wrote to memory of 3184	4816	{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe	87
PID 4816 wrote to memory of 3184	4816	{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe	87
PID 4816 wrote to memory of 4804	4816	{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe	88
PID 4816 wrote to memory of 4804	4816	{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe	88
PID 4816 wrote to memory of 4804	4816	{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe	88
PID 3184 wrote to memory of 4928	3184	{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe	89
PID 3184 wrote to memory of 4928	3184	{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe	89
PID 3184 wrote to memory of 4928	3184	{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe	89
PID 3184 wrote to memory of 8	3184	{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe	90
PID 3184 wrote to memory of 8	3184	{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe	90
PID 3184 wrote to memory of 8	3184	{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe	90
PID 4928 wrote to memory of 1088	4928	{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe	91
PID 4928 wrote to memory of 1088	4928	{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe	91
PID 4928 wrote to memory of 1088	4928	{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe	91
PID 4928 wrote to memory of 4076	4928	{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe	92
PID 4928 wrote to memory of 4076	4928	{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe	92
PID 4928 wrote to memory of 4076	4928	{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe	92
PID 1088 wrote to memory of 5044	1088	{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe	93
PID 1088 wrote to memory of 5044	1088	{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe	93
PID 1088 wrote to memory of 5044	1088	{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe	93
PID 1088 wrote to memory of 3148	1088	{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe	94
PID 1088 wrote to memory of 3148	1088	{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe	94
PID 1088 wrote to memory of 3148	1088	{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe	94
PID 5044 wrote to memory of 1488	5044	{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe	95
PID 5044 wrote to memory of 1488	5044	{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe	95
PID 5044 wrote to memory of 1488	5044	{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe	95
PID 5044 wrote to memory of 4400	5044	{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe	96
PID 5044 wrote to memory of 4400	5044	{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe	96
PID 5044 wrote to memory of 4400	5044	{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe	96
PID 1488 wrote to memory of 604	1488	{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe	97
PID 1488 wrote to memory of 604	1488	{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe	97
PID 1488 wrote to memory of 604	1488	{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe	97
PID 1488 wrote to memory of 1876	1488	{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe	98
PID 1488 wrote to memory of 1876	1488	{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe	98
PID 1488 wrote to memory of 1876	1488	{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe	98
PID 604 wrote to memory of 644	604	{F21910DE-B9A0-40f7-86FC-566471562480}.exe	99
PID 604 wrote to memory of 644	604	{F21910DE-B9A0-40f7-86FC-566471562480}.exe	99
PID 604 wrote to memory of 644	604	{F21910DE-B9A0-40f7-86FC-566471562480}.exe	99
PID 604 wrote to memory of 512	604	{F21910DE-B9A0-40f7-86FC-566471562480}.exe	100
PID 604 wrote to memory of 512	604	{F21910DE-B9A0-40f7-86FC-566471562480}.exe	100
PID 604 wrote to memory of 512	604	{F21910DE-B9A0-40f7-86FC-566471562480}.exe	100
PID 644 wrote to memory of 2028	644	{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe	101
PID 644 wrote to memory of 2028	644	{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe	101
PID 644 wrote to memory of 2028	644	{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe	101
PID 644 wrote to memory of 2604	644	{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe	102
PID 644 wrote to memory of 2604	644	{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe	102
PID 644 wrote to memory of 2604	644	{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe	102
PID 2028 wrote to memory of 2252	2028	{0D7C9884-C394-40b4-9029-039CCE10F12B}.exe	103
PID 2028 wrote to memory of 2252	2028	{0D7C9884-C394-40b4-9029-039CCE10F12B}.exe	103
PID 2028 wrote to memory of 2252	2028	{0D7C9884-C394-40b4-9029-039CCE10F12B}.exe	103
PID 2028 wrote to memory of 4224	2028	{0D7C9884-C394-40b4-9029-039CCE10F12B}.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe
  C:\Windows\{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe
    C:\Windows\{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe
      C:\Windows\{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3184
    - - C:\Windows\{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe
        
        C:\Windows\{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4928
      - C:\Windows\{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe
        
        C:\Windows\{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe
        
        C:\Windows\{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe
        
        C:\Windows\{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\{F21910DE-B9A0-40f7-86FC-566471562480}.exe
        
        C:\Windows\{F21910DE-B9A0-40f7-86FC-566471562480}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Windows\{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe
        
        C:\Windows\{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\{0D7C9884-C394-40b4-9029-039CCE10F12B}.exe
        
        C:\Windows\{0D7C9884-C394-40b4-9029-039CCE10F12B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{3EB5BAF8-BE27-40fc-A58B-FDA96F040EF4}.exe
        
        C:\Windows\{3EB5BAF8-BE27-40fc-A58B-FDA96F040EF4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{23CDAA3F-D0E6-4ff9-BF94-007771583F92}.exe
        
        C:\Windows\{23CDAA3F-D0E6-4ff9-BF94-007771583F92}.exe
        13⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EB5B~1.EXE > nul
        13⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D7C9~1.EXE > nul
        12⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14C26~1.EXE > nul
        11⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2191~1.EXE > nul
        10⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4F38~1.EXE > nul
        9⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09EC0~1.EXE > nul
        8⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2E8F~1.EXE > nul
        7⤵
        
        PID:3148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4BC4~1.EXE > nul
        6⤵
        
        PID:4076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AA7E~1.EXE > nul
        5⤵
        
        PID:8
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8E180~1.EXE > nul
      4⤵
      PID:4804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AD5C9~1.EXE > nul
    3⤵
    PID:5104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09EC078C-EF91-4912-AADB-7F50F3E026EA}.exe

Filesize
408KB

MD5
22a80fda2934bd6dcdf6250596207f06

SHA1
50af18589b07643a2642ff7a693fe6afbdfecdd5

SHA256
c0d100c1eefd5039eb790f2e0fd6fc18814edd55f601249a08d7e8b7c09b2a3d

SHA512
762b894d691d1cd41bb612aa3888a9efdf3331aa85863cd00e00363b6132a835bfd2197aaa491dcbdb30b5248cf8ef2ddfd3b2a71cdab0802abd970ed1e5388c

Download Submit
C:\Windows\{0D7C9884-C394-40b4-9029-039CCE10F12B}.exe

Filesize
408KB

MD5
f5012b99e74da4d150e130bab459c49d

SHA1
1f1eae1d4700cac7fb8471f8f0c0c602544712c9

SHA256
bd9163dc9f5c649956dcf686e427a8bce093610650f22e64fc4a252b3de88c50

SHA512
cde90ec803ceed7b9a0a6b3441b35f9dfb781da73019fd864ddfc1b48e1655bc8667542528dac7857610e8e581bf174b23f5029fc76939bfc26fec50823a0788

Download Submit
C:\Windows\{14C261FD-75D1-4034-BC5D-88C2C9D01A60}.exe

Filesize
408KB

MD5
64bc3060e35afd9b3660e4f639e63a41

SHA1
bfedb429cdd6d3f3f6d53e55e1fd6d75ef3a0e31

SHA256
00fda3e1478679239c8918cbe71c6c9d32c6fa559501d5cab3f9ca3958cd21c5

SHA512
cc9ed939863cc5f90bd4358b90a3f67d3eede45ba43d2c5d5fa6a92beef4c59bf6ff3396e71e171bec4d5e673daabdc29722c79d8f216b0299229f66124192e2

Download Submit
C:\Windows\{23CDAA3F-D0E6-4ff9-BF94-007771583F92}.exe

Filesize
408KB

MD5
4ec1e93579b321e50dbfc692c7ee68ff

SHA1
c82847386cc6f2981fee98d06b09013e117b80db

SHA256
1ca3e9991266f115e206465bc3fe6cd00c85cacf0d6d9e36a1b1610ca4230c5a

SHA512
f56f7a49b6e6dcc7201027c01a2973ea6529ecffe11427ace032bc08bcd5d2ea1898d76971e39d9e05128d3e8e3c0b308bcbb1a375ee7f3db06b2a1d97e7e5c8

Download Submit
C:\Windows\{2AA7EBB7-08B6-4907-B578-27D98D40E0D0}.exe

Filesize
408KB

MD5
ce2ae7b7bbf4326f8ca55970dbe5429e

SHA1
90b3e8f0e236829b40719db532c2d827344bd0ea

SHA256
3a0f6b383655b76fe130d08eb3e5ba75d64b9c207cdd2620febb96c4cf8b4ef0

SHA512
ad801cbe409ceccaf6697358b70ee922624d804c0468f5214c3bb2d6b2c9f6e11deacc0da789bcddb817a5af6ae5ed898ed822a76c525cecc6063a614c0156dc

Download Submit
C:\Windows\{3EB5BAF8-BE27-40fc-A58B-FDA96F040EF4}.exe

Filesize
408KB

MD5
d28c221e1ff8e3ce05fa41500bd9f427

SHA1
0b2a5c3c911ff1e83ced7e6b2080159c9bec631d

SHA256
bbd900a21bd71f9625848096d80ddbfc7608bf4dc72a13435a5fcd8a67399df5

SHA512
2360a7205411b1015a88cd38da781e43bc12abe96215faa90d3783fc71ec048b79deef3b9c090fc09fb41c558e8af3ab322837738cd36f5d5f4ce675d2b87cda

Download Submit
C:\Windows\{8E180042-2E9F-4bbc-90E5-4E2AEAA69665}.exe

Filesize
408KB

MD5
d69865324475e70602a31e10f91a0b39

SHA1
b56aaa02c94bd35ac93de5b2fe607b3995512333

SHA256
e18ee601f47bbede4cf185389e3deda4ce5bba1333b190d19d4c858999cc9e48

SHA512
8cd9aff5d59b4cb93ae791c31f12e7e1e54f95b63616ca3e0dfe765542710403675873f9d1123b769f111f1d746b063039f2d91a3e0f1f7490ac993137da90db

Download Submit
C:\Windows\{AD5C945F-07A9-4be2-88D4-57CE7CB72715}.exe

Filesize
408KB

MD5
31dd153ba32db310b36b4aa0c924ebd7

SHA1
b70b723b270937c7260adf6a92d8f59d4ff0a83f

SHA256
49c98447e955e91a7fde4a440ca0b384d1ebe5288b8eaaf3368f6dfd057594ec

SHA512
b3b1039ce0f392495f4479072f6e8be328b179a092ed27303e4dc841de80a01f35fc181046082296bc2bbb692a6bc080432b34ee76088480f338dc45665bdee2

Download Submit
C:\Windows\{C4BC4084-339C-4247-A7DE-9A4EF5E4F5F8}.exe

Filesize
408KB

MD5
02b63702f56d1b54db8a3c5a3c5219cc

SHA1
51b59e0e201a5c4bc4c235e45c276aa2b724be46

SHA256
be77a21e647a9fc9066b0de11e2f9477552658297b08360d483c706744627d6a

SHA512
08b6d0be37529b2c027e9c2a9eb4e76234104cdbb5d4f5c61da422e3b32cff9131dcc3e5e94697a8fb320aedc1db3726d5d0cb3a003c38e0550353f490aed63f

Download Submit
C:\Windows\{C4F38DBB-44BE-4d76-BD26-6F140B33B5F5}.exe

Filesize
408KB

MD5
247be0110d9efccafc9964053d38fd8c

SHA1
0564df1be274f2794a26f7507bf07138d4c4983b

SHA256
3e9844c4098e7c6643e08625c580c8bc656fa24f584a07844396383bb0d9f061

SHA512
a220b8a2f408e640bb8325b35f1b69a8050b19eae4ac15c798d998fdf9af5625069292e39502b5ca99f1b89bd37d2959601488a6f50fe44af539fae045593179

Download Submit
C:\Windows\{F21910DE-B9A0-40f7-86FC-566471562480}.exe

Filesize
408KB

MD5
3e72f20d50970f5ef700dffc8d638dbb

SHA1
950c8b7d01472bba316bb3ebbb05a5e97d4dee27

SHA256
4d440a736d88a0babae0a81dc1284add6bcc782a17690cc89150f01e2260dfdb

SHA512
8af22507207620c103644523a80b9c7c40baf20892cdc372f8deed85237cd7148c0d7367e7a68457721ab7cce92477dc60ea639cf181cdf273ec8ac7e90c9a0c

Download Submit
C:\Windows\{F2E8FAE6-2093-42e3-889C-DBC60BDE6CB9}.exe

Filesize
408KB

MD5
5835129d863a974460cdfc40480a8d19

SHA1
3503e380fa57b227136c090f09f764f0315e42e6

SHA256
d94215b7dfea45bf1182798f6fb37f7ecbfec49e66d008f4be28bb2ad9025d8f

SHA512
088263456312ab44d19a2452680dbc3a7540a03d0b41bc5a0c3c57346356e4529ad34c877a34d6ba7c5ea29627998360672b8cd96a868e6f72956d14e21856ac

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads