f3f4cd68fdc8e51433cf2ffd0d259b1a11e7b24e1c55e15fc406ff9dcd7b8cf7

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 10:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-14_6437dabae7d25257bb573a0b73c6042e_goldeneye.exe
Size

380KB
MD5

6437dabae7d25257bb573a0b73c6042e
SHA1

3b7b445c4a9b759d1eefbb5b83c61eb682bae8e0
SHA256

f3f4cd68fdc8e51433cf2ffd0d259b1a11e7b24e1c55e15fc406ff9dcd7b8cf7
SHA512

a0af082c0baa99f0e7cf6d3124a1a71ff448af3ca1fe763c0c71bb52810ba370ed23ba00d2d92ae5541ec4235c2e521c2b9f70d3d7b5aade1869397f121da5c1
SSDEEP

3072:mEGh0oklPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGml7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000001e3f9-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e6dc-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e7eb-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e6dc-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e7eb-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e6dc-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e7eb-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e6dc-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e7eb-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e6dc-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e7eb-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e6dc-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13BC4D1A-6403-42d7-8689-6682834AA77A}	{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67F5A5C2-0092-401d-A80A-497816CBD992}	{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}	2024-06-14_6437dabae7d25257bb573a0b73c6042e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}\stubpath = "C:\\Windows\\{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe"	2024-06-14_6437dabae7d25257bb573a0b73c6042e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AF68271-1636-49ef-9788-EDE8D38D5A0D}	{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}	{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B124B39-2131-42d2-88BD-06FCED4F48A9}	{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}\stubpath = "C:\\Windows\\{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe"	{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67F5A5C2-0092-401d-A80A-497816CBD992}\stubpath = "C:\\Windows\\{67F5A5C2-0092-401d-A80A-497816CBD992}.exe"	{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}	{2C34E504-D023-42a8-858F-127913516A79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86B90E32-43B1-4e6a-8005-552048E8573B}	{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}\stubpath = "C:\\Windows\\{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}.exe"	{2C34E504-D023-42a8-858F-127913516A79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86B90E32-43B1-4e6a-8005-552048E8573B}\stubpath = "C:\\Windows\\{86B90E32-43B1-4e6a-8005-552048E8573B}.exe"	{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B01FA3DE-880E-4397-AA54-6F51E63CEE6A}\stubpath = "C:\\Windows\\{B01FA3DE-880E-4397-AA54-6F51E63CEE6A}.exe"	{86B90E32-43B1-4e6a-8005-552048E8573B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AF68271-1636-49ef-9788-EDE8D38D5A0D}\stubpath = "C:\\Windows\\{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe"	{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AE81D30-D5D9-4d97-851D-D01AE7009C21}	{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AE81D30-D5D9-4d97-851D-D01AE7009C21}\stubpath = "C:\\Windows\\{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe"	{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}\stubpath = "C:\\Windows\\{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe"	{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}	{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C34E504-D023-42a8-858F-127913516A79}\stubpath = "C:\\Windows\\{2C34E504-D023-42a8-858F-127913516A79}.exe"	{67F5A5C2-0092-401d-A80A-497816CBD992}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B124B39-2131-42d2-88BD-06FCED4F48A9}\stubpath = "C:\\Windows\\{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe"	{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13BC4D1A-6403-42d7-8689-6682834AA77A}\stubpath = "C:\\Windows\\{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe"	{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C34E504-D023-42a8-858F-127913516A79}	{67F5A5C2-0092-401d-A80A-497816CBD992}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B01FA3DE-880E-4397-AA54-6F51E63CEE6A}	{86B90E32-43B1-4e6a-8005-552048E8573B}.exe

Executes dropped EXE 12 IoCs

pid	Process
524	{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe
2696	{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe
3860	{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe
4424	{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe
4288	{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe
4464	{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe
1212	{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe
3548	{67F5A5C2-0092-401d-A80A-497816CBD992}.exe
3756	{2C34E504-D023-42a8-858F-127913516A79}.exe
516	{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}.exe
3532	{86B90E32-43B1-4e6a-8005-552048E8573B}.exe
4220	{B01FA3DE-880E-4397-AA54-6F51E63CEE6A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe	{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe
File created	C:\Windows\{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe	{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe
File created	C:\Windows\{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe	{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe
File created	C:\Windows\{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe	{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe
File created	C:\Windows\{2C34E504-D023-42a8-858F-127913516A79}.exe	{67F5A5C2-0092-401d-A80A-497816CBD992}.exe
File created	C:\Windows\{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}.exe	{2C34E504-D023-42a8-858F-127913516A79}.exe
File created	C:\Windows\{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe	2024-06-14_6437dabae7d25257bb573a0b73c6042e_goldeneye.exe
File created	C:\Windows\{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe	{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe
File created	C:\Windows\{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe	{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe
File created	C:\Windows\{67F5A5C2-0092-401d-A80A-497816CBD992}.exe	{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe
File created	C:\Windows\{86B90E32-43B1-4e6a-8005-552048E8573B}.exe	{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}.exe
File created	C:\Windows\{B01FA3DE-880E-4397-AA54-6F51E63CEE6A}.exe	{86B90E32-43B1-4e6a-8005-552048E8573B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2376	2024-06-14_6437dabae7d25257bb573a0b73c6042e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	524	{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe
Token: SeIncBasePriorityPrivilege	2696	{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe
Token: SeIncBasePriorityPrivilege	3860	{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe
Token: SeIncBasePriorityPrivilege	4424	{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe
Token: SeIncBasePriorityPrivilege	4288	{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe
Token: SeIncBasePriorityPrivilege	4464	{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe
Token: SeIncBasePriorityPrivilege	1212	{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe
Token: SeIncBasePriorityPrivilege	3548	{67F5A5C2-0092-401d-A80A-497816CBD992}.exe
Token: SeIncBasePriorityPrivilege	3756	{2C34E504-D023-42a8-858F-127913516A79}.exe
Token: SeIncBasePriorityPrivilege	516	{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}.exe
Token: SeIncBasePriorityPrivilege	3532	{86B90E32-43B1-4e6a-8005-552048E8573B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 524	2376	2024-06-14_6437dabae7d25257bb573a0b73c6042e_goldeneye.exe	88
PID 2376 wrote to memory of 524	2376	2024-06-14_6437dabae7d25257bb573a0b73c6042e_goldeneye.exe	88
PID 2376 wrote to memory of 524	2376	2024-06-14_6437dabae7d25257bb573a0b73c6042e_goldeneye.exe	88
PID 2376 wrote to memory of 2348	2376	2024-06-14_6437dabae7d25257bb573a0b73c6042e_goldeneye.exe	89
PID 2376 wrote to memory of 2348	2376	2024-06-14_6437dabae7d25257bb573a0b73c6042e_goldeneye.exe	89
PID 2376 wrote to memory of 2348	2376	2024-06-14_6437dabae7d25257bb573a0b73c6042e_goldeneye.exe	89
PID 524 wrote to memory of 2696	524	{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe	90
PID 524 wrote to memory of 2696	524	{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe	90
PID 524 wrote to memory of 2696	524	{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe	90
PID 524 wrote to memory of 4384	524	{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe	91
PID 524 wrote to memory of 4384	524	{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe	91
PID 524 wrote to memory of 4384	524	{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe	91
PID 2696 wrote to memory of 3860	2696	{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe	95
PID 2696 wrote to memory of 3860	2696	{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe	95
PID 2696 wrote to memory of 3860	2696	{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe	95
PID 2696 wrote to memory of 4076	2696	{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe	96
PID 2696 wrote to memory of 4076	2696	{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe	96
PID 2696 wrote to memory of 4076	2696	{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe	96
PID 3860 wrote to memory of 4424	3860	{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe	97
PID 3860 wrote to memory of 4424	3860	{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe	97
PID 3860 wrote to memory of 4424	3860	{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe	97
PID 3860 wrote to memory of 1076	3860	{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe	98
PID 3860 wrote to memory of 1076	3860	{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe	98
PID 3860 wrote to memory of 1076	3860	{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe	98
PID 4424 wrote to memory of 4288	4424	{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe	99
PID 4424 wrote to memory of 4288	4424	{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe	99
PID 4424 wrote to memory of 4288	4424	{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe	99
PID 4424 wrote to memory of 3720	4424	{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe	100
PID 4424 wrote to memory of 3720	4424	{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe	100
PID 4424 wrote to memory of 3720	4424	{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe	100
PID 4288 wrote to memory of 4464	4288	{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe	101
PID 4288 wrote to memory of 4464	4288	{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe	101
PID 4288 wrote to memory of 4464	4288	{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe	101
PID 4288 wrote to memory of 4240	4288	{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe	102
PID 4288 wrote to memory of 4240	4288	{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe	102
PID 4288 wrote to memory of 4240	4288	{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe	102
PID 4464 wrote to memory of 1212	4464	{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe	103
PID 4464 wrote to memory of 1212	4464	{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe	103
PID 4464 wrote to memory of 1212	4464	{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe	103
PID 4464 wrote to memory of 3104	4464	{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe	104
PID 4464 wrote to memory of 3104	4464	{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe	104
PID 4464 wrote to memory of 3104	4464	{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe	104
PID 1212 wrote to memory of 3548	1212	{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe	105
PID 1212 wrote to memory of 3548	1212	{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe	105
PID 1212 wrote to memory of 3548	1212	{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe	105
PID 1212 wrote to memory of 4616	1212	{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe	106
PID 1212 wrote to memory of 4616	1212	{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe	106
PID 1212 wrote to memory of 4616	1212	{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe	106
PID 3548 wrote to memory of 3756	3548	{67F5A5C2-0092-401d-A80A-497816CBD992}.exe	107
PID 3548 wrote to memory of 3756	3548	{67F5A5C2-0092-401d-A80A-497816CBD992}.exe	107
PID 3548 wrote to memory of 3756	3548	{67F5A5C2-0092-401d-A80A-497816CBD992}.exe	107
PID 3548 wrote to memory of 900	3548	{67F5A5C2-0092-401d-A80A-497816CBD992}.exe	108
PID 3548 wrote to memory of 900	3548	{67F5A5C2-0092-401d-A80A-497816CBD992}.exe	108
PID 3548 wrote to memory of 900	3548	{67F5A5C2-0092-401d-A80A-497816CBD992}.exe	108
PID 3756 wrote to memory of 516	3756	{2C34E504-D023-42a8-858F-127913516A79}.exe	109
PID 3756 wrote to memory of 516	3756	{2C34E504-D023-42a8-858F-127913516A79}.exe	109
PID 3756 wrote to memory of 516	3756	{2C34E504-D023-42a8-858F-127913516A79}.exe	109
PID 3756 wrote to memory of 4536	3756	{2C34E504-D023-42a8-858F-127913516A79}.exe	110
PID 3756 wrote to memory of 4536	3756	{2C34E504-D023-42a8-858F-127913516A79}.exe	110
PID 3756 wrote to memory of 4536	3756	{2C34E504-D023-42a8-858F-127913516A79}.exe	110
PID 516 wrote to memory of 3532	516	{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}.exe	111
PID 516 wrote to memory of 3532	516	{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}.exe	111
PID 516 wrote to memory of 3532	516	{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}.exe	111
PID 516 wrote to memory of 3304	516	{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-06-14_6437dabae7d25257bb573a0b73c6042e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_6437dabae7d25257bb573a0b73c6042e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe
  C:\Windows\{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe
    C:\Windows\{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe
      C:\Windows\{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3860
    - - C:\Windows\{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe
        
        C:\Windows\{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Windows\{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe
        
        C:\Windows\{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe
        
        C:\Windows\{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe
        
        C:\Windows\{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\{67F5A5C2-0092-401d-A80A-497816CBD992}.exe
        
        C:\Windows\{67F5A5C2-0092-401d-A80A-497816CBD992}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\{2C34E504-D023-42a8-858F-127913516A79}.exe
        
        C:\Windows\{2C34E504-D023-42a8-858F-127913516A79}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}.exe
        
        C:\Windows\{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\{86B90E32-43B1-4e6a-8005-552048E8573B}.exe
        
        C:\Windows\{86B90E32-43B1-4e6a-8005-552048E8573B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
        
        C:\Windows\{B01FA3DE-880E-4397-AA54-6F51E63CEE6A}.exe
        
        C:\Windows\{B01FA3DE-880E-4397-AA54-6F51E63CEE6A}.exe
        13⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86B90~1.EXE > nul
        13⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD5AC~1.EXE > nul
        12⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C34E~1.EXE > nul
        11⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67F5A~1.EXE > nul
        10⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13BC4~1.EXE > nul
        9⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DDC9~1.EXE > nul
        8⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B124~1.EXE > nul
        7⤵
        
        PID:4240
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF1AA~1.EXE > nul
        6⤵
        
        PID:3720
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AE81~1.EXE > nul
        5⤵
        
        PID:1076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2AF68~1.EXE > nul
      4⤵
      PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3FBB1~1.EXE > nul
    3⤵
    PID:4384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13BC4D1A-6403-42d7-8689-6682834AA77A}.exe

Filesize
380KB

MD5
9da3ee1b94809ddddc26d679ff9c10a3

SHA1
f8d9fbbee03d806f26775cf79eefbbaf1a0cd6ba

SHA256
c8950b20355c8d0f59c04d0780a70bdd3c5ce18e6f1538514ccbe9ca7ddbab7c

SHA512
aded939b0affc07f14ad215bf2356f00257d3024d49fcfa104bb02d8c5f023f5c76f411598a5d577b60633a7cd16d07a3213e6b29dee07b24a03fab4d3593dba

Download Submit
C:\Windows\{1AE81D30-D5D9-4d97-851D-D01AE7009C21}.exe

Filesize
380KB

MD5
c3f4a8c814d61fd334f945147c8da90f

SHA1
0a80dc5516963f9ca09abeaebd73e3dd733142ce

SHA256
acfe2972acc200a7ac02ad27a6dd9dc792df0c542dd94f8ab14e26c7437e3e5e

SHA512
518e4c40190bec0b7fc9496ead2c42db5644ba8085a3dcf00883236c1cf52c965f967fa4b93d501652e72ae2420696ea751e1b532964cbfb0d8dd0c2ad51d5cf

Download Submit
C:\Windows\{2AF68271-1636-49ef-9788-EDE8D38D5A0D}.exe

Filesize
380KB

MD5
a484a0bf0abf2d48075db24e84b173d4

SHA1
a14c135edcbf498e321a78365b36bc2bbac45280

SHA256
ea64f7f18ff624113c871f3701bb159c3950e0a79bc8832d9725bd5b4224b696

SHA512
a857178683a59d67e750b223a9972f387c3aca0b914b72cfacae73cf1f3e55411945f2affb4d40f380bc53379090892e535cdd05b91777ad9f6eb6b17dc5e325

Download Submit
C:\Windows\{2C34E504-D023-42a8-858F-127913516A79}.exe

Filesize
380KB

MD5
8bcd7a57709f852bf82fd89728de233b

SHA1
fa74683ad3619f3190684050a00ca2a142e5f40a

SHA256
d6a6e8f11d5b652bc1946c9923feaca4e2c39db77cef6f3f607dab1a6f6473b9

SHA512
abfed178d75c969c309906eaa3017867485004c3e136bca2adde6db715ac382ab85e4359f6c7adfca0cd91f8350bb6d1bb51c142d9ce2e56a3445c8ab6e9ffe4

Download Submit
C:\Windows\{3FBB1BD7-3BB6-4ade-A208-C1FEC73FAFE5}.exe

Filesize
380KB

MD5
d88b2b15cf264801e11a1c6fdd23b879

SHA1
da0c45dbb4acfe23d55a48ed2f17d1d28b62e10d

SHA256
165b1f03592f33dc4866ccfaa618e196cd06b0d5d368190beb0e7e39d9375229

SHA512
aaa420fb3eb537ea6dbbd2dc89df55b3a9508bc998e690a2e1683f2dc7bb85fa06b45e4ee09c93202a84e07f811a8b26cdb0b96933b7517a24f72c1a91f7a357

Download Submit
C:\Windows\{67F5A5C2-0092-401d-A80A-497816CBD992}.exe

Filesize
380KB

MD5
7ad77980f6ca04a8ff2893283829b535

SHA1
69bfbdf02a85d3b325671bc56bff026f900b4c24

SHA256
8cea9fe0ccde6edd5b272d3fb52cf33499e6faab4755483f62339ac6b4db4005

SHA512
973bf1ce34950809c0011b12759a4c8adb4a99ba3f2c58195ea81749cb39fdd61bfc1ae5fbbbe8fb8850fa7260ecbef81cd65c61970868f144a86909b5e1a046

Download Submit
C:\Windows\{7B124B39-2131-42d2-88BD-06FCED4F48A9}.exe

Filesize
380KB

MD5
51ba9516bbc86498e8c4813597cf877c

SHA1
8cc3e1a7c52f2f432b16ed9fd86f4635667a0480

SHA256
1e378aa81c5eddb6421818dbfa34c0680a3bc9308c42e8a24748d028375998a6

SHA512
a35d7d66551b7aa7aebad4bf5e5b1fcc3bd34c893a9f8c1978869cb05a132d5a5d5640cc54cc0f47f4167866169c8b89941c8c11b1bc0eddc435a1a212ffaf9f

Download Submit
C:\Windows\{86B90E32-43B1-4e6a-8005-552048E8573B}.exe

Filesize
380KB

MD5
7b480e01c6ec479d6973e65e2e3aad4d

SHA1
64b465b654bbeafe78df7b14f046e5240b950af4

SHA256
490b5ed9a32324111d6030eacc4ae564f88cd08d14b82dd6ca4286040382a1f6

SHA512
8d069eb5e42a38c2aee6e00f4f3a38a2d47940cc32fd21b2f76ad18548b67f5a6256f6871f16700047632e4b6fa8f91bc05806831db2969d612d2bf6b15c5d63

Download Submit
C:\Windows\{8DDC9E4E-C239-472c-B6B7-F584BFA0716D}.exe

Filesize
380KB

MD5
c50bc8cceb051984796e882d8b44412e

SHA1
fd9b21406121c48f1b9f4accf261e3120faac3c6

SHA256
7042ce5572f1bebf4d34e2d5a30b4607528c7355b9c67ebf71e5521f7249667f

SHA512
777ae0962988926347ecc13cb6824669af650fe00571aebcec9a525246737456a51e6c75820e15f3d88c8bc8448937c40445984400f8669c8da8e639a94612b8

Download Submit
C:\Windows\{B01FA3DE-880E-4397-AA54-6F51E63CEE6A}.exe

Filesize
380KB

MD5
ae99b4aaa7209c81cc0934f2f38bbe5f

SHA1
e065efbae58b2378e122c236e22ba3b8de8f204d

SHA256
1137fa318ce9ca4291b4859898e25115f7e7a31ea2fedbbc3f1c381a72bb8337

SHA512
9503459369b3e7ca258c73b432760477ff8a330c26c77ad97751ab26f4831459b282362d8631ff34de4962f22d6cfa8d10305860f1e5a055cfef25c75508833a

Download Submit
C:\Windows\{DD5AC208-2B3C-4cf0-B270-FEFC9886AC9C}.exe

Filesize
380KB

MD5
7baaeddc8e72dfdb25477ddad0095f92

SHA1
4892e27d8f2651344573f7c32ca27d5bc291396e

SHA256
6a4d09c893fa185dd300a65365ed693249580b763fae448c2262bf590730e017

SHA512
4c03182dbfbe1bdab82f3c41cd44203167dd3516d4eb2face4a37ed0a42add01d1f6691f9b68bb3c0a14003dad1550e7fec8d5a080e229aa55a6233da3928b9b

Download Submit
C:\Windows\{EF1AAF8C-853C-4a59-B33D-246A3EB7F4EE}.exe

Filesize
380KB

MD5
fbbc652292d6b79ce1e77d5920cae92a

SHA1
5f672cf4f2d0f05ab8305ad3c7142fb9a3385432

SHA256
2f6e6c421f91fb8aef08c03d779c6b6ba667a597ef5905315aea080b4c28fdec

SHA512
634aaf5f542d28d4ab6e2be25a535188483aff4ae7abec45942db60ee27badf6bd1d24eca273e5cfb9f22a4a115721649dec107159f246e74b0d0879d0c0fd3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads