8ef99568f291bb4d20392339c9bc3ee35bac7a97515c2b650f08bb52a5990f41

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-17_3e0744a688806d0d62744b0cd6c1a3dd_goldeneye.exe
Size

344KB
MD5

3e0744a688806d0d62744b0cd6c1a3dd
SHA1

36d891e640e0ab1149359e58273c1a7f8c5291cd
SHA256

8ef99568f291bb4d20392339c9bc3ee35bac7a97515c2b650f08bb52a5990f41
SHA512

ad4420e6316d1702c3672434d8fdd724817c4665d5d0996f53b1676ba51747cfea8b14f8a96aea36dcd46698182d81182089175312bbcc0d6334f4d396c61759
SSDEEP

3072:mEGh0oLlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGxlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000d0000000006c1-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e6d8-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002293d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e6d8-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002293d-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e6d8-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002293d-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e6d8-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002293d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e6d8-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002293d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e6d8-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41679F2A-7F87-4352-98EE-10D00A7BCA5F}\stubpath = "C:\\Windows\\{41679F2A-7F87-4352-98EE-10D00A7BCA5F}.exe"	{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}\stubpath = "C:\\Windows\\{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe"	{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63948971-23BB-4576-A181-6BCFEC3C0F51}\stubpath = "C:\\Windows\\{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe"	{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F7A4B86-6139-4f1d-B164-6A620EAB5237}\stubpath = "C:\\Windows\\{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe"	{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1429B6CD-A494-49c7-B4EA-614BA9844D02}	{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2F8393A-4FA7-47e8-B13D-77D52902382A}\stubpath = "C:\\Windows\\{F2F8393A-4FA7-47e8-B13D-77D52902382A}.exe"	{41679F2A-7F87-4352-98EE-10D00A7BCA5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}	{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}\stubpath = "C:\\Windows\\{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe"	{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1429B6CD-A494-49c7-B4EA-614BA9844D02}\stubpath = "C:\\Windows\\{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe"	{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41679F2A-7F87-4352-98EE-10D00A7BCA5F}	{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}\stubpath = "C:\\Windows\\{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe"	{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}\stubpath = "C:\\Windows\\{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe"	{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2F8393A-4FA7-47e8-B13D-77D52902382A}	{41679F2A-7F87-4352-98EE-10D00A7BCA5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FB27B36-A66B-4c6e-B880-6B82D7795B11}	2024-06-17_3e0744a688806d0d62744b0cd6c1a3dd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FB27B36-A66B-4c6e-B880-6B82D7795B11}\stubpath = "C:\\Windows\\{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe"	2024-06-17_3e0744a688806d0d62744b0cd6c1a3dd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}	{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}	{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}	{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}	{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}\stubpath = "C:\\Windows\\{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}.exe"	{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}	{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63948971-23BB-4576-A181-6BCFEC3C0F51}	{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}\stubpath = "C:\\Windows\\{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe"	{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F7A4B86-6139-4f1d-B164-6A620EAB5237}	{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe

Executes dropped EXE 12 IoCs

pid	Process
4760	{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe
5112	{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe
5052	{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe
4348	{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe
1044	{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe
2496	{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe
3996	{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe
2196	{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe
1456	{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe
4952	{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}.exe
4428	{41679F2A-7F87-4352-98EE-10D00A7BCA5F}.exe
1576	{F2F8393A-4FA7-47e8-B13D-77D52902382A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe	{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe
File created	C:\Windows\{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe	2024-06-17_3e0744a688806d0d62744b0cd6c1a3dd_goldeneye.exe
File created	C:\Windows\{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe	{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe
File created	C:\Windows\{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe	{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe
File created	C:\Windows\{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe	{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe
File created	C:\Windows\{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe	{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe
File created	C:\Windows\{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}.exe	{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe
File created	C:\Windows\{41679F2A-7F87-4352-98EE-10D00A7BCA5F}.exe	{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}.exe
File created	C:\Windows\{F2F8393A-4FA7-47e8-B13D-77D52902382A}.exe	{41679F2A-7F87-4352-98EE-10D00A7BCA5F}.exe
File created	C:\Windows\{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe	{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe
File created	C:\Windows\{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe	{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe
File created	C:\Windows\{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe	{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2448	2024-06-17_3e0744a688806d0d62744b0cd6c1a3dd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4760	{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe
Token: SeIncBasePriorityPrivilege	5112	{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe
Token: SeIncBasePriorityPrivilege	5052	{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe
Token: SeIncBasePriorityPrivilege	4348	{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe
Token: SeIncBasePriorityPrivilege	1044	{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe
Token: SeIncBasePriorityPrivilege	2496	{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe
Token: SeIncBasePriorityPrivilege	3996	{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe
Token: SeIncBasePriorityPrivilege	2196	{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe
Token: SeIncBasePriorityPrivilege	1456	{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe
Token: SeIncBasePriorityPrivilege	4952	{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}.exe
Token: SeIncBasePriorityPrivilege	4428	{41679F2A-7F87-4352-98EE-10D00A7BCA5F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 4760	2448	2024-06-17_3e0744a688806d0d62744b0cd6c1a3dd_goldeneye.exe	84
PID 2448 wrote to memory of 4760	2448	2024-06-17_3e0744a688806d0d62744b0cd6c1a3dd_goldeneye.exe	84
PID 2448 wrote to memory of 4760	2448	2024-06-17_3e0744a688806d0d62744b0cd6c1a3dd_goldeneye.exe	84
PID 2448 wrote to memory of 2764	2448	2024-06-17_3e0744a688806d0d62744b0cd6c1a3dd_goldeneye.exe	85
PID 2448 wrote to memory of 2764	2448	2024-06-17_3e0744a688806d0d62744b0cd6c1a3dd_goldeneye.exe	85
PID 2448 wrote to memory of 2764	2448	2024-06-17_3e0744a688806d0d62744b0cd6c1a3dd_goldeneye.exe	85
PID 4760 wrote to memory of 5112	4760	{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe	86
PID 4760 wrote to memory of 5112	4760	{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe	86
PID 4760 wrote to memory of 5112	4760	{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe	86
PID 4760 wrote to memory of 4960	4760	{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe	87
PID 4760 wrote to memory of 4960	4760	{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe	87
PID 4760 wrote to memory of 4960	4760	{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe	87
PID 5112 wrote to memory of 5052	5112	{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe	91
PID 5112 wrote to memory of 5052	5112	{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe	91
PID 5112 wrote to memory of 5052	5112	{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe	91
PID 5112 wrote to memory of 3240	5112	{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe	92
PID 5112 wrote to memory of 3240	5112	{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe	92
PID 5112 wrote to memory of 3240	5112	{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe	92
PID 5052 wrote to memory of 4348	5052	{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe	93
PID 5052 wrote to memory of 4348	5052	{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe	93
PID 5052 wrote to memory of 4348	5052	{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe	93
PID 5052 wrote to memory of 1440	5052	{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe	94
PID 5052 wrote to memory of 1440	5052	{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe	94
PID 5052 wrote to memory of 1440	5052	{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe	94
PID 4348 wrote to memory of 1044	4348	{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe	95
PID 4348 wrote to memory of 1044	4348	{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe	95
PID 4348 wrote to memory of 1044	4348	{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe	95
PID 4348 wrote to memory of 528	4348	{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe	96
PID 4348 wrote to memory of 528	4348	{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe	96
PID 4348 wrote to memory of 528	4348	{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe	96
PID 1044 wrote to memory of 2496	1044	{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe	97
PID 1044 wrote to memory of 2496	1044	{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe	97
PID 1044 wrote to memory of 2496	1044	{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe	97
PID 1044 wrote to memory of 732	1044	{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe	98
PID 1044 wrote to memory of 732	1044	{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe	98
PID 1044 wrote to memory of 732	1044	{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe	98
PID 2496 wrote to memory of 3996	2496	{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe	99
PID 2496 wrote to memory of 3996	2496	{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe	99
PID 2496 wrote to memory of 3996	2496	{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe	99
PID 2496 wrote to memory of 1704	2496	{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe	100
PID 2496 wrote to memory of 1704	2496	{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe	100
PID 2496 wrote to memory of 1704	2496	{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe	100
PID 3996 wrote to memory of 2196	3996	{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe	101
PID 3996 wrote to memory of 2196	3996	{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe	101
PID 3996 wrote to memory of 2196	3996	{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe	101
PID 3996 wrote to memory of 4036	3996	{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe	102
PID 3996 wrote to memory of 4036	3996	{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe	102
PID 3996 wrote to memory of 4036	3996	{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe	102
PID 2196 wrote to memory of 1456	2196	{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe	103
PID 2196 wrote to memory of 1456	2196	{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe	103
PID 2196 wrote to memory of 1456	2196	{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe	103
PID 2196 wrote to memory of 3056	2196	{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe	104
PID 2196 wrote to memory of 3056	2196	{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe	104
PID 2196 wrote to memory of 3056	2196	{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe	104
PID 1456 wrote to memory of 4952	1456	{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe	105
PID 1456 wrote to memory of 4952	1456	{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe	105
PID 1456 wrote to memory of 4952	1456	{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe	105
PID 1456 wrote to memory of 5044	1456	{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe	106
PID 1456 wrote to memory of 5044	1456	{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe	106
PID 1456 wrote to memory of 5044	1456	{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe	106
PID 4952 wrote to memory of 4428	4952	{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}.exe	107
PID 4952 wrote to memory of 4428	4952	{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}.exe	107
PID 4952 wrote to memory of 4428	4952	{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}.exe	107
PID 4952 wrote to memory of 4640	4952	{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-06-17_3e0744a688806d0d62744b0cd6c1a3dd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-17_3e0744a688806d0d62744b0cd6c1a3dd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe
  C:\Windows\{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe
    C:\Windows\{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe
      C:\Windows\{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Windows\{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe
        
        C:\Windows\{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Windows\{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe
        
        C:\Windows\{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe
        
        C:\Windows\{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe
        
        C:\Windows\{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe
        
        C:\Windows\{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe
        
        C:\Windows\{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}.exe
        
        C:\Windows\{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\{41679F2A-7F87-4352-98EE-10D00A7BCA5F}.exe
        
        C:\Windows\{41679F2A-7F87-4352-98EE-10D00A7BCA5F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
        
        C:\Windows\{F2F8393A-4FA7-47e8-B13D-77D52902382A}.exe
        
        C:\Windows\{F2F8393A-4FA7-47e8-B13D-77D52902382A}.exe
        13⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41679~1.EXE > nul
        13⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69C2D~1.EXE > nul
        12⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1429B~1.EXE > nul
        11⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25B9E~1.EXE > nul
        10⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F7A4~1.EXE > nul
        9⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1AB3~1.EXE > nul
        8⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63948~1.EXE > nul
        7⤵
        
        PID:732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B787~1.EXE > nul
        6⤵
        
        PID:528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11A0C~1.EXE > nul
        5⤵
        
        PID:1440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{634FE~1.EXE > nul
      4⤵
      PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6FB27~1.EXE > nul
    3⤵
    PID:4960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11A0CA6F-2024-4ba6-8ECE-E665E6C6D7DE}.exe

Filesize
344KB

MD5
c27dc554e9f69704ab61bcbc41d3b8f5

SHA1
5e1c625bae59c557bf2a7dadebfab005105e0a03

SHA256
f17405f55e609d0cb10c1b0fc639325256c87d07a7be8149eb5a1b9250f9c2ab

SHA512
f8706084cebb25959798c9d5cc5a3317e2fb5da9244636560e57afa5d218ba0038533e0ca11d6749a746b45fa95566c5b8a1616eb89cdc49fe47d7b87b9f365c

Download Submit
C:\Windows\{1429B6CD-A494-49c7-B4EA-614BA9844D02}.exe

Filesize
344KB

MD5
df7f418c997213c6dd4b6334c45e7347

SHA1
35b9ed9ee84c4846860652674a721950ca1fefb1

SHA256
3525cb0d5e2eb3f0621c81e86784d47dde712350540888856978b1bd1fc1221f

SHA512
00b0310a35abfaaf5594ac6670267449dbcffe2cd0fc4dac8558c5ba06b18dfe3c928c3b1c709ad91d22cc00e541f808cfe8fd8e873dc7c47470d0646a1a7f19

Download Submit
C:\Windows\{25B9E8A2-923A-4c75-B3C4-9A4BFCD2CB54}.exe

Filesize
344KB

MD5
d58e73e87816602219ba873bc4131bd5

SHA1
d231a39759f5326ff0d739b6f26b1443d85e25ee

SHA256
cf892488d63023edc0bf0240a381ef56b369c99be9fca263e8be918b5efe2442

SHA512
36576501d6b17dc203970ee680b1259a7dfc1ab93aa6dd84186f37dce0238957cae96aeb97602c580b93a2fd51ed1bdf0098238327dd63557ab3a57299dc8634

Download Submit
C:\Windows\{41679F2A-7F87-4352-98EE-10D00A7BCA5F}.exe

Filesize
344KB

MD5
795ba51b69ad5fa3f1be0782a7c84e3c

SHA1
4404a3955819111c569fa198354d9af61c8a84db

SHA256
de6c1be759eee1ae40be7a948669b879c78f6770105dfdc589a006eab77a407d

SHA512
f1806b5f0ca38b8fea5fcec563824de59bd6ed0c6956c030f150587477cfbbe9472f47ed6a4b0196530d5056feef9fe108cb9593473d29afbb107a6e33f62d15

Download Submit
C:\Windows\{634FE9F3-E8B4-44f8-9F88-C0675DB959F9}.exe

Filesize
344KB

MD5
a704f61eef26694ef108c1f818cabdbd

SHA1
474c1a200bd6cd7cab0cb87751264f83d56c4dbb

SHA256
f6b18e494bd7619c565e96c48097ed46fae1c4fb19682005bb070de35dc3eb00

SHA512
46936f86ddbfabc2078b4a2827fb32acf83c506cbba5f3f7a1095704e3122462543405495114bb4c70d29741b1f9f68e133883a927e5c85c38b0aedda003d49c

Download Submit
C:\Windows\{63948971-23BB-4576-A181-6BCFEC3C0F51}.exe

Filesize
344KB

MD5
aefec9709ccfe9c6961a682c82ec6503

SHA1
dd4e005c0d312b85ad33eacb9bc77224f3bc8d9b

SHA256
48fa114620822fd06deb5ab5f8bf56bafdf03cfa76cf8fa5f9158da03beb92cc

SHA512
ab4934aa5ed69a842043a879718d76726f2c7c0f5761b9dabee3c450a545fdd26b3e509da34aa24c17917489a4c6d8a0cba4a66aeaeac21e25002c53ff3bcaa2

Download Submit
C:\Windows\{69C2DC02-0CC1-4cb5-96D1-C8A2DA78BD6D}.exe

Filesize
344KB

MD5
2e2e18fb1270a8c9eed62f6483e0e7b7

SHA1
c8c26a4227701b4653d931633eb1025d48b04e2a

SHA256
451f1fecc4b6b35fcd8e2679a33a1612ee820004b3b5e54a6d2d07411b39f911

SHA512
b559a1b5953a069e2a2bff0c546501b08fcb8ce616379c13b1614074579f158b864c9047a8b6fbc30fb8c3c5642fd3b6807bb741ff4f06f41123763dfbcb6bc7

Download Submit
C:\Windows\{6B7872D5-E1BE-40cc-9051-B0DE1E33E5DE}.exe

Filesize
344KB

MD5
a01a3d255758feec3094af47abb5e4ec

SHA1
9897b70ed6a0c02b04ba84618e9c9b0f690fec2e

SHA256
3c62923910ac19b9dee0f793f24c50fe39ffe4a8f10305711b821917df55b563

SHA512
81971358feecb01eb747d0db1397b66f53f9e79051cca2f86bf2891c0ddb29c641a45844b4a607bd265e565e3f096b6333ef92f16581b60eac7a3e83061f2d10

Download Submit
C:\Windows\{6FB27B36-A66B-4c6e-B880-6B82D7795B11}.exe

Filesize
344KB

MD5
11ce799716e1fad5c2c303b8824e9f27

SHA1
0668ccb66b34f3d06d443f3b264d25bef5c55765

SHA256
418aa6306227966e906c665c251ae5c74b88b312b91718b064608b02ccf2f6ee

SHA512
b0868baf083293ab2a68cf7b6b59d50141d8e4493043d5c0a95267d5ea58c30adbdb1eb5d7ea0e82cdfbfae956b702b4e0008b71ddd38647f48d3466a1bd89d8

Download Submit
C:\Windows\{9F7A4B86-6139-4f1d-B164-6A620EAB5237}.exe

Filesize
344KB

MD5
63dcb39bdd634d41336f841cc695adf9

SHA1
6de70250f81adf898c33b13c138cb62a31556ec4

SHA256
1a7339b94d3a444e62c267b1040f2892c05bd41973d938ff998c4314428b4bc1

SHA512
640d0f1c3fc63a2dedc6a42279a44dd1a3381aab2434c6f7c403a7fd03b4b3cd2dc62f2d29d15e0a1e1fd581521997bed7c22091219275552b594c995a52db77

Download Submit
C:\Windows\{C1AB3340-01ED-4a9e-9A6B-CC88CEBEC3E1}.exe

Filesize
344KB

MD5
c964bbab2a393ad6976e4e58e21297ad

SHA1
af0db4fcc15a65bdb39baacc42172fe667f81844

SHA256
0a7b121203a33d4cb6b106cfbefc22fbd180bce98bb1ef2568199dff1e0a5e48

SHA512
3906b50a5b827341e92254178eb4cd6661b117b9017693920a8cc29b972ed64b660046403e2e8df5638e14ddbfdfbe17df751dc87f5ffcf4d6d6fba8cb17ffa1

Download Submit
C:\Windows\{F2F8393A-4FA7-47e8-B13D-77D52902382A}.exe

Filesize
344KB

MD5
4c638064cf5a3a7164cd38d44aff1527

SHA1
f28fcf4950ef97380a5552d81864efc95f2a7e6b

SHA256
f70e9eaf2479d4244fda6e9ed76ac93d6323d09c03d852ce6fcfa65cd686b2a4

SHA512
8c17364a4485ba21edcdaa03d73e3ace10ae13d8110f8f770e3cc71eaa9f4066555100e1faa4c94afe46385451b92ca773d866a2b8bf8f74053df51a59d2ad86

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads