a6bc704a2097160cca4ec3d5e71e22afccca9ed47e57d5e789248dc5ac2dcf3f

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe
Size

344KB
MD5

227d7b377cff96068fbb75ee0c57b572
SHA1

a5d1142c3b040452a796057988829216613f7b7a
SHA256

a6bc704a2097160cca4ec3d5e71e22afccca9ed47e57d5e789248dc5ac2dcf3f
SHA512

5402b1e324f3c7d4ee99720c6fdea35d4a9ef0507e2a1d7c556eac8f519cc8dec85b88d84b0db9acc7b19903cf0539d30139b835bf1facffa3129bfcf4df2b0a
SSDEEP

3072:mEGh0oHlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGplqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023590-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023583-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000234e4-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023583-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000234e4-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0015000000023583-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000234e4-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000234e9-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000234e4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000234e9-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000234e4-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000234e5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79382042-2B92-4763-8031-BDA9AF4B52BB}\stubpath = "C:\\Windows\\{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe"	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADA6F6DE-1A77-4891-BF34-594C265B9981}\stubpath = "C:\\Windows\\{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe"	{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}	{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3209906D-C898-4b64-9D62-6B11D63AE0B2}	{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B422D186-99EA-4559-8780-B7FE1F55E498}	{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7714D5D-D759-46d6-A191-9BA20DB4C17D}\stubpath = "C:\\Windows\\{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe"	{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}	{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}\stubpath = "C:\\Windows\\{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe"	{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0580FA00-8F69-473a-B3DC-6C2F62117ACE}\stubpath = "C:\\Windows\\{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe"	{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}	{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3209906D-C898-4b64-9D62-6B11D63AE0B2}\stubpath = "C:\\Windows\\{3209906D-C898-4b64-9D62-6B11D63AE0B2}.exe"	{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}	{B422D186-99EA-4559-8780-B7FE1F55E498}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7714D5D-D759-46d6-A191-9BA20DB4C17D}	{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0580FA00-8F69-473a-B3DC-6C2F62117ACE}	{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{035175FF-DABF-4cf6-9A42-AE8E696F915F}	{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{035175FF-DABF-4cf6-9A42-AE8E696F915F}\stubpath = "C:\\Windows\\{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe"	{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}\stubpath = "C:\\Windows\\{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe"	{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}\stubpath = "C:\\Windows\\{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}.exe"	{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB054C35-CC47-40b4-BE88-D4F1E3401155}\stubpath = "C:\\Windows\\{FB054C35-CC47-40b4-BE88-D4F1E3401155}.exe"	{3209906D-C898-4b64-9D62-6B11D63AE0B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79382042-2B92-4763-8031-BDA9AF4B52BB}	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B422D186-99EA-4559-8780-B7FE1F55E498}\stubpath = "C:\\Windows\\{B422D186-99EA-4559-8780-B7FE1F55E498}.exe"	{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}\stubpath = "C:\\Windows\\{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe"	{B422D186-99EA-4559-8780-B7FE1F55E498}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADA6F6DE-1A77-4891-BF34-594C265B9981}	{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB054C35-CC47-40b4-BE88-D4F1E3401155}	{3209906D-C898-4b64-9D62-6B11D63AE0B2}.exe

Executes dropped EXE 12 IoCs

pid	Process
3760	{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe
5084	{B422D186-99EA-4559-8780-B7FE1F55E498}.exe
4164	{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe
5076	{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe
2824	{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe
1948	{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe
3764	{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe
3944	{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe
3852	{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe
628	{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}.exe
1984	{3209906D-C898-4b64-9D62-6B11D63AE0B2}.exe
3432	{FB054C35-CC47-40b4-BE88-D4F1E3401155}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe	{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe
File created	C:\Windows\{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe	{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe
File created	C:\Windows\{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe	{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe
File created	C:\Windows\{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}.exe	{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe
File created	C:\Windows\{3209906D-C898-4b64-9D62-6B11D63AE0B2}.exe	{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}.exe
File created	C:\Windows\{FB054C35-CC47-40b4-BE88-D4F1E3401155}.exe	{3209906D-C898-4b64-9D62-6B11D63AE0B2}.exe
File created	C:\Windows\{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe
File created	C:\Windows\{B422D186-99EA-4559-8780-B7FE1F55E498}.exe	{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe
File created	C:\Windows\{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe	{B422D186-99EA-4559-8780-B7FE1F55E498}.exe
File created	C:\Windows\{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe	{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe
File created	C:\Windows\{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe	{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe
File created	C:\Windows\{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe	{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3224	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3760	{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe
Token: SeIncBasePriorityPrivilege	5084	{B422D186-99EA-4559-8780-B7FE1F55E498}.exe
Token: SeIncBasePriorityPrivilege	4164	{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe
Token: SeIncBasePriorityPrivilege	5076	{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe
Token: SeIncBasePriorityPrivilege	2824	{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe
Token: SeIncBasePriorityPrivilege	1948	{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe
Token: SeIncBasePriorityPrivilege	3764	{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe
Token: SeIncBasePriorityPrivilege	3944	{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe
Token: SeIncBasePriorityPrivilege	3852	{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe
Token: SeIncBasePriorityPrivilege	628	{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}.exe
Token: SeIncBasePriorityPrivilege	1984	{3209906D-C898-4b64-9D62-6B11D63AE0B2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 3760	3224	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe	93
PID 3224 wrote to memory of 3760	3224	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe	93
PID 3224 wrote to memory of 3760	3224	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe	93
PID 3224 wrote to memory of 3368	3224	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe	94
PID 3224 wrote to memory of 3368	3224	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe	94
PID 3224 wrote to memory of 3368	3224	2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe	94
PID 3760 wrote to memory of 5084	3760	{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe	95
PID 3760 wrote to memory of 5084	3760	{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe	95
PID 3760 wrote to memory of 5084	3760	{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe	95
PID 3760 wrote to memory of 2732	3760	{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe	96
PID 3760 wrote to memory of 2732	3760	{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe	96
PID 3760 wrote to memory of 2732	3760	{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe	96
PID 5084 wrote to memory of 4164	5084	{B422D186-99EA-4559-8780-B7FE1F55E498}.exe	100
PID 5084 wrote to memory of 4164	5084	{B422D186-99EA-4559-8780-B7FE1F55E498}.exe	100
PID 5084 wrote to memory of 4164	5084	{B422D186-99EA-4559-8780-B7FE1F55E498}.exe	100
PID 5084 wrote to memory of 452	5084	{B422D186-99EA-4559-8780-B7FE1F55E498}.exe	101
PID 5084 wrote to memory of 452	5084	{B422D186-99EA-4559-8780-B7FE1F55E498}.exe	101
PID 5084 wrote to memory of 452	5084	{B422D186-99EA-4559-8780-B7FE1F55E498}.exe	101
PID 4164 wrote to memory of 5076	4164	{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe	102
PID 4164 wrote to memory of 5076	4164	{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe	102
PID 4164 wrote to memory of 5076	4164	{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe	102
PID 4164 wrote to memory of 2616	4164	{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe	103
PID 4164 wrote to memory of 2616	4164	{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe	103
PID 4164 wrote to memory of 2616	4164	{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe	103
PID 5076 wrote to memory of 2824	5076	{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe	104
PID 5076 wrote to memory of 2824	5076	{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe	104
PID 5076 wrote to memory of 2824	5076	{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe	104
PID 5076 wrote to memory of 1864	5076	{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe	105
PID 5076 wrote to memory of 1864	5076	{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe	105
PID 5076 wrote to memory of 1864	5076	{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe	105
PID 2824 wrote to memory of 1948	2824	{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe	107
PID 2824 wrote to memory of 1948	2824	{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe	107
PID 2824 wrote to memory of 1948	2824	{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe	107
PID 2824 wrote to memory of 3048	2824	{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe	108
PID 2824 wrote to memory of 3048	2824	{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe	108
PID 2824 wrote to memory of 3048	2824	{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe	108
PID 1948 wrote to memory of 3764	1948	{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe	109
PID 1948 wrote to memory of 3764	1948	{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe	109
PID 1948 wrote to memory of 3764	1948	{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe	109
PID 1948 wrote to memory of 1368	1948	{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe	110
PID 1948 wrote to memory of 1368	1948	{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe	110
PID 1948 wrote to memory of 1368	1948	{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe	110
PID 3764 wrote to memory of 3944	3764	{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe	118
PID 3764 wrote to memory of 3944	3764	{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe	118
PID 3764 wrote to memory of 3944	3764	{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe	118
PID 3764 wrote to memory of 5084	3764	{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe	119
PID 3764 wrote to memory of 5084	3764	{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe	119
PID 3764 wrote to memory of 5084	3764	{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe	119
PID 3944 wrote to memory of 3852	3944	{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe	120
PID 3944 wrote to memory of 3852	3944	{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe	120
PID 3944 wrote to memory of 3852	3944	{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe	120
PID 3944 wrote to memory of 3756	3944	{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe	121
PID 3944 wrote to memory of 3756	3944	{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe	121
PID 3944 wrote to memory of 3756	3944	{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe	121
PID 3852 wrote to memory of 628	3852	{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe	122
PID 3852 wrote to memory of 628	3852	{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe	122
PID 3852 wrote to memory of 628	3852	{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe	122
PID 3852 wrote to memory of 4520	3852	{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe	123
PID 3852 wrote to memory of 4520	3852	{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe	123
PID 3852 wrote to memory of 4520	3852	{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe	123
PID 628 wrote to memory of 1984	628	{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}.exe	124
PID 628 wrote to memory of 1984	628	{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}.exe	124
PID 628 wrote to memory of 1984	628	{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}.exe	124
PID 628 wrote to memory of 3588	628	{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe
  C:\Windows\{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\{B422D186-99EA-4559-8780-B7FE1F55E498}.exe
    C:\Windows\{B422D186-99EA-4559-8780-B7FE1F55E498}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe
      C:\Windows\{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4164
    - - C:\Windows\{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe
        
        C:\Windows\{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5076
      - C:\Windows\{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe
        
        C:\Windows\{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe
        
        C:\Windows\{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe
        
        C:\Windows\{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe
        
        C:\Windows\{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe
        
        C:\Windows\{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}.exe
        
        C:\Windows\{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\{3209906D-C898-4b64-9D62-6B11D63AE0B2}.exe
        
        C:\Windows\{3209906D-C898-4b64-9D62-6B11D63AE0B2}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\{FB054C35-CC47-40b4-BE88-D4F1E3401155}.exe
        
        C:\Windows\{FB054C35-CC47-40b4-BE88-D4F1E3401155}.exe
        13⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32099~1.EXE > nul
        13⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BAF0~1.EXE > nul
        12⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98A69~1.EXE > nul
        11⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADA6F~1.EXE > nul
        10⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03517~1.EXE > nul
        9⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0580F~1.EXE > nul
        8⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15A5D~1.EXE > nul
        7⤵
        
        PID:3048
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7714~1.EXE > nul
        6⤵
        
        PID:1864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5D2B~1.EXE > nul
        5⤵
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B422D~1.EXE > nul
      4⤵
      PID:452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{79382~1.EXE > nul
    3⤵
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{035175FF-DABF-4cf6-9A42-AE8E696F915F}.exe

Filesize
344KB

MD5
90252013a8b3d5355eca2ecaa814aea0

SHA1
a5be17544e152dccbd38129cea7b50087781420c

SHA256
2a039cf25eb7847e65c153e07e5578090d8ea3d2ef46d8ea5065c63ab1df940e

SHA512
a0d634a949f4f88b31e436a478707098505f39be49367b65e8a2297511f3dea737025fb4e26d8bebe423aa34101497a71202cdeed4bb702defc4bedd9bcb8a70

Download Submit
C:\Windows\{0580FA00-8F69-473a-B3DC-6C2F62117ACE}.exe

Filesize
344KB

MD5
29f72eea741f3abf593f662510447a25

SHA1
efcc8bf22d21e9a4434726684b730b63828b8f4c

SHA256
f8b95e99a57ec6b7732c44b14937cab52fb1a88fc1905e3c8616290d9e912495

SHA512
4abd660d86047fdc7ebdb4b7d3167aa7eebfb9d4e899d5a795bbb223f78f5769f05987de9352a97380a8692a982e6b014933ae5314fdc7b7fe5e2a7b994e4fcf

Download Submit
C:\Windows\{0BAF0C52-1241-4fa6-98DE-0AB505AC72A6}.exe

Filesize
344KB

MD5
273957077792863aa2f9d0ea01a85bb7

SHA1
d56d8d896a8641bb5d18e8119f78089f059d189c

SHA256
ed7249c4af4dfdd6f2f5618bbce6c346c5e1b29d110deae7ae67622752cfd3de

SHA512
e6d42711bc1a06bc1651ae2b81d8063f114614ea3562b38243a78af860ea13086dbe40488f61cfe636a5bd09593d7834c85a26920da70192231c19f7e6b74953

Download Submit
C:\Windows\{15A5D5F7-98F5-4939-87A6-D13D5A1BF1F5}.exe

Filesize
344KB

MD5
7d9955057f5e04879b9fb3f7ae6f497c

SHA1
8c3b67bed6bf9fbae599fd824a76241639122241

SHA256
c3a00322030c265e96dec4d751b8ca1239a42cdff20f0c0d7fe1f42befac8e23

SHA512
f3b343ca15650945fc1e09256eb9c71d08500c83d67d378d38c1c04bdbe94ef6b039e9112008f2532b3465760b45fcd1a4ebbe9700ad788d23542d614556bb6d

Download Submit
C:\Windows\{3209906D-C898-4b64-9D62-6B11D63AE0B2}.exe

Filesize
344KB

MD5
98d4140772d6c2eefd5964a9997af017

SHA1
24bf5e53b14085ee6ec3b45dfff764c8705fafe4

SHA256
d3cc4d9e6e7fbb5b4e65ebdd11267b0f5b41747f72dd4a5300aeb8205ce57b6b

SHA512
4efe342d847cc9ba86e3811076a7171cbf1d2974fbbe1c7a848e38298e39b791eec8169b0ad047d4e699b24ac22de206c97604594d8251ec5607fae769f83091

Download Submit
C:\Windows\{79382042-2B92-4763-8031-BDA9AF4B52BB}.exe

Filesize
344KB

MD5
cf7a6c206166e5ad7258b8aeb8428d4e

SHA1
9ab41f7bdd4584ff90b04046c73f436419bcadb0

SHA256
71e1337e368c561b5520053faeaf9623b267dcdf776e3a0ed40ecdbd252973ea

SHA512
9a08c6d1ed798b46a4f5ac54efd42fe557e903b8fcbc9cfcd414cccfb2214f59b3882097e927e00295c48b678667e250d1023b2204de654324d4115a10099eb8

Download Submit
C:\Windows\{98A69B7A-C7B3-4dac-BCC6-2432F5B79FC0}.exe

Filesize
344KB

MD5
6e5d450253735abc83c44cb05b2ebb43

SHA1
57761c78c29628f1d3acf95df93fd1cd564ed780

SHA256
58231f850a085af62ce14316545182e068d54f87588158e794aafb10df011084

SHA512
195ff746e6651853ebe04154f39784aef5a78349af1fedbae9f70fdfd4cc453023b961cd6b3ef0d931803a754e08f5552c0c2848103b2e4913fb4eca06cf2b58

Download Submit
C:\Windows\{ADA6F6DE-1A77-4891-BF34-594C265B9981}.exe

Filesize
344KB

MD5
9829b340998673a9ab1994e2e289cb6e

SHA1
8029ab9a4fbd405c5258f73711f15f425fd1309a

SHA256
c40800ff22688bcf753f251010fb3a71587706f1b829ca04249334fb83e73c9a

SHA512
6b7dc4773911318fe87113726ed2681901a652218f7ea045ec5d368e04014fadd26cda8e5291597dda29d3d9f1c50ec45b502c245f78a82ca3185294d8b78976

Download Submit
C:\Windows\{B422D186-99EA-4559-8780-B7FE1F55E498}.exe

Filesize
344KB

MD5
e8f5d66c8e9f9af0009872096aecd3e9

SHA1
b75af1b86e14180e776cf7741e1b8110757930e4

SHA256
ed9e2946f446f540171249e80a7d3c8c7aa8a43c2bfb5219a94ba93178d6497a

SHA512
bdf5130663a50b1e76467a234058a4ab46fadc654b98eb5405fe1cd43fee0fadd0e763a5eb13d4190ea62b3403227a1099b0db46d7f0dc9a47f8e5deb32abcd0

Download Submit
C:\Windows\{B5D2B462-6616-4b0a-9CE1-EC876FA314FE}.exe

Filesize
344KB

MD5
f29bda0b83010f383d60d5fdaa347360

SHA1
286897f8db43c9a9a77b38ba0e887f93f44f1e48

SHA256
26f2c7141a82c8aa3b327647eabe32cb7db497aa3b947073bf66a7f7711dec64

SHA512
1e03f36db6ce4aab1e2419efeef546f3354f5a777dc2ab74910cb9cc325483e8e0941b92e89329fb7b945dd9e14643557d8cdc70de65cde7c09c5acf90053762

Download Submit
C:\Windows\{F7714D5D-D759-46d6-A191-9BA20DB4C17D}.exe

Filesize
344KB

MD5
59ddaa8aa7ba8b9fe8247c219dc096fd

SHA1
9430c3d8d4b2780beb53a929f003c174b3873c9c

SHA256
75e344c85352111e19bb5d45d65082ae0a6e18f1a95d2e7d9e7865b2b255d6d9

SHA512
b2fa6fd06c0a7c6d8aa49f91326b2cd53d067fea10af669bf39f26f5df7c6410f8978190f7beef02852e280e9d5066c17754d3550efdf6dfcdc283bc7506d429

Download Submit
C:\Windows\{FB054C35-CC47-40b4-BE88-D4F1E3401155}.exe

Filesize
344KB

MD5
b62b356ce4c2b34528fde39d4e940ba8

SHA1
8cb884079cde8ed0227082887b7804d8ce24185e

SHA256
4c86c03cf6e8638836145f7d4d6390cf22f032e83845c6a79fe70a785b5b055c

SHA512
35c4688d6bae3085e58fb2dd1519c3702a6d9d5f642a335fec5137ee9b044c38257cdcd35b395a3cde5f2449deaf9808d3bf4e8e1761aa62851e65332721c93d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads