cea67938829e30a8f5a7ed3edf6ee027760b6627af5c79221e1d4f797df0f955

Analysis

max time kernel
149s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe
Size

372KB
MD5

cb0dca067253ba56502d1f95e5bc1c50
SHA1

9d6d9a133eabcb5b69615bb2b8106e042c3edc84
SHA256

cea67938829e30a8f5a7ed3edf6ee027760b6627af5c79221e1d4f797df0f955
SHA512

2ecdbe7752c2c526d3df705517081217ec642593f125d37f1145001d95afec1ed9cf4a9150d56d58987748c32f94908a217e2a0727696957543c8771abe5df09
SSDEEP

3072:CEGh0oWlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG0lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233bb-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233bc-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233c0-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233c3-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233ca-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233c3-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233ca-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233c3-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233ca-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233c3-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233ca-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000031-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2127006A-F496-44a6-8C2C-696E44D98A89}\stubpath = "C:\\Windows\\{2127006A-F496-44a6-8C2C-696E44D98A89}.exe"	{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4109F97A-C7AC-4c81-AB34-99CBECE2771C}\stubpath = "C:\\Windows\\{4109F97A-C7AC-4c81-AB34-99CBECE2771C}.exe"	{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EA9F3F5-9787-4361-B855-5EC2DA35D278}	{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7197BBF-DE0E-4120-B441-2091C68A69EE}	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7197BBF-DE0E-4120-B441-2091C68A69EE}\stubpath = "C:\\Windows\\{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe"	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}	{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}	{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}\stubpath = "C:\\Windows\\{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe"	{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2127006A-F496-44a6-8C2C-696E44D98A89}	{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}\stubpath = "C:\\Windows\\{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe"	{2127006A-F496-44a6-8C2C-696E44D98A89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68632B6D-A487-4b6b-B62D-A7BE977811F4}	{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6292286E-38E8-4eeb-ADF3-843F6D1354B5}	{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}\stubpath = "C:\\Windows\\{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe"	{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4109F97A-C7AC-4c81-AB34-99CBECE2771C}	{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09E54FDE-470F-4579-8F4C-86792E2DC945}	{4109F97A-C7AC-4c81-AB34-99CBECE2771C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}\stubpath = "C:\\Windows\\{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe"	{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EA9F3F5-9787-4361-B855-5EC2DA35D278}\stubpath = "C:\\Windows\\{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe"	{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6292286E-38E8-4eeb-ADF3-843F6D1354B5}\stubpath = "C:\\Windows\\{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe"	{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}	{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}	{2127006A-F496-44a6-8C2C-696E44D98A89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68632B6D-A487-4b6b-B62D-A7BE977811F4}\stubpath = "C:\\Windows\\{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe"	{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09E54FDE-470F-4579-8F4C-86792E2DC945}\stubpath = "C:\\Windows\\{09E54FDE-470F-4579-8F4C-86792E2DC945}.exe"	{4109F97A-C7AC-4c81-AB34-99CBECE2771C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60987436-F8B7-47fa-9B89-65BD5EF82AA1}	{09E54FDE-470F-4579-8F4C-86792E2DC945}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60987436-F8B7-47fa-9B89-65BD5EF82AA1}\stubpath = "C:\\Windows\\{60987436-F8B7-47fa-9B89-65BD5EF82AA1}.exe"	{09E54FDE-470F-4579-8F4C-86792E2DC945}.exe

Executes dropped EXE 12 IoCs

pid	Process
3904	{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe
4472	{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe
3092	{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe
1596	{2127006A-F496-44a6-8C2C-696E44D98A89}.exe
4556	{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe
2848	{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe
436	{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe
2980	{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe
2984	{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe
4364	{4109F97A-C7AC-4c81-AB34-99CBECE2771C}.exe
4876	{09E54FDE-470F-4579-8F4C-86792E2DC945}.exe
4396	{60987436-F8B7-47fa-9B89-65BD5EF82AA1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2127006A-F496-44a6-8C2C-696E44D98A89}.exe	{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe
File created	C:\Windows\{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe	{2127006A-F496-44a6-8C2C-696E44D98A89}.exe
File created	C:\Windows\{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe	{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe
File created	C:\Windows\{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe	{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe
File created	C:\Windows\{4109F97A-C7AC-4c81-AB34-99CBECE2771C}.exe	{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe
File created	C:\Windows\{60987436-F8B7-47fa-9B89-65BD5EF82AA1}.exe	{09E54FDE-470F-4579-8F4C-86792E2DC945}.exe
File created	C:\Windows\{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe
File created	C:\Windows\{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe	{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe
File created	C:\Windows\{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe	{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe
File created	C:\Windows\{09E54FDE-470F-4579-8F4C-86792E2DC945}.exe	{4109F97A-C7AC-4c81-AB34-99CBECE2771C}.exe
File created	C:\Windows\{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe	{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe
File created	C:\Windows\{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe	{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	464	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3904	{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe
Token: SeIncBasePriorityPrivilege	4472	{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe
Token: SeIncBasePriorityPrivilege	3092	{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe
Token: SeIncBasePriorityPrivilege	1596	{2127006A-F496-44a6-8C2C-696E44D98A89}.exe
Token: SeIncBasePriorityPrivilege	4556	{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe
Token: SeIncBasePriorityPrivilege	2848	{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe
Token: SeIncBasePriorityPrivilege	436	{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe
Token: SeIncBasePriorityPrivilege	2980	{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe
Token: SeIncBasePriorityPrivilege	2984	{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe
Token: SeIncBasePriorityPrivilege	4364	{4109F97A-C7AC-4c81-AB34-99CBECE2771C}.exe
Token: SeIncBasePriorityPrivilege	4876	{09E54FDE-470F-4579-8F4C-86792E2DC945}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 3904	464	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe	81
PID 464 wrote to memory of 3904	464	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe	81
PID 464 wrote to memory of 3904	464	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe	81
PID 464 wrote to memory of 1440	464	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe	82
PID 464 wrote to memory of 1440	464	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe	82
PID 464 wrote to memory of 1440	464	2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe	82
PID 3904 wrote to memory of 4472	3904	{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe	83
PID 3904 wrote to memory of 4472	3904	{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe	83
PID 3904 wrote to memory of 4472	3904	{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe	83
PID 3904 wrote to memory of 1444	3904	{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe	84
PID 3904 wrote to memory of 1444	3904	{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe	84
PID 3904 wrote to memory of 1444	3904	{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe	84
PID 4472 wrote to memory of 3092	4472	{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe	87
PID 4472 wrote to memory of 3092	4472	{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe	87
PID 4472 wrote to memory of 3092	4472	{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe	87
PID 4472 wrote to memory of 752	4472	{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe	88
PID 4472 wrote to memory of 752	4472	{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe	88
PID 4472 wrote to memory of 752	4472	{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe	88
PID 3092 wrote to memory of 1596	3092	{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe	93
PID 3092 wrote to memory of 1596	3092	{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe	93
PID 3092 wrote to memory of 1596	3092	{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe	93
PID 3092 wrote to memory of 2220	3092	{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe	94
PID 3092 wrote to memory of 2220	3092	{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe	94
PID 3092 wrote to memory of 2220	3092	{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe	94
PID 1596 wrote to memory of 4556	1596	{2127006A-F496-44a6-8C2C-696E44D98A89}.exe	96
PID 1596 wrote to memory of 4556	1596	{2127006A-F496-44a6-8C2C-696E44D98A89}.exe	96
PID 1596 wrote to memory of 4556	1596	{2127006A-F496-44a6-8C2C-696E44D98A89}.exe	96
PID 1596 wrote to memory of 2928	1596	{2127006A-F496-44a6-8C2C-696E44D98A89}.exe	97
PID 1596 wrote to memory of 2928	1596	{2127006A-F496-44a6-8C2C-696E44D98A89}.exe	97
PID 1596 wrote to memory of 2928	1596	{2127006A-F496-44a6-8C2C-696E44D98A89}.exe	97
PID 4556 wrote to memory of 2848	4556	{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe	98
PID 4556 wrote to memory of 2848	4556	{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe	98
PID 4556 wrote to memory of 2848	4556	{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe	98
PID 4556 wrote to memory of 4720	4556	{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe	99
PID 4556 wrote to memory of 4720	4556	{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe	99
PID 4556 wrote to memory of 4720	4556	{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe	99
PID 2848 wrote to memory of 436	2848	{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe	100
PID 2848 wrote to memory of 436	2848	{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe	100
PID 2848 wrote to memory of 436	2848	{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe	100
PID 2848 wrote to memory of 1916	2848	{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe	101
PID 2848 wrote to memory of 1916	2848	{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe	101
PID 2848 wrote to memory of 1916	2848	{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe	101
PID 436 wrote to memory of 2980	436	{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe	102
PID 436 wrote to memory of 2980	436	{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe	102
PID 436 wrote to memory of 2980	436	{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe	102
PID 436 wrote to memory of 1484	436	{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe	103
PID 436 wrote to memory of 1484	436	{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe	103
PID 436 wrote to memory of 1484	436	{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe	103
PID 2980 wrote to memory of 2984	2980	{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe	104
PID 2980 wrote to memory of 2984	2980	{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe	104
PID 2980 wrote to memory of 2984	2980	{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe	104
PID 2980 wrote to memory of 3488	2980	{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe	105
PID 2980 wrote to memory of 3488	2980	{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe	105
PID 2980 wrote to memory of 3488	2980	{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe	105
PID 2984 wrote to memory of 4364	2984	{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe	106
PID 2984 wrote to memory of 4364	2984	{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe	106
PID 2984 wrote to memory of 4364	2984	{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe	106
PID 2984 wrote to memory of 4324	2984	{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe	107
PID 2984 wrote to memory of 4324	2984	{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe	107
PID 2984 wrote to memory of 4324	2984	{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe	107
PID 4364 wrote to memory of 4876	4364	{4109F97A-C7AC-4c81-AB34-99CBECE2771C}.exe	108
PID 4364 wrote to memory of 4876	4364	{4109F97A-C7AC-4c81-AB34-99CBECE2771C}.exe	108
PID 4364 wrote to memory of 4876	4364	{4109F97A-C7AC-4c81-AB34-99CBECE2771C}.exe	108
PID 4364 wrote to memory of 4304	4364	{4109F97A-C7AC-4c81-AB34-99CBECE2771C}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-25_cb0dca067253ba56502d1f95e5bc1c50_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe
  C:\Windows\{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe
    C:\Windows\{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe
      C:\Windows\{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\Windows\{2127006A-F496-44a6-8C2C-696E44D98A89}.exe
        
        C:\Windows\{2127006A-F496-44a6-8C2C-696E44D98A89}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Windows\{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe
        
        C:\Windows\{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe
        
        C:\Windows\{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe
        
        C:\Windows\{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe
        
        C:\Windows\{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe
        
        C:\Windows\{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{4109F97A-C7AC-4c81-AB34-99CBECE2771C}.exe
        
        C:\Windows\{4109F97A-C7AC-4c81-AB34-99CBECE2771C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\{09E54FDE-470F-4579-8F4C-86792E2DC945}.exe
        
        C:\Windows\{09E54FDE-470F-4579-8F4C-86792E2DC945}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\{60987436-F8B7-47fa-9B89-65BD5EF82AA1}.exe
        
        C:\Windows\{60987436-F8B7-47fa-9B89-65BD5EF82AA1}.exe
        13⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09E54~1.EXE > nul
        13⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4109F~1.EXE > nul
        12⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AEF2~1.EXE > nul
        11⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62922~1.EXE > nul
        10⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68632~1.EXE > nul
        9⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EA9F~1.EXE > nul
        8⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C696~1.EXE > nul
        7⤵
        
        PID:4720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21270~1.EXE > nul
        6⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA16A~1.EXE > nul
        5⤵
        
        PID:2220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7D016~1.EXE > nul
      4⤵
      PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D7197~1.EXE > nul
    3⤵
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09E54FDE-470F-4579-8F4C-86792E2DC945}.exe

Filesize
372KB

MD5
a5f70c9f36c9cf1bb509d36e55ec16e0

SHA1
0f4a611c9b2fb063d9af5a863f8d2a468596ae7f

SHA256
2a805fda9cdc3e79984fbdc1aa37ead28810db5d474e0530edec533796ef3975

SHA512
b37f4ff548b40d9078d1d3e77663893ff0f3a435c1a9f55710cfabf8be80db2245d7637a1ff717783a8114e3cc52e2450e2c1aa49a363ef399cc4a400c226df6

Download Submit
C:\Windows\{0AEF25FF-08D2-499b-B4C6-FB5123DB499A}.exe

Filesize
372KB

MD5
44bb73a3b0ad64f14eaf189b4c81145c

SHA1
2d7cb91b6eabfe36dd75fb8716b3e5088c22ab04

SHA256
3f233f870955ce63de2ec3322a1483a23f660c36054ef54566514d8402c369be

SHA512
57835d30712dfc61a08b732338fea0e952afcec0142cf9655c7372612d5931ee715afa71d569eb1155ecc3e43a5c9ee3edfc740f1411481ddf840eada77e035a

Download Submit
C:\Windows\{1C6969B7-AF9E-4750-ACAE-8F8BBB1D2F6A}.exe

Filesize
372KB

MD5
9064955b14992cae0c532ed06a67c808

SHA1
8904690494922d99b750c92379e5ed8918a0b4f3

SHA256
2bd5d7b6a5a74ba4f9391d01b552cdf03d45fda4403c051d559677eb283c5680

SHA512
3970376d7718970f28d1e4ba7073224231de4f12e62d53d35375de9f3b3049ff13f554ef36b438684ccfa837b10ea7a2bd56321638a75a629205df8ac4e7236a

Download Submit
C:\Windows\{2127006A-F496-44a6-8C2C-696E44D98A89}.exe

Filesize
372KB

MD5
03c1557c4ed81e59f45f1c9d0e9c2e5e

SHA1
f9b52a6f9b8056cd970574db2b4a0d2f4f6e3b2b

SHA256
0e39a1c99ff75db8fe7a664e950cf7e5e7ba264eb808c41f095e677dbf7c9395

SHA512
a5a236c54175796c234261f58f3caba7eb9178fe05bfbcfd9bc9b67d4007510575d6660d9e542264ffe7a334f275f190acf1d0021b34f0f98b77a9f06824f137

Download Submit
C:\Windows\{4109F97A-C7AC-4c81-AB34-99CBECE2771C}.exe

Filesize
372KB

MD5
43430b81f04b8eb6c1228125fc7bf6be

SHA1
118a74c84896b9f0d9d6d34fbc03e2896fbfdfd9

SHA256
d917742ceef13170fd85cfc04008809dc91efff9c59a4c9bec16b162a5e8478b

SHA512
f00264a23b1e10da27b530c31118e96e023b10d6c10099311c3cb39250d59679f70df25b71511531623c079b82c0bfd8e696a72feed978816cb73152d777b2fd

Download Submit
C:\Windows\{60987436-F8B7-47fa-9B89-65BD5EF82AA1}.exe

Filesize
372KB

MD5
b83fcf17e1f15cacda5beb6309b2c143

SHA1
41f965f8bf33fd5cb6108be172650534ac52bdd0

SHA256
d183bd0a6cb7369c28006e4da125d9c0391c3492c04d22cca7bc7a5da56f926c

SHA512
1561a1aa202c58909376bc934447cee8cf81a74179e308a31dab29401e9a777cb7c842f6c5676b72b8942e5056d389156f058c7978db41778629baf7917691e2

Download Submit
C:\Windows\{6292286E-38E8-4eeb-ADF3-843F6D1354B5}.exe

Filesize
372KB

MD5
5fbff1b7df5fbb72510463054afb4f9b

SHA1
ccfe48ff8ba7997b6d23930b4a543c35b1810181

SHA256
c6bdf0b2ef07cedded71ebfa77a493dde4f41d1dd4747d0f3eeb91371f86fc30

SHA512
838e8b49ba5cb24a777b4dcc586cf6fd74305482f5b0be649d056e5eb860f8dd7f6cf24958efbfa1ee997694471cd21edb67bdfb22238620639f2acd4d3af698

Download Submit
C:\Windows\{68632B6D-A487-4b6b-B62D-A7BE977811F4}.exe

Filesize
372KB

MD5
4e61f4ade1f50d24fdbfa83cb5f41372

SHA1
a7b67a24f30b318a1bcacfc70da974563cb95071

SHA256
ac80b5816396894db4880d284b1584525b19d149eb4d139bc8007ca5bc4b9ef0

SHA512
07d36c072ea2d3a0c4bb62c6c2eb4324c88f6f255b13f04aa83a73f71967c83270ae5aaaeca977c2edbf06334cb78a1afb75509d118764efdbbab267efec4538

Download Submit
C:\Windows\{6EA9F3F5-9787-4361-B855-5EC2DA35D278}.exe

Filesize
372KB

MD5
bea3ba197d94248e0231a6fdaf81254f

SHA1
38b902db83aa4e91bf88891c9ac7886e58047af5

SHA256
90532adb29ffac77d3a6e4d27f9e5fa7da0cc2415638428aad4a8ca8770f48f6

SHA512
ad1a59cdb9aee859f993afb4b22f97f753d28ae3561b4d93200aecac340011d4fe0df745177fe53f8a7be1b667f53b6641f714edb9bc63f0ea5cd72bf5d3602b

Download Submit
C:\Windows\{7D016533-71F6-4f10-ACAC-AE62A3AA53FA}.exe

Filesize
372KB

MD5
2de516a58a5e67fa1aaffc82cf70f247

SHA1
d060856abfe109c536eb80e502069d60021780d5

SHA256
dda733e2dbfaa7ae0f57ee1b63664a83d660d3f1a4c588f6f54c182153e50981

SHA512
5d5d7dd187a940d6ff325954f8c813170deceb45c31dc03e803fb93331fc311f56a1d859d110b51dbc72b45a6af16e5463813d4be3f230bfba498db358a717e2

Download Submit
C:\Windows\{CA16A664-F39E-4fe8-81CC-C5CE82D173F7}.exe

Filesize
372KB

MD5
ccba61911bff7e73ce8b055dd650f50f

SHA1
fce75165d38017d9cb84436dadf3e1ad35f3d563

SHA256
7aef2c8f417c05da37d4d1d672f0662f9f7dbde96b6644d43f5e5fc73f26d510

SHA512
f75248bb6e28847de5682d6480bcd1d368087ec617cb8af119768cf9b3af90253529ed84a6f5067e4e11e6533e425fcf41c0ca68b53f1ae10edadb38b45a7103

Download Submit
C:\Windows\{D7197BBF-DE0E-4120-B441-2091C68A69EE}.exe

Filesize
372KB

MD5
0b08d926101aedd60e4601d13e1ebb24

SHA1
d5b1cf2dba2b4d59635114ef42c22480c51b9b13

SHA256
55839a07f1d8aad3b3bcde6b4c57f9f21f5bb86b6c4c06f7e56c3668289ff015

SHA512
4911729501135816e66be06218fdaa72a468df629f9ce347d302ab93b0972697bda3f1788368f558718412c5d6cb27d10066117531ec6e0275bea8be42504879

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads