dcbd5a11c03b481f2a3028be80fcdaa9dea9895ade6ab00d4ea7683c64860a41

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 02:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_be48d6341cc20c2d2ba4344233ced2d2_goldeneye.exe
Size

372KB
MD5

be48d6341cc20c2d2ba4344233ced2d2
SHA1

ad54696e41027d51e76afc7b883513e9d0266533
SHA256

dcbd5a11c03b481f2a3028be80fcdaa9dea9895ade6ab00d4ea7683c64860a41
SHA512

a5c0512d36b3166fbabd65f2bd587275a5a9bcae7709ce39712024dd413775ce088411eee664c8157ab416b4f573cd4347570c3bbc4b0819fac62ecffd95ff16
SSDEEP

3072:CEGh0oLmlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGJmlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002340b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233f6-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023412-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233f6-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000021567-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021aa1-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000021567-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000703-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000703-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000703-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FACEF10-07ED-4934-AECF-5B2F53913116}	{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FACEF10-07ED-4934-AECF-5B2F53913116}\stubpath = "C:\\Windows\\{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe"	{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}\stubpath = "C:\\Windows\\{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe"	{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}\stubpath = "C:\\Windows\\{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe"	{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1027077A-5331-4d57-9905-1491CB07A4CB}	{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}\stubpath = "C:\\Windows\\{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}.exe"	{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{312706F2-4E0B-4607-8653-4382C732FDB8}	2024-06-30_be48d6341cc20c2d2ba4344233ced2d2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}\stubpath = "C:\\Windows\\{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe"	{312706F2-4E0B-4607-8653-4382C732FDB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}	{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A5111BF-F513-4570-9078-49937F9FF2AC}	{1027077A-5331-4d57-9905-1491CB07A4CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}	{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2983B78A-580B-4b0d-88B0-E4D0360FD24F}	{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7191E264-DF05-4009-BC0E-332D3D3CA507}	{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7191E264-DF05-4009-BC0E-332D3D3CA507}\stubpath = "C:\\Windows\\{7191E264-DF05-4009-BC0E-332D3D3CA507}.exe"	{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD71065D-7A42-4b47-BEEA-25B57831BDEC}	{7191E264-DF05-4009-BC0E-332D3D3CA507}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A5111BF-F513-4570-9078-49937F9FF2AC}\stubpath = "C:\\Windows\\{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe"	{1027077A-5331-4d57-9905-1491CB07A4CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}	{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{312706F2-4E0B-4607-8653-4382C732FDB8}\stubpath = "C:\\Windows\\{312706F2-4E0B-4607-8653-4382C732FDB8}.exe"	2024-06-30_be48d6341cc20c2d2ba4344233ced2d2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}	{312706F2-4E0B-4607-8653-4382C732FDB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}	{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}\stubpath = "C:\\Windows\\{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe"	{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2983B78A-580B-4b0d-88B0-E4D0360FD24F}\stubpath = "C:\\Windows\\{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe"	{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1027077A-5331-4d57-9905-1491CB07A4CB}\stubpath = "C:\\Windows\\{1027077A-5331-4d57-9905-1491CB07A4CB}.exe"	{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD71065D-7A42-4b47-BEEA-25B57831BDEC}\stubpath = "C:\\Windows\\{AD71065D-7A42-4b47-BEEA-25B57831BDEC}.exe"	{7191E264-DF05-4009-BC0E-332D3D3CA507}.exe

Executes dropped EXE 12 IoCs

pid	Process
1488	{312706F2-4E0B-4607-8653-4382C732FDB8}.exe
4196	{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe
2436	{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe
4552	{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe
4340	{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe
1200	{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe
3556	{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe
1632	{1027077A-5331-4d57-9905-1491CB07A4CB}.exe
4108	{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe
468	{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}.exe
3328	{7191E264-DF05-4009-BC0E-332D3D3CA507}.exe
416	{AD71065D-7A42-4b47-BEEA-25B57831BDEC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{312706F2-4E0B-4607-8653-4382C732FDB8}.exe	2024-06-30_be48d6341cc20c2d2ba4344233ced2d2_goldeneye.exe
File created	C:\Windows\{1027077A-5331-4d57-9905-1491CB07A4CB}.exe	{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe
File created	C:\Windows\{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe	{1027077A-5331-4d57-9905-1491CB07A4CB}.exe
File created	C:\Windows\{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}.exe	{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe
File created	C:\Windows\{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe	{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe
File created	C:\Windows\{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe	{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe
File created	C:\Windows\{7191E264-DF05-4009-BC0E-332D3D3CA507}.exe	{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}.exe
File created	C:\Windows\{AD71065D-7A42-4b47-BEEA-25B57831BDEC}.exe	{7191E264-DF05-4009-BC0E-332D3D3CA507}.exe
File created	C:\Windows\{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe	{312706F2-4E0B-4607-8653-4382C732FDB8}.exe
File created	C:\Windows\{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe	{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe
File created	C:\Windows\{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe	{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe
File created	C:\Windows\{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe	{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3816	2024-06-30_be48d6341cc20c2d2ba4344233ced2d2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1488	{312706F2-4E0B-4607-8653-4382C732FDB8}.exe
Token: SeIncBasePriorityPrivilege	4196	{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe
Token: SeIncBasePriorityPrivilege	2436	{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe
Token: SeIncBasePriorityPrivilege	4552	{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe
Token: SeIncBasePriorityPrivilege	4340	{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe
Token: SeIncBasePriorityPrivilege	1200	{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe
Token: SeIncBasePriorityPrivilege	3556	{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe
Token: SeIncBasePriorityPrivilege	1632	{1027077A-5331-4d57-9905-1491CB07A4CB}.exe
Token: SeIncBasePriorityPrivilege	4108	{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe
Token: SeIncBasePriorityPrivilege	468	{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}.exe
Token: SeIncBasePriorityPrivilege	3328	{7191E264-DF05-4009-BC0E-332D3D3CA507}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 1488	3816	2024-06-30_be48d6341cc20c2d2ba4344233ced2d2_goldeneye.exe	87
PID 3816 wrote to memory of 1488	3816	2024-06-30_be48d6341cc20c2d2ba4344233ced2d2_goldeneye.exe	87
PID 3816 wrote to memory of 1488	3816	2024-06-30_be48d6341cc20c2d2ba4344233ced2d2_goldeneye.exe	87
PID 3816 wrote to memory of 2100	3816	2024-06-30_be48d6341cc20c2d2ba4344233ced2d2_goldeneye.exe	88
PID 3816 wrote to memory of 2100	3816	2024-06-30_be48d6341cc20c2d2ba4344233ced2d2_goldeneye.exe	88
PID 3816 wrote to memory of 2100	3816	2024-06-30_be48d6341cc20c2d2ba4344233ced2d2_goldeneye.exe	88
PID 1488 wrote to memory of 4196	1488	{312706F2-4E0B-4607-8653-4382C732FDB8}.exe	89
PID 1488 wrote to memory of 4196	1488	{312706F2-4E0B-4607-8653-4382C732FDB8}.exe	89
PID 1488 wrote to memory of 4196	1488	{312706F2-4E0B-4607-8653-4382C732FDB8}.exe	89
PID 1488 wrote to memory of 3488	1488	{312706F2-4E0B-4607-8653-4382C732FDB8}.exe	90
PID 1488 wrote to memory of 3488	1488	{312706F2-4E0B-4607-8653-4382C732FDB8}.exe	90
PID 1488 wrote to memory of 3488	1488	{312706F2-4E0B-4607-8653-4382C732FDB8}.exe	90
PID 4196 wrote to memory of 2436	4196	{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe	93
PID 4196 wrote to memory of 2436	4196	{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe	93
PID 4196 wrote to memory of 2436	4196	{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe	93
PID 4196 wrote to memory of 4588	4196	{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe	94
PID 4196 wrote to memory of 4588	4196	{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe	94
PID 4196 wrote to memory of 4588	4196	{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe	94
PID 2436 wrote to memory of 4552	2436	{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe	95
PID 2436 wrote to memory of 4552	2436	{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe	95
PID 2436 wrote to memory of 4552	2436	{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe	95
PID 2436 wrote to memory of 4404	2436	{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe	96
PID 2436 wrote to memory of 4404	2436	{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe	96
PID 2436 wrote to memory of 4404	2436	{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe	96
PID 4552 wrote to memory of 4340	4552	{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe	97
PID 4552 wrote to memory of 4340	4552	{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe	97
PID 4552 wrote to memory of 4340	4552	{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe	97
PID 4552 wrote to memory of 2948	4552	{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe	98
PID 4552 wrote to memory of 2948	4552	{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe	98
PID 4552 wrote to memory of 2948	4552	{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe	98
PID 4340 wrote to memory of 1200	4340	{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe	99
PID 4340 wrote to memory of 1200	4340	{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe	99
PID 4340 wrote to memory of 1200	4340	{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe	99
PID 4340 wrote to memory of 1284	4340	{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe	100
PID 4340 wrote to memory of 1284	4340	{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe	100
PID 4340 wrote to memory of 1284	4340	{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe	100
PID 1200 wrote to memory of 3556	1200	{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe	101
PID 1200 wrote to memory of 3556	1200	{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe	101
PID 1200 wrote to memory of 3556	1200	{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe	101
PID 1200 wrote to memory of 856	1200	{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe	102
PID 1200 wrote to memory of 856	1200	{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe	102
PID 1200 wrote to memory of 856	1200	{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe	102
PID 3556 wrote to memory of 1632	3556	{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe	103
PID 3556 wrote to memory of 1632	3556	{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe	103
PID 3556 wrote to memory of 1632	3556	{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe	103
PID 3556 wrote to memory of 3884	3556	{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe	104
PID 3556 wrote to memory of 3884	3556	{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe	104
PID 3556 wrote to memory of 3884	3556	{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe	104
PID 1632 wrote to memory of 4108	1632	{1027077A-5331-4d57-9905-1491CB07A4CB}.exe	105
PID 1632 wrote to memory of 4108	1632	{1027077A-5331-4d57-9905-1491CB07A4CB}.exe	105
PID 1632 wrote to memory of 4108	1632	{1027077A-5331-4d57-9905-1491CB07A4CB}.exe	105
PID 1632 wrote to memory of 5000	1632	{1027077A-5331-4d57-9905-1491CB07A4CB}.exe	106
PID 1632 wrote to memory of 5000	1632	{1027077A-5331-4d57-9905-1491CB07A4CB}.exe	106
PID 1632 wrote to memory of 5000	1632	{1027077A-5331-4d57-9905-1491CB07A4CB}.exe	106
PID 4108 wrote to memory of 468	4108	{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe	107
PID 4108 wrote to memory of 468	4108	{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe	107
PID 4108 wrote to memory of 468	4108	{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe	107
PID 4108 wrote to memory of 2524	4108	{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe	108
PID 4108 wrote to memory of 2524	4108	{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe	108
PID 4108 wrote to memory of 2524	4108	{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe	108
PID 468 wrote to memory of 3328	468	{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}.exe	109
PID 468 wrote to memory of 3328	468	{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}.exe	109
PID 468 wrote to memory of 3328	468	{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}.exe	109
PID 468 wrote to memory of 2904	468	{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-06-30_be48d6341cc20c2d2ba4344233ced2d2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_be48d6341cc20c2d2ba4344233ced2d2_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\{312706F2-4E0B-4607-8653-4382C732FDB8}.exe
  C:\Windows\{312706F2-4E0B-4607-8653-4382C732FDB8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe
    C:\Windows\{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Windows\{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe
      C:\Windows\{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe
        
        C:\Windows\{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4552
      - C:\Windows\{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe
        
        C:\Windows\{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe
        
        C:\Windows\{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe
        
        C:\Windows\{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\{1027077A-5331-4d57-9905-1491CB07A4CB}.exe
        
        C:\Windows\{1027077A-5331-4d57-9905-1491CB07A4CB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe
        
        C:\Windows\{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}.exe
        
        C:\Windows\{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\{7191E264-DF05-4009-BC0E-332D3D3CA507}.exe
        
        C:\Windows\{7191E264-DF05-4009-BC0E-332D3D3CA507}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
        
        C:\Windows\{AD71065D-7A42-4b47-BEEA-25B57831BDEC}.exe
        
        C:\Windows\{AD71065D-7A42-4b47-BEEA-25B57831BDEC}.exe
        13⤵
        Executes dropped EXE
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7191E~1.EXE > nul
        13⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA234~1.EXE > nul
        12⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A511~1.EXE > nul
        11⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10270~1.EXE > nul
        10⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2983B~1.EXE > nul
        9⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{872CC~1.EXE > nul
        8⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7B2A~1.EXE > nul
        7⤵
        
        PID:1284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31B7F~1.EXE > nul
        6⤵
        
        PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FACE~1.EXE > nul
        5⤵
        
        PID:4404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{37D51~1.EXE > nul
      4⤵
      PID:4588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{31270~1.EXE > nul
    3⤵
    PID:3488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1027077A-5331-4d57-9905-1491CB07A4CB}.exe

Filesize
372KB

MD5
26ba6642eb287dcf10e4697a2a9cfd1e

SHA1
516bbdc8824cc4b3792e4298ac34ceaa37fee417

SHA256
d47b86da117239441508dfe8f72aad5bdf6823e1bafa8f2eb6cc3bb57c954e2b

SHA512
36b820398dda49ecfdb1f0fd9a066a48c44606d78e24d7566427c1046f1a190af039fe446c2f427686fdfcbe755ef3bb575b0da511d35c6afe5679659114c4df

Download Submit
C:\Windows\{1A5111BF-F513-4570-9078-49937F9FF2AC}.exe

Filesize
372KB

MD5
ac03fbb6cbddffa8aa5a1e3867278e6e

SHA1
4e1cb46d0258f4c1a6e3712290284bd61be27546

SHA256
6a0a2e366b0d594b3a3e53ab03658bc31b85ee264683870db945b262721acb84

SHA512
06e15833b70e0b14742cc7c6fa04674c1193236c3b0f136753c813a273c6fcca770bb3c2a31c863373cb6e8d466d5a7e7e9edf05cce2f3652050e137e5338d17

Download Submit
C:\Windows\{2983B78A-580B-4b0d-88B0-E4D0360FD24F}.exe

Filesize
372KB

MD5
5dc57ff4dde281e637869636317cdab3

SHA1
4b3a4c26483146e311b24978101686b67f4fd054

SHA256
ca926c18f972bdd116dcf72b5ece478e02d890400986024e47b2427b49b80a52

SHA512
815e3cfc8caebe97e349c15f5463ccbb9a893befcb3fed793b5c26ddfd0641793a597235b118f523f83487ef79222e0c573fad438b20e8b84847b5bd08578132

Download Submit
C:\Windows\{312706F2-4E0B-4607-8653-4382C732FDB8}.exe

Filesize
372KB

MD5
698c1ea113f5052a9c93223b7dfb708f

SHA1
a9e235af63d2e36632055b06e45da6ec278bb388

SHA256
e3a8e7ca0fe7da722fe09846fdbb41a7ef3d52dd49ef986b96c244f01fe4fae6

SHA512
578be6169208508b2593012aa62b68ba6179303728ccef8d59bd1cc57315f8a5979f5b87b38e7a13c334f864f590d64c5e4cc207d128dacd445ab905e24ac19c

Download Submit
C:\Windows\{31B7FB50-C7F5-49ca-8D6E-1B54D0F772B3}.exe

Filesize
372KB

MD5
eec20a253b4152f4d4f40cf0b0c4c11f

SHA1
5832ae38e93b6f754e6250139ac924bd50ce74e7

SHA256
62389a53621ee11e8b9c2d44eac44f3fe273729c499a54ad52d50f1732368370

SHA512
cd0c5b6cd526b2c9661181d5afef431001e35cdbf9196ca9f34d280c87ae932e2a3801d3d40a3d1e68064c2ad47a56c8b9c68397a1856d11c13b4d6bb7739471

Download Submit
C:\Windows\{37D5163C-8DC7-4a9c-92F0-082D8E2ADE81}.exe

Filesize
372KB

MD5
b69bce0f01417aea91b85ab62ceec1fb

SHA1
480f33e5fd308777849befc3cbe7b2dd8af6eef4

SHA256
920efccf442c29b66e210e7973e1577e7f3d87831ed54e4d80f068e937016c05

SHA512
daf8630efad7a2ac1f036252f9afb562520178bc5215319241b720287738b1d73cb4f848b1dda9e07b8c4a5439c27b8a4504e6acf0262785186ecca1e36b1c1a

Download Submit
C:\Windows\{3FACEF10-07ED-4934-AECF-5B2F53913116}.exe

Filesize
372KB

MD5
fa718b25167e02e2931da12f38a721f7

SHA1
96414e2d12070ffe9d4c29d5a4ffd7ce2c8ebb5a

SHA256
73d03ddec3c3f840785f205b336f658182ccf68e88fea5edbc1b5572c8fa45cf

SHA512
7e3c4c6d57f6ee11a050b2829a96fc52df943bfd5613bc42bf148c38f0071061df8a990431fc13a50b1bb45b149954ea4e0b1c3acd9f22349f09755074470c0e

Download Submit
C:\Windows\{7191E264-DF05-4009-BC0E-332D3D3CA507}.exe

Filesize
372KB

MD5
25a1c7bf72635b79988b69304f571fcb

SHA1
1288566985c44ad3a37868281f3a6893705b0143

SHA256
7a1468a81d8d80d5188659664f97ff57976287271ffa62e30f349ec0393b7057

SHA512
c788c2d811254079ccee98c5178282ba710d50f9430c34dd045e7596ac12dd3c5e098db2cd3325d65e2199bd2db5b2dc2e748f10829b0ebeee3e191dc98ef1f0

Download Submit
C:\Windows\{872CCFBE-6213-4cf8-8E24-34A3F8A73CCB}.exe

Filesize
372KB

MD5
b6b7395f49226496cb91a1eac8b65abc

SHA1
2300653be9280f2e1cc70a9df92407c4e0ad62d9

SHA256
0a7988ae585f57d536cd9c04310a46b4e8a61b02510b92b9eaf15013ea6dceb9

SHA512
32f453542fff113e6c087c5ca25269339f5fcacfd3a90862989f6be29f7484d7b214c259f416f5d5b41b639d14910bc7b31025407d8f132976cd1bf9628685d5

Download Submit
C:\Windows\{AD71065D-7A42-4b47-BEEA-25B57831BDEC}.exe

Filesize
372KB

MD5
80804d8967a6c1914607f13906baf50e

SHA1
c4ccb49bc71311c2a297b5b7d6d1aad5f84f6f44

SHA256
a4dc4aa74086bac123ca333c6da1b2c44ac0f20f342c79cbe1bf316619e3d87b

SHA512
2cee76aefe0ab429a25e62790efe14800a29f95643d34837d513a726eedb5f303bd90a39d38be04861d3c40e6e60746945e7cab484f2c1a6b9af365f389bfb0e

Download Submit
C:\Windows\{B7B2A01B-155F-49e5-AD9C-88F7C4ADDAEE}.exe

Filesize
372KB

MD5
6271540e48e9dc1849151820efb175a7

SHA1
33e234ece6d4c2175d365f1dae0774f00b6b0117

SHA256
d8abb9b8134f2ac0c8272d91f9c2ec4f6fe2bef1b462cc287c5876b0450e4f07

SHA512
2ff4149531f2a716804faa52985c63fa59186eb2ea16baccec834e6f1b5d876cd896d0808f11272a31a66f1466adbb9ac705640cf3927191cba5546dff8fd157

Download Submit
C:\Windows\{CA234FDC-D838-4e0f-96F5-D52D2DB8B27B}.exe

Filesize
372KB

MD5
3333e51736a4417e6ea1800d578783de

SHA1
203a0e5d991622346926121353da6df218ede624

SHA256
780a306e914d9cc5f37639e75647c84864eeebdc223392db23d532852fc57052

SHA512
d709d32fe1b60523fb328ef9cd6c44dec0060893bb8f2725ac6209b60819bd0b746225fa00b81c4319b811e2f84321c129f3bd88873f106707d857af452e6384

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads