ddff43abb5114f099634268016e100b16f24a3be0a45b8f951378303cb67d0c4

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe
Size

408KB
MD5

65beb50930bc3dd7dcfc323ee53d315e
SHA1

721a04fe3670b824b368bc9dfa134489e46ab254
SHA256

ddff43abb5114f099634268016e100b16f24a3be0a45b8f951378303cb67d0c4
SHA512

32efc01c1c9eee183e2ea6e1f8b9b6e45774792af135a6c955d93c2111b3770394349ae5a1bf3543bd6ce096a39ebf7098e76db335d01018bdf0cfa513f4a33e
SSDEEP

3072:CEGh0o0l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGOldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012252-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a0000000132bd-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00290000000132d0-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000055a2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a0000000132d0-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00130000000055a2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b0000000132d0-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00140000000055a2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001339f-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00150000000055a2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001339f-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000133a7-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16880615-63C8-4de5-B8F3-97FABCA3920F}	{7FC021EE-357D-4b87-A314-83D8E47991B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16880615-63C8-4de5-B8F3-97FABCA3920F}\stubpath = "C:\\Windows\\{16880615-63C8-4de5-B8F3-97FABCA3920F}.exe"	{7FC021EE-357D-4b87-A314-83D8E47991B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B11E3AF-1D6D-4b0a-823C-089F5BCD732E}\stubpath = "C:\\Windows\\{5B11E3AF-1D6D-4b0a-823C-089F5BCD732E}.exe"	{16880615-63C8-4de5-B8F3-97FABCA3920F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72963EA8-873D-453f-BDCD-8874BD3DC466}	{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}\stubpath = "C:\\Windows\\{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe"	{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}\stubpath = "C:\\Windows\\{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe"	{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}	{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2307AD1-F9DB-4584-8F21-2935C76244ED}	{322D604B-AC89-4e70-B02F-E769697AB232}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484A09CB-9E40-49cb-9C06-6749360DEAE8}\stubpath = "C:\\Windows\\{484A09CB-9E40-49cb-9C06-6749360DEAE8}.exe"	{5B11E3AF-1D6D-4b0a-823C-089F5BCD732E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484A09CB-9E40-49cb-9C06-6749360DEAE8}	{5B11E3AF-1D6D-4b0a-823C-089F5BCD732E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E673C97-2CE2-48a9-8153-305BBFC14C79}	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E673C97-2CE2-48a9-8153-305BBFC14C79}\stubpath = "C:\\Windows\\{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe"	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2307AD1-F9DB-4584-8F21-2935C76244ED}\stubpath = "C:\\Windows\\{C2307AD1-F9DB-4584-8F21-2935C76244ED}.exe"	{322D604B-AC89-4e70-B02F-E769697AB232}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FC021EE-357D-4b87-A314-83D8E47991B6}	{C2307AD1-F9DB-4584-8F21-2935C76244ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B11E3AF-1D6D-4b0a-823C-089F5BCD732E}	{16880615-63C8-4de5-B8F3-97FABCA3920F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{322D604B-AC89-4e70-B02F-E769697AB232}\stubpath = "C:\\Windows\\{322D604B-AC89-4e70-B02F-E769697AB232}.exe"	{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FC021EE-357D-4b87-A314-83D8E47991B6}\stubpath = "C:\\Windows\\{7FC021EE-357D-4b87-A314-83D8E47991B6}.exe"	{C2307AD1-F9DB-4584-8F21-2935C76244ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}	{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72963EA8-873D-453f-BDCD-8874BD3DC466}\stubpath = "C:\\Windows\\{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe"	{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}	{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}\stubpath = "C:\\Windows\\{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe"	{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{322D604B-AC89-4e70-B02F-E769697AB232}	{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}\stubpath = "C:\\Windows\\{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe"	{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}	{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe

Deletes itself 1 IoCs

pid	Process
2552	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2536	{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe
2664	{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe
2468	{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe
1968	{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe
2532	{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe
1884	{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe
2260	{322D604B-AC89-4e70-B02F-E769697AB232}.exe
940	{C2307AD1-F9DB-4584-8F21-2935C76244ED}.exe
628	{7FC021EE-357D-4b87-A314-83D8E47991B6}.exe
1732	{16880615-63C8-4de5-B8F3-97FABCA3920F}.exe
2316	{5B11E3AF-1D6D-4b0a-823C-089F5BCD732E}.exe
1532	{484A09CB-9E40-49cb-9C06-6749360DEAE8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe	{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe
File created	C:\Windows\{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe	{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe
File created	C:\Windows\{322D604B-AC89-4e70-B02F-E769697AB232}.exe	{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe
File created	C:\Windows\{C2307AD1-F9DB-4584-8F21-2935C76244ED}.exe	{322D604B-AC89-4e70-B02F-E769697AB232}.exe
File created	C:\Windows\{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe	{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe
File created	C:\Windows\{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe	{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe
File created	C:\Windows\{7FC021EE-357D-4b87-A314-83D8E47991B6}.exe	{C2307AD1-F9DB-4584-8F21-2935C76244ED}.exe
File created	C:\Windows\{16880615-63C8-4de5-B8F3-97FABCA3920F}.exe	{7FC021EE-357D-4b87-A314-83D8E47991B6}.exe
File created	C:\Windows\{5B11E3AF-1D6D-4b0a-823C-089F5BCD732E}.exe	{16880615-63C8-4de5-B8F3-97FABCA3920F}.exe
File created	C:\Windows\{484A09CB-9E40-49cb-9C06-6749360DEAE8}.exe	{5B11E3AF-1D6D-4b0a-823C-089F5BCD732E}.exe
File created	C:\Windows\{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe
File created	C:\Windows\{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe	{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2896	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2536	{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe
Token: SeIncBasePriorityPrivilege	2664	{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe
Token: SeIncBasePriorityPrivilege	2468	{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe
Token: SeIncBasePriorityPrivilege	1968	{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe
Token: SeIncBasePriorityPrivilege	2532	{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe
Token: SeIncBasePriorityPrivilege	1884	{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe
Token: SeIncBasePriorityPrivilege	2260	{322D604B-AC89-4e70-B02F-E769697AB232}.exe
Token: SeIncBasePriorityPrivilege	940	{C2307AD1-F9DB-4584-8F21-2935C76244ED}.exe
Token: SeIncBasePriorityPrivilege	628	{7FC021EE-357D-4b87-A314-83D8E47991B6}.exe
Token: SeIncBasePriorityPrivilege	1732	{16880615-63C8-4de5-B8F3-97FABCA3920F}.exe
Token: SeIncBasePriorityPrivilege	2316	{5B11E3AF-1D6D-4b0a-823C-089F5BCD732E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2536	2896	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe	28
PID 2896 wrote to memory of 2536	2896	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe	28
PID 2896 wrote to memory of 2536	2896	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe	28
PID 2896 wrote to memory of 2536	2896	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe	28
PID 2896 wrote to memory of 2552	2896	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe	29
PID 2896 wrote to memory of 2552	2896	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe	29
PID 2896 wrote to memory of 2552	2896	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe	29
PID 2896 wrote to memory of 2552	2896	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe	29
PID 2536 wrote to memory of 2664	2536	{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe	30
PID 2536 wrote to memory of 2664	2536	{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe	30
PID 2536 wrote to memory of 2664	2536	{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe	30
PID 2536 wrote to memory of 2664	2536	{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe	30
PID 2536 wrote to memory of 2640	2536	{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe	31
PID 2536 wrote to memory of 2640	2536	{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe	31
PID 2536 wrote to memory of 2640	2536	{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe	31
PID 2536 wrote to memory of 2640	2536	{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe	31
PID 2664 wrote to memory of 2468	2664	{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe	32
PID 2664 wrote to memory of 2468	2664	{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe	32
PID 2664 wrote to memory of 2468	2664	{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe	32
PID 2664 wrote to memory of 2468	2664	{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe	32
PID 2664 wrote to memory of 2344	2664	{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe	33
PID 2664 wrote to memory of 2344	2664	{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe	33
PID 2664 wrote to memory of 2344	2664	{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe	33
PID 2664 wrote to memory of 2344	2664	{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe	33
PID 2468 wrote to memory of 1968	2468	{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe	36
PID 2468 wrote to memory of 1968	2468	{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe	36
PID 2468 wrote to memory of 1968	2468	{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe	36
PID 2468 wrote to memory of 1968	2468	{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe	36
PID 2468 wrote to memory of 1744	2468	{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe	37
PID 2468 wrote to memory of 1744	2468	{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe	37
PID 2468 wrote to memory of 1744	2468	{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe	37
PID 2468 wrote to memory of 1744	2468	{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe	37
PID 1968 wrote to memory of 2532	1968	{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe	38
PID 1968 wrote to memory of 2532	1968	{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe	38
PID 1968 wrote to memory of 2532	1968	{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe	38
PID 1968 wrote to memory of 2532	1968	{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe	38
PID 1968 wrote to memory of 1704	1968	{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe	39
PID 1968 wrote to memory of 1704	1968	{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe	39
PID 1968 wrote to memory of 1704	1968	{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe	39
PID 1968 wrote to memory of 1704	1968	{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe	39
PID 2532 wrote to memory of 1884	2532	{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe	40
PID 2532 wrote to memory of 1884	2532	{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe	40
PID 2532 wrote to memory of 1884	2532	{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe	40
PID 2532 wrote to memory of 1884	2532	{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe	40
PID 2532 wrote to memory of 1996	2532	{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe	41
PID 2532 wrote to memory of 1996	2532	{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe	41
PID 2532 wrote to memory of 1996	2532	{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe	41
PID 2532 wrote to memory of 1996	2532	{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe	41
PID 1884 wrote to memory of 2260	1884	{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe	42
PID 1884 wrote to memory of 2260	1884	{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe	42
PID 1884 wrote to memory of 2260	1884	{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe	42
PID 1884 wrote to memory of 2260	1884	{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe	42
PID 1884 wrote to memory of 708	1884	{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe	43
PID 1884 wrote to memory of 708	1884	{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe	43
PID 1884 wrote to memory of 708	1884	{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe	43
PID 1884 wrote to memory of 708	1884	{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe	43
PID 2260 wrote to memory of 940	2260	{322D604B-AC89-4e70-B02F-E769697AB232}.exe	44
PID 2260 wrote to memory of 940	2260	{322D604B-AC89-4e70-B02F-E769697AB232}.exe	44
PID 2260 wrote to memory of 940	2260	{322D604B-AC89-4e70-B02F-E769697AB232}.exe	44
PID 2260 wrote to memory of 940	2260	{322D604B-AC89-4e70-B02F-E769697AB232}.exe	44
PID 2260 wrote to memory of 540	2260	{322D604B-AC89-4e70-B02F-E769697AB232}.exe	45
PID 2260 wrote to memory of 540	2260	{322D604B-AC89-4e70-B02F-E769697AB232}.exe	45
PID 2260 wrote to memory of 540	2260	{322D604B-AC89-4e70-B02F-E769697AB232}.exe	45
PID 2260 wrote to memory of 540	2260	{322D604B-AC89-4e70-B02F-E769697AB232}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe
  C:\Windows\{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe
    C:\Windows\{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe
      C:\Windows\{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe
        
        C:\Windows\{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
      - C:\Windows\{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe
        
        C:\Windows\{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe
        
        C:\Windows\{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\{322D604B-AC89-4e70-B02F-E769697AB232}.exe
        
        C:\Windows\{322D604B-AC89-4e70-B02F-E769697AB232}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\{C2307AD1-F9DB-4584-8F21-2935C76244ED}.exe
        
        C:\Windows\{C2307AD1-F9DB-4584-8F21-2935C76244ED}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Windows\{7FC021EE-357D-4b87-A314-83D8E47991B6}.exe
        
        C:\Windows\{7FC021EE-357D-4b87-A314-83D8E47991B6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\{16880615-63C8-4de5-B8F3-97FABCA3920F}.exe
        
        C:\Windows\{16880615-63C8-4de5-B8F3-97FABCA3920F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16880~1.EXE > nul
        12⤵
        
        PID:328
        
        C:\Windows\{5B11E3AF-1D6D-4b0a-823C-089F5BCD732E}.exe
        
        C:\Windows\{5B11E3AF-1D6D-4b0a-823C-089F5BCD732E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\{484A09CB-9E40-49cb-9C06-6749360DEAE8}.exe
        
        C:\Windows\{484A09CB-9E40-49cb-9C06-6749360DEAE8}.exe
        13⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B11E~1.EXE > nul
        13⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FC02~1.EXE > nul
        11⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2307~1.EXE > nul
        10⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{322D6~1.EXE > nul
        9⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A209A~1.EXE > nul
        8⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68FE1~1.EXE > nul
        7⤵
        
        PID:1996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CF34~1.EXE > nul
        6⤵
        
        PID:1704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72963~1.EXE > nul
        5⤵
        
        PID:1744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F55F3~1.EXE > nul
      4⤵
      PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E673~1.EXE > nul
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16880615-63C8-4de5-B8F3-97FABCA3920F}.exe

Filesize
408KB

MD5
77b06c0678f02fa76daf223668f5ea70

SHA1
9e9e3be010d2f0b771c601a06c723b0015f242f0

SHA256
12097895e4b05ce5639ad6f3bd90a9f21583cd8fde1185d1cfd8269bd5549600

SHA512
0977c9a9ba289e5e33cfb8c3b6fb14113f2e56cfddfc087fc8548f4e6109fa99307ba23dbf7d0dfeaf922155e0f39dad22245cce062ec30b53ee93355db99263

Download Submit
C:\Windows\{322D604B-AC89-4e70-B02F-E769697AB232}.exe

Filesize
408KB

MD5
11539ffe4edf583ce049a913a26c9ef1

SHA1
3bb273485db9093a6402fb9c08bb80a095c41f29

SHA256
07b71ce44331b968b6c5c98969a864dcc856d0896a3a6b2d31939ca75788a685

SHA512
18c78d4893dbf9e2492fe1cf5599cfd7a5e80ae6bab6d6d2cbc831dd796bbdf23aa8c81f3c23ca7f066e378428e3c5cfb26054fa4bf6046d71920a1507a01bb8

Download Submit
C:\Windows\{484A09CB-9E40-49cb-9C06-6749360DEAE8}.exe

Filesize
408KB

MD5
9d7dfae3290388c98d455dc883253cdd

SHA1
95f1883362d7fd90d52cbbe4c6286ff9381ec6a5

SHA256
2fbd5b8bc5f474357cd6876ef72e9c81ec0ff74eb2bd0860fbf2d471af11bcbc

SHA512
1558b759ede25996a2dae36bd8a76fc533a69257ac7ed90ff0a1ecd0dc9d71054938c511a729edac09375bea8db5383870a792621db1c7786065805ba75e587d

Download Submit
C:\Windows\{5B11E3AF-1D6D-4b0a-823C-089F5BCD732E}.exe

Filesize
408KB

MD5
2eeeecac12aee64b67a0ce39164ba69b

SHA1
5e4cfc08a90b9a3e51e6996e57eeae455731f835

SHA256
776c21b58e1bad1ea8a2e8c85f4dd4d2d060b66ca137dc91670a7c5138a577f0

SHA512
9844989e5974b98c905357c48ff5e3b96664b14298665f3842f163cdc9410a27d425312d79de7c9731a812399b0830088888f677ad9d48381e01548442c38c26

Download Submit
C:\Windows\{68FE1359-1CAA-464d-A08C-C8171A2A0EF6}.exe

Filesize
408KB

MD5
18842ff969fa9eb11cbd344871d8adb0

SHA1
c49d82c44ff606c3ef9c33031a57ec8f0d609c68

SHA256
f8f9f6d6b3d1ea24acab25c3544b70cd61ea429b84af214e39cf54edea2a05fc

SHA512
c3d1d696d25b46a74eb1367015ca9f118949433baf1b1aa73805b017a6c954701f2c47fea672d2a7e06d60e1e204b19d90c4d34a64d7a6a1e6c9037f5597f72e

Download Submit
C:\Windows\{6CF34DBF-17F3-4ee3-9DA5-BF7009BDBA40}.exe

Filesize
408KB

MD5
b4aaf1f8b047e5df36259abb14d8885a

SHA1
ec51260efa125e6e83cf21edcfd94bd3bd5ee9fe

SHA256
1a9f2ec43bfa5eb1db76a6410bf10b2595528e450289f7ab1d82a4abd96acbcb

SHA512
f824ba42481a9967b41d209e8e412797afad9411e57a56e2c4cd4f8e0233571d25b08aa70b105a8b4b7d25ca440f02d36e6c8bd07fc9aaf8c9ee947d5662e4c5

Download Submit
C:\Windows\{6E673C97-2CE2-48a9-8153-305BBFC14C79}.exe

Filesize
408KB

MD5
92d0a21ce30c4fcf3088c94f805b06ad

SHA1
c92dd1847df55e1b4d8340f599fd04dd3f3332df

SHA256
dbfa282e698d1cab73514a730f6dc54333c02f6bad396ac55af9e20dfb11f135

SHA512
51106198f23a127073ae955aae5ade71a35fe57cedc2bd00660acacd7422e92927cb4eafbad27b39be980f5264257a05c6a4da7ec7443a0e313d7ecd2acba002

Download Submit
C:\Windows\{72963EA8-873D-453f-BDCD-8874BD3DC466}.exe

Filesize
408KB

MD5
724067880b4d753d27bab68e128a9c64

SHA1
007e73cad380b10b076503bc939b695a0a93e323

SHA256
c267a46aafeeb923b3f4116071caef09f97bebc0a6bbda9f430a8557a3e3ff7a

SHA512
f052a98f16db1351e5faec166836bade04781d67754f9420ac1c5fc025f2df99823a3b1afe4e5b2a39c3e098790a61dc047764c60ba1713bf0cf4c78c09aee4b

Download Submit
C:\Windows\{7FC021EE-357D-4b87-A314-83D8E47991B6}.exe

Filesize
408KB

MD5
bbe6974c633d19aea82e094cf2657791

SHA1
c3b6e393525f493d4c5fcd6e5f924938e29b76b1

SHA256
77e4bba856cdb3ef0240d756e2d5b1f2312506780f98db5929412661c0545293

SHA512
23f99d3c71a6ea499477c2729412a4672c70d5521bbaf13340eabeab69e95b75c24d7fb659f71c92ab75ea0d954cd98bd7bdc3ce9388cf6a644fca49ced7e213

Download Submit
C:\Windows\{A209A9C0-EDA2-4fa5-8E6A-58D8C0992352}.exe

Filesize
408KB

MD5
a7ff58de05dfe3a2e1b8811adbf4a203

SHA1
50138b7ccebc2b46444ab1e94e4a485dabfb1b7a

SHA256
fd52f8bb631fdf4b7dd697be82a8c30cb7209ae82f52018b2a9d43e013aa4083

SHA512
2a1cb8e2f93ce1458c23e447d7b30eb570f910fad37254d9e2d7e7637e72b9a1a05be2b4ceb180a8681cfd7e4f991f74137f905d7127fee76a68006a75308d18

Download Submit
C:\Windows\{C2307AD1-F9DB-4584-8F21-2935C76244ED}.exe

Filesize
408KB

MD5
f0dc1e25fe9d092c3d84ce30c8d859df

SHA1
4f460bce11ea8d546df6c6d613ff7ac4c05351a4

SHA256
007fcdc9e14718c2558fbd402b03cd0acb1f5ca79b8c9069bf1522a5bc26a3ff

SHA512
1d99d1e0175b7abafae515033c0d064796b9fcf2e5c8dc4ba907e0a5d329b6a086644baed1c136a53a9d58c064546d996a5c196d191539f0b253a8d4c31971af

Download Submit
C:\Windows\{F55F34E7-412F-4c8d-9A2D-EED38201ACB9}.exe

Filesize
408KB

MD5
94fa00cfc051d3252a7c1b6a5c56102d

SHA1
230ed6cda160f35539bf00a2c7dd1c68ac26fd1d

SHA256
83135210b6ec1b9bea337debd301602b77985159eb0b18ec8c30e034ad5b6537

SHA512
b1fe5c217b74f89e0fcfc02c54ec062ac10571c13dfc1bc58b05459b6f13c9857864311be5467aec44e3cf456dc9c81d18affec7c49803a4dd6cb5f892bb4119

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads