f6b9db83b7d6328b679dedf7c4dfebeb05bf8285c53c9c85c7a530fa33d8d99f

Analysis

max time kernel
151s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-07_5d9c26f0b1e0caa9403f28a639bfb7b8_goldeneye.exe
Size

204KB
MD5

5d9c26f0b1e0caa9403f28a639bfb7b8
SHA1

a89514bebd5c7fb4a9b2d559a8ca67a6925a58d8
SHA256

f6b9db83b7d6328b679dedf7c4dfebeb05bf8285c53c9c85c7a530fa33d8d99f
SHA512

cb4863a28d30354bb13c5de10054d146915ae5a89b866f778f829a6f1ecc702ad7462d89f3c7c9ac3799616c1ee3da078a35d89e8b5fb68ed52802596edd2bac
SSDEEP

1536:1EGh0oUl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oUl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x00040000000130fc-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016d22-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00050000000130fc-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00060000000130fc-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000130fc-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000130fc-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000130fc-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC40C597-4B47-49e5-88C2-1E962B108732}\stubpath = "C:\\Windows\\{BC40C597-4B47-49e5-88C2-1E962B108732}.exe"	{F693271A-D500-44e5-B322-A084D5551795}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}\stubpath = "C:\\Windows\\{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe"	2024-03-07_5d9c26f0b1e0caa9403f28a639bfb7b8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}\stubpath = "C:\\Windows\\{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe"	{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23A531EC-90D7-4499-9479-DAA65986AC18}\stubpath = "C:\\Windows\\{23A531EC-90D7-4499-9479-DAA65986AC18}.exe"	{C7FD9AF3-9E41-411c-B50A-0BA94BC56E54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF302C58-330E-46b6-AF4C-515096CD80FA}	{23A531EC-90D7-4499-9479-DAA65986AC18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23A531EC-90D7-4499-9479-DAA65986AC18}	{C7FD9AF3-9E41-411c-B50A-0BA94BC56E54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF302C58-330E-46b6-AF4C-515096CD80FA}\stubpath = "C:\\Windows\\{CF302C58-330E-46b6-AF4C-515096CD80FA}.exe"	{23A531EC-90D7-4499-9479-DAA65986AC18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F693271A-D500-44e5-B322-A084D5551795}\stubpath = "C:\\Windows\\{F693271A-D500-44e5-B322-A084D5551795}.exe"	{CF302C58-330E-46b6-AF4C-515096CD80FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C25192-0B01-4bb7-BD2D-09FE821F5757}	{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02A83EE2-6E9C-4f10-B64D-3FBB20132765}\stubpath = "C:\\Windows\\{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe"	{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B8B6197-06EE-4861-A921-4F538C3018C6}	{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7FD9AF3-9E41-411c-B50A-0BA94BC56E54}\stubpath = "C:\\Windows\\{C7FD9AF3-9E41-411c-B50A-0BA94BC56E54}.exe"	{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B8B6197-06EE-4861-A921-4F538C3018C6}\stubpath = "C:\\Windows\\{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe"	{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC40C597-4B47-49e5-88C2-1E962B108732}	{F693271A-D500-44e5-B322-A084D5551795}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}	2024-03-07_5d9c26f0b1e0caa9403f28a639bfb7b8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}\stubpath = "C:\\Windows\\{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe"	{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C25192-0B01-4bb7-BD2D-09FE821F5757}\stubpath = "C:\\Windows\\{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe"	{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}	{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7FD9AF3-9E41-411c-B50A-0BA94BC56E54}	{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F693271A-D500-44e5-B322-A084D5551795}	{CF302C58-330E-46b6-AF4C-515096CD80FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}	{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC428F76-3129-4886-ACF4-DD1700BC846A}	{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC428F76-3129-4886-ACF4-DD1700BC846A}\stubpath = "C:\\Windows\\{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe"	{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02A83EE2-6E9C-4f10-B64D-3FBB20132765}	{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe

Deletes itself 1 IoCs

pid	Process
2716	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
1060	{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe
2644	{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe
1716	{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe
2988	{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe
268	{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe
1120	{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe
1748	{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe
2884	{C7FD9AF3-9E41-411c-B50A-0BA94BC56E54}.exe
1672	{23A531EC-90D7-4499-9479-DAA65986AC18}.exe
2284	{CF302C58-330E-46b6-AF4C-515096CD80FA}.exe
2112	{F693271A-D500-44e5-B322-A084D5551795}.exe
3016	{BC40C597-4B47-49e5-88C2-1E962B108732}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe	{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe
File created	C:\Windows\{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe	{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe
File created	C:\Windows\{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe	{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe
File created	C:\Windows\{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe	{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe
File created	C:\Windows\{23A531EC-90D7-4499-9479-DAA65986AC18}.exe	{C7FD9AF3-9E41-411c-B50A-0BA94BC56E54}.exe
File created	C:\Windows\{F693271A-D500-44e5-B322-A084D5551795}.exe	{CF302C58-330E-46b6-AF4C-515096CD80FA}.exe
File created	C:\Windows\{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe	2024-03-07_5d9c26f0b1e0caa9403f28a639bfb7b8_goldeneye.exe
File created	C:\Windows\{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe	{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe
File created	C:\Windows\{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe	{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe
File created	C:\Windows\{C7FD9AF3-9E41-411c-B50A-0BA94BC56E54}.exe	{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe
File created	C:\Windows\{CF302C58-330E-46b6-AF4C-515096CD80FA}.exe	{23A531EC-90D7-4499-9479-DAA65986AC18}.exe
File created	C:\Windows\{BC40C597-4B47-49e5-88C2-1E962B108732}.exe	{F693271A-D500-44e5-B322-A084D5551795}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	300	2024-03-07_5d9c26f0b1e0caa9403f28a639bfb7b8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1060	{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe
Token: SeIncBasePriorityPrivilege	2644	{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe
Token: SeIncBasePriorityPrivilege	1716	{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe
Token: SeIncBasePriorityPrivilege	2988	{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe
Token: SeIncBasePriorityPrivilege	268	{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe
Token: SeIncBasePriorityPrivilege	1120	{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe
Token: SeIncBasePriorityPrivilege	1748	{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe
Token: SeIncBasePriorityPrivilege	2884	{C7FD9AF3-9E41-411c-B50A-0BA94BC56E54}.exe
Token: SeIncBasePriorityPrivilege	1672	{23A531EC-90D7-4499-9479-DAA65986AC18}.exe
Token: SeIncBasePriorityPrivilege	2284	{CF302C58-330E-46b6-AF4C-515096CD80FA}.exe
Token: SeIncBasePriorityPrivilege	2112	{F693271A-D500-44e5-B322-A084D5551795}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 300 wrote to memory of 1060	300	2024-03-07_5d9c26f0b1e0caa9403f28a639bfb7b8_goldeneye.exe	28
PID 300 wrote to memory of 1060	300	2024-03-07_5d9c26f0b1e0caa9403f28a639bfb7b8_goldeneye.exe	28
PID 300 wrote to memory of 1060	300	2024-03-07_5d9c26f0b1e0caa9403f28a639bfb7b8_goldeneye.exe	28
PID 300 wrote to memory of 1060	300	2024-03-07_5d9c26f0b1e0caa9403f28a639bfb7b8_goldeneye.exe	28
PID 300 wrote to memory of 2716	300	2024-03-07_5d9c26f0b1e0caa9403f28a639bfb7b8_goldeneye.exe	29
PID 300 wrote to memory of 2716	300	2024-03-07_5d9c26f0b1e0caa9403f28a639bfb7b8_goldeneye.exe	29
PID 300 wrote to memory of 2716	300	2024-03-07_5d9c26f0b1e0caa9403f28a639bfb7b8_goldeneye.exe	29
PID 300 wrote to memory of 2716	300	2024-03-07_5d9c26f0b1e0caa9403f28a639bfb7b8_goldeneye.exe	29
PID 1060 wrote to memory of 2644	1060	{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe	32
PID 1060 wrote to memory of 2644	1060	{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe	32
PID 1060 wrote to memory of 2644	1060	{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe	32
PID 1060 wrote to memory of 2644	1060	{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe	32
PID 1060 wrote to memory of 2456	1060	{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe	33
PID 1060 wrote to memory of 2456	1060	{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe	33
PID 1060 wrote to memory of 2456	1060	{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe	33
PID 1060 wrote to memory of 2456	1060	{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe	33
PID 2644 wrote to memory of 1716	2644	{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe	34
PID 2644 wrote to memory of 1716	2644	{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe	34
PID 2644 wrote to memory of 1716	2644	{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe	34
PID 2644 wrote to memory of 1716	2644	{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe	34
PID 2644 wrote to memory of 2432	2644	{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe	35
PID 2644 wrote to memory of 2432	2644	{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe	35
PID 2644 wrote to memory of 2432	2644	{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe	35
PID 2644 wrote to memory of 2432	2644	{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe	35
PID 1716 wrote to memory of 2988	1716	{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe	36
PID 1716 wrote to memory of 2988	1716	{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe	36
PID 1716 wrote to memory of 2988	1716	{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe	36
PID 1716 wrote to memory of 2988	1716	{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe	36
PID 1716 wrote to memory of 2924	1716	{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe	37
PID 1716 wrote to memory of 2924	1716	{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe	37
PID 1716 wrote to memory of 2924	1716	{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe	37
PID 1716 wrote to memory of 2924	1716	{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe	37
PID 2988 wrote to memory of 268	2988	{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe	38
PID 2988 wrote to memory of 268	2988	{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe	38
PID 2988 wrote to memory of 268	2988	{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe	38
PID 2988 wrote to memory of 268	2988	{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe	38
PID 2988 wrote to memory of 984	2988	{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe	39
PID 2988 wrote to memory of 984	2988	{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe	39
PID 2988 wrote to memory of 984	2988	{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe	39
PID 2988 wrote to memory of 984	2988	{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe	39
PID 268 wrote to memory of 1120	268	{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe	40
PID 268 wrote to memory of 1120	268	{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe	40
PID 268 wrote to memory of 1120	268	{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe	40
PID 268 wrote to memory of 1120	268	{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe	40
PID 268 wrote to memory of 876	268	{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe	41
PID 268 wrote to memory of 876	268	{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe	41
PID 268 wrote to memory of 876	268	{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe	41
PID 268 wrote to memory of 876	268	{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe	41
PID 1120 wrote to memory of 1748	1120	{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe	42
PID 1120 wrote to memory of 1748	1120	{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe	42
PID 1120 wrote to memory of 1748	1120	{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe	42
PID 1120 wrote to memory of 1748	1120	{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe	42
PID 1120 wrote to memory of 1664	1120	{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe	43
PID 1120 wrote to memory of 1664	1120	{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe	43
PID 1120 wrote to memory of 1664	1120	{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe	43
PID 1120 wrote to memory of 1664	1120	{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe	43
PID 1748 wrote to memory of 2884	1748	{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe	44
PID 1748 wrote to memory of 2884	1748	{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe	44
PID 1748 wrote to memory of 2884	1748	{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe	44
PID 1748 wrote to memory of 2884	1748	{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe	44
PID 1748 wrote to memory of 2744	1748	{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe	45
PID 1748 wrote to memory of 2744	1748	{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe	45
PID 1748 wrote to memory of 2744	1748	{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe	45
PID 1748 wrote to memory of 2744	1748	{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-07_5d9c26f0b1e0caa9403f28a639bfb7b8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-07_5d9c26f0b1e0caa9403f28a639bfb7b8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:300
- C:\Windows\{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe
  C:\Windows\{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe
    C:\Windows\{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe
      C:\Windows\{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe
        
        C:\Windows\{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe
        
        C:\Windows\{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe
        
        C:\Windows\{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe
        
        C:\Windows\{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\{C7FD9AF3-9E41-411c-B50A-0BA94BC56E54}.exe
        
        C:\Windows\{C7FD9AF3-9E41-411c-B50A-0BA94BC56E54}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\{23A531EC-90D7-4499-9479-DAA65986AC18}.exe
        
        C:\Windows\{23A531EC-90D7-4499-9479-DAA65986AC18}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\{CF302C58-330E-46b6-AF4C-515096CD80FA}.exe
        
        C:\Windows\{CF302C58-330E-46b6-AF4C-515096CD80FA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\{F693271A-D500-44e5-B322-A084D5551795}.exe
        
        C:\Windows\{F693271A-D500-44e5-B322-A084D5551795}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\{BC40C597-4B47-49e5-88C2-1E962B108732}.exe
        
        C:\Windows\{BC40C597-4B47-49e5-88C2-1E962B108732}.exe
        13⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6932~1.EXE > nul
        13⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF302~1.EXE > nul
        12⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23A53~1.EXE > nul
        11⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7FD9~1.EXE > nul
        10⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B8B6~1.EXE > nul
        9⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C10FD~1.EXE > nul
        8⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02A83~1.EXE > nul
        7⤵
        
        PID:876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC428~1.EXE > nul
        6⤵
        
        PID:984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52C25~1.EXE > nul
        5⤵
        
        PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9E59C~1.EXE > nul
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{76D76~1.EXE > nul
    3⤵
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02A83EE2-6E9C-4f10-B64D-3FBB20132765}.exe

Filesize
204KB

MD5
e575215259cd08ed132f34a78e1dd0fd

SHA1
ebadc2aebf71d3dfaf27aee9d73d462cbadc917a

SHA256
7adfffc0732efb12cbc09eab21875768a334da4d9e19bfca135a5a5915f2d0ea

SHA512
97075f1254d63b2f966878761ae2608e711b2aadd4379a3b044af198c3b00e1bd996eca7659d86b2453d6bf509b4c5905c92c4c116ad3eb089d07919f6d96cad

Download Submit
C:\Windows\{1B8B6197-06EE-4861-A921-4F538C3018C6}.exe

Filesize
204KB

MD5
a3ab00fc850ee96cc9005e2a31c60682

SHA1
6c6e900a2ede8e6d8045b87630aa5d93d3acc2dc

SHA256
9532bdbfce8883b962bde4ae3464067545607dca7740df5a5ad9aaa60ab384c6

SHA512
b80acaf69d952ac6c4e504fc2648ed2fcf591e9d7f1f2fa13916bb04866216dac44941932db1db684036a6c425db8862703a551823f481b277d09e7d1ea37840

Download Submit
C:\Windows\{23A531EC-90D7-4499-9479-DAA65986AC18}.exe

Filesize
204KB

MD5
340999aa828ee606ea92a6ec8999e49c

SHA1
431449de312126506e5b806cfb42ca9f656d9c4f

SHA256
cc526c3d40dc03180910acfaffffe11e1797212a92c1e8e4b285624c92ce6ea6

SHA512
fb632006e31c6b1ae7a9489efce575d1a946f7371ea1a0e91ecbeab684d2e1697f080e25e96396fc8c1d182d4ba02fe261adf42302e8373aa8af01fea7feb25d

Download Submit
C:\Windows\{52C25192-0B01-4bb7-BD2D-09FE821F5757}.exe

Filesize
204KB

MD5
84cf2d79c6dddc11aa4854be4a6a9db2

SHA1
2d9ba2341afd11950ba86d3adc2be8ae5a0f319e

SHA256
6fb5594b2af0de8bcab76b4c7afd3f67e05a9a8576081d8bd67baa478577d74b

SHA512
56cbdbbce610757d1a1a110219a37025b9a9217e0c616b970fa99b23e570680c30f3ef29f35ef06a8f276375b3fd51f9308605f661a3ee8729e665e1cf1d7edf

Download Submit
C:\Windows\{76D76A88-5C28-4ee9-9392-BA8FA2E211C2}.exe

Filesize
204KB

MD5
d3fed0f7a6671aefe5ab9d52a709dae6

SHA1
79a18e3c63bd3c80257b712fc26ba027a8e50d6f

SHA256
8def90099171667e6dee6b88a449960e3d61d932c16cf071ac4b58f4ef399396

SHA512
137766c11ed9a0f1dadd347295b4e277d28cc13ccf8c43611a065ae82ccce25fd1b277026fb0434fa3f354b92323dd277f2a0126d1b0b859f8c7b6e53076b7e6

Download Submit
C:\Windows\{9E59C126-CC00-4f4e-9C37-3E76EBEA1862}.exe

Filesize
204KB

MD5
a437e8db4c9f5b18f7f0d1b7129f7469

SHA1
4885277e6408700b4b6127d9ae428691f119e2df

SHA256
abad1747376ce453ee57f26d0b85ea4852721f53e26c9d4522122edf121f7a23

SHA512
0ac2f3fdbbe649d52a3a227ba0ff806d52b37bebd4b7cd7e95dd7ef99ab99eae6ad38a2b94166cd82ec74fbcde767e70b93d22bda153e1e3390a5eea45bc6486

Download Submit
C:\Windows\{BC40C597-4B47-49e5-88C2-1E962B108732}.exe

Filesize
204KB

MD5
678da7eeec706f7879536694a46e77d2

SHA1
ce55c550ae63b6fe7ade5adc225209a726e0fd34

SHA256
b49a0a979c6f624f409dc5738565fd462f7f6513a6ccff6cf50ade8654ffd4c7

SHA512
6cf0f034a6252a61bed85b0dd39bf2317796826301b6a0ea48631287a0d74c899108568a5579274a799ac17051e2bc14d1dfaf5d6b8041114f4323128cca6f16

Download Submit
C:\Windows\{C10FD102-2B27-4e0b-A6F4-B4B1AF2A6D4B}.exe

Filesize
204KB

MD5
43a6931f4a1330a0b1355f74de4e3cd5

SHA1
79f8fc84c0fddd89c164d735c74f284c8366c7ce

SHA256
a852951e6109deeebe43f103b66d22720a7aaa8aae0da5a2709d8b279f7fa9f5

SHA512
3b32d20e92b613915d30e6f72867fe16b2232b8f4ca78b08f1f3faddfca47dc7a077b0710c76dc4e7f5ab638b22012261ff0f50de6b088b2e54ba69d2ffac2e1

Download Submit
C:\Windows\{C7FD9AF3-9E41-411c-B50A-0BA94BC56E54}.exe

Filesize
204KB

MD5
ebab98812e607eff360b383e73fec5da

SHA1
7a89f6ff782cf88e25730cd0b554f87aa6cfd16a

SHA256
4deb2b5c1de865b946da40b37cf426c0931068b005cf64cb0e54cc5f664f2bb9

SHA512
5a7d2f9e23c47c826573d67b8b0b4ebcd0083b94999b6aecea9b603fafe8f6bbbf074f73a42195742e920f528530db7bf985f52d8b8fb06f96a031a263a4e71b

Download Submit
C:\Windows\{CC428F76-3129-4886-ACF4-DD1700BC846A}.exe

Filesize
204KB

MD5
10cd928ea79b1fe10559911f6d153e2f

SHA1
bb6e5535299e67f6810dda332ebf448ee8b7ab4d

SHA256
8d7c7a46be71bdf178949ec2658572203a0943e4933a5ce43139b3734c5af48d

SHA512
189079f778895aa59d0819b96f532befb16ee3ef2e8d462ff5a7d3a36cb27d8bb356a4258ed4f4c23d2d97184e83f74e30b96ce40e84ac26d4b72cecb324b87b

Download Submit
C:\Windows\{CF302C58-330E-46b6-AF4C-515096CD80FA}.exe

Filesize
204KB

MD5
1984c1f978280d1347e597323f0f83fe

SHA1
83bd99d8a02b4745d46bd27f3bac3cb59ac19793

SHA256
e9845baffe82b7ec73da98662373c724be82975e18f531a09db03d7be797f393

SHA512
7dae405bfac9e7e0567125213b456357882024c7c64c366072d9c6de35fb58d65532eee49418723496e911f2af209b6ea4a4ea4a0cbfbcaff5e28491a2fdb2d6

Download Submit
C:\Windows\{F693271A-D500-44e5-B322-A084D5551795}.exe

Filesize
204KB

MD5
ea824e8546c234292a85ff3b9b4d5153

SHA1
66d838f7f7693fee45883594a6057c08b988c8f0

SHA256
60b80d014eee8f3abc74a02dc8969ef7068fea7bd94997ae30fc534d032cf3c6

SHA512
00d4e99094e8b060bc0252da02a0cbf2eb38b1fbdf45035dce1e034022fe7156f3a2ad2f50ad09b437168fafe03c1cf8de52165b3c1c85e236cd10a35a42c4db

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads