25fbd137fbe7aa263038728ab4956fdf032402ff0d8464650b4f0dfa1c1fe216

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 00:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_cee876fe9234879e9cffb08d9af6d647_goldeneye.exe
Size

197KB
MD5

cee876fe9234879e9cffb08d9af6d647
SHA1

2ee1f4751f9302f21f6c9d12aab29845a7b14f53
SHA256

25fbd137fbe7aa263038728ab4956fdf032402ff0d8464650b4f0dfa1c1fe216
SHA512

d148de841ae115be9398b819a1e50375d8f87cf2f4a202f5f33c271731280cf27ee5ba5cb4198fa6e65e6636853e4a184bafd49edfb9d167549f1aae46ee7796
SSDEEP

3072:jEGh0oTl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGJlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015c4e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0015000000015cf9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002500000000b1f4-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002600000000b1f4-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed8-48.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002700000000b1f4-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed8-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002800000000b1f4-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed8-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002900000000b1f4-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}\stubpath = "C:\\Windows\\{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe"	{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}	{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93E06B19-83E4-4342-9B02-FFD9DE58DE71}\stubpath = "C:\\Windows\\{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe"	{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85C12066-99DE-4b61-8534-1019C7E4829C}\stubpath = "C:\\Windows\\{85C12066-99DE-4b61-8534-1019C7E4829C}.exe"	{19B17A18-ADF8-4ef4-8FC0-638B2A4F568C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}	{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}	{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}\stubpath = "C:\\Windows\\{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe"	{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BACCD658-BB6D-4345-B9EB-B0800088FEF4}\stubpath = "C:\\Windows\\{BACCD658-BB6D-4345-B9EB-B0800088FEF4}.exe"	{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19B17A18-ADF8-4ef4-8FC0-638B2A4F568C}\stubpath = "C:\\Windows\\{19B17A18-ADF8-4ef4-8FC0-638B2A4F568C}.exe"	{082E833B-4115-487f-AF30-16A107381ABE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58A31E9D-EC06-4674-A618-D19E830D0CC1}	{85C12066-99DE-4b61-8534-1019C7E4829C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19B17A18-ADF8-4ef4-8FC0-638B2A4F568C}	{082E833B-4115-487f-AF30-16A107381ABE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D55EDC23-5D70-4284-B914-E9E0D3C33447}	2024-03-15_cee876fe9234879e9cffb08d9af6d647_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}	{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93E06B19-83E4-4342-9B02-FFD9DE58DE71}	{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}\stubpath = "C:\\Windows\\{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe"	{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}	{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{082E833B-4115-487f-AF30-16A107381ABE}	{BACCD658-BB6D-4345-B9EB-B0800088FEF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{082E833B-4115-487f-AF30-16A107381ABE}\stubpath = "C:\\Windows\\{082E833B-4115-487f-AF30-16A107381ABE}.exe"	{BACCD658-BB6D-4345-B9EB-B0800088FEF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85C12066-99DE-4b61-8534-1019C7E4829C}	{19B17A18-ADF8-4ef4-8FC0-638B2A4F568C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D55EDC23-5D70-4284-B914-E9E0D3C33447}\stubpath = "C:\\Windows\\{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe"	2024-03-15_cee876fe9234879e9cffb08d9af6d647_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}\stubpath = "C:\\Windows\\{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe"	{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}\stubpath = "C:\\Windows\\{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe"	{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BACCD658-BB6D-4345-B9EB-B0800088FEF4}	{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58A31E9D-EC06-4674-A618-D19E830D0CC1}\stubpath = "C:\\Windows\\{58A31E9D-EC06-4674-A618-D19E830D0CC1}.exe"	{85C12066-99DE-4b61-8534-1019C7E4829C}.exe

Executes dropped EXE 12 IoCs

pid	Process
1640	{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe
2448	{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe
2408	{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe
2928	{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe
2040	{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe
2788	{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe
2504	{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe
2812	{BACCD658-BB6D-4345-B9EB-B0800088FEF4}.exe
1944	{082E833B-4115-487f-AF30-16A107381ABE}.exe
300	{19B17A18-ADF8-4ef4-8FC0-638B2A4F568C}.exe
2384	{85C12066-99DE-4b61-8534-1019C7E4829C}.exe
1072	{58A31E9D-EC06-4674-A618-D19E830D0CC1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe	2024-03-15_cee876fe9234879e9cffb08d9af6d647_goldeneye.exe
File created	C:\Windows\{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe	{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe
File created	C:\Windows\{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe	{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe
File created	C:\Windows\{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe	{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe
File created	C:\Windows\{BACCD658-BB6D-4345-B9EB-B0800088FEF4}.exe	{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe
File created	C:\Windows\{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe	{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe
File created	C:\Windows\{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe	{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe
File created	C:\Windows\{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe	{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe
File created	C:\Windows\{082E833B-4115-487f-AF30-16A107381ABE}.exe	{BACCD658-BB6D-4345-B9EB-B0800088FEF4}.exe
File created	C:\Windows\{19B17A18-ADF8-4ef4-8FC0-638B2A4F568C}.exe	{082E833B-4115-487f-AF30-16A107381ABE}.exe
File created	C:\Windows\{85C12066-99DE-4b61-8534-1019C7E4829C}.exe	{19B17A18-ADF8-4ef4-8FC0-638B2A4F568C}.exe
File created	C:\Windows\{58A31E9D-EC06-4674-A618-D19E830D0CC1}.exe	{85C12066-99DE-4b61-8534-1019C7E4829C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2348	2024-03-15_cee876fe9234879e9cffb08d9af6d647_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1640	{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe
Token: SeIncBasePriorityPrivilege	2448	{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe
Token: SeIncBasePriorityPrivilege	2408	{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe
Token: SeIncBasePriorityPrivilege	2928	{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe
Token: SeIncBasePriorityPrivilege	2040	{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe
Token: SeIncBasePriorityPrivilege	2788	{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe
Token: SeIncBasePriorityPrivilege	2504	{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe
Token: SeIncBasePriorityPrivilege	2812	{BACCD658-BB6D-4345-B9EB-B0800088FEF4}.exe
Token: SeIncBasePriorityPrivilege	1944	{082E833B-4115-487f-AF30-16A107381ABE}.exe
Token: SeIncBasePriorityPrivilege	300	{19B17A18-ADF8-4ef4-8FC0-638B2A4F568C}.exe
Token: SeIncBasePriorityPrivilege	2384	{85C12066-99DE-4b61-8534-1019C7E4829C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1640	2348	2024-03-15_cee876fe9234879e9cffb08d9af6d647_goldeneye.exe	28
PID 2348 wrote to memory of 1640	2348	2024-03-15_cee876fe9234879e9cffb08d9af6d647_goldeneye.exe	28
PID 2348 wrote to memory of 1640	2348	2024-03-15_cee876fe9234879e9cffb08d9af6d647_goldeneye.exe	28
PID 2348 wrote to memory of 1640	2348	2024-03-15_cee876fe9234879e9cffb08d9af6d647_goldeneye.exe	28
PID 2348 wrote to memory of 2508	2348	2024-03-15_cee876fe9234879e9cffb08d9af6d647_goldeneye.exe	29
PID 2348 wrote to memory of 2508	2348	2024-03-15_cee876fe9234879e9cffb08d9af6d647_goldeneye.exe	29
PID 2348 wrote to memory of 2508	2348	2024-03-15_cee876fe9234879e9cffb08d9af6d647_goldeneye.exe	29
PID 2348 wrote to memory of 2508	2348	2024-03-15_cee876fe9234879e9cffb08d9af6d647_goldeneye.exe	29
PID 1640 wrote to memory of 2448	1640	{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe	32
PID 1640 wrote to memory of 2448	1640	{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe	32
PID 1640 wrote to memory of 2448	1640	{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe	32
PID 1640 wrote to memory of 2448	1640	{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe	32
PID 1640 wrote to memory of 2756	1640	{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe	33
PID 1640 wrote to memory of 2756	1640	{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe	33
PID 1640 wrote to memory of 2756	1640	{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe	33
PID 1640 wrote to memory of 2756	1640	{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe	33
PID 2448 wrote to memory of 2408	2448	{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe	34
PID 2448 wrote to memory of 2408	2448	{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe	34
PID 2448 wrote to memory of 2408	2448	{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe	34
PID 2448 wrote to memory of 2408	2448	{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe	34
PID 2448 wrote to memory of 2472	2448	{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe	35
PID 2448 wrote to memory of 2472	2448	{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe	35
PID 2448 wrote to memory of 2472	2448	{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe	35
PID 2448 wrote to memory of 2472	2448	{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe	35
PID 2408 wrote to memory of 2928	2408	{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe	36
PID 2408 wrote to memory of 2928	2408	{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe	36
PID 2408 wrote to memory of 2928	2408	{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe	36
PID 2408 wrote to memory of 2928	2408	{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe	36
PID 2408 wrote to memory of 1628	2408	{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe	37
PID 2408 wrote to memory of 1628	2408	{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe	37
PID 2408 wrote to memory of 1628	2408	{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe	37
PID 2408 wrote to memory of 1628	2408	{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe	37
PID 2928 wrote to memory of 2040	2928	{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe	38
PID 2928 wrote to memory of 2040	2928	{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe	38
PID 2928 wrote to memory of 2040	2928	{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe	38
PID 2928 wrote to memory of 2040	2928	{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe	38
PID 2928 wrote to memory of 2692	2928	{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe	39
PID 2928 wrote to memory of 2692	2928	{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe	39
PID 2928 wrote to memory of 2692	2928	{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe	39
PID 2928 wrote to memory of 2692	2928	{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe	39
PID 2040 wrote to memory of 2788	2040	{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe	40
PID 2040 wrote to memory of 2788	2040	{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe	40
PID 2040 wrote to memory of 2788	2040	{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe	40
PID 2040 wrote to memory of 2788	2040	{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe	40
PID 2040 wrote to memory of 812	2040	{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe	41
PID 2040 wrote to memory of 812	2040	{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe	41
PID 2040 wrote to memory of 812	2040	{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe	41
PID 2040 wrote to memory of 812	2040	{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe	41
PID 2788 wrote to memory of 2504	2788	{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe	42
PID 2788 wrote to memory of 2504	2788	{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe	42
PID 2788 wrote to memory of 2504	2788	{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe	42
PID 2788 wrote to memory of 2504	2788	{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe	42
PID 2788 wrote to memory of 680	2788	{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe	43
PID 2788 wrote to memory of 680	2788	{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe	43
PID 2788 wrote to memory of 680	2788	{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe	43
PID 2788 wrote to memory of 680	2788	{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe	43
PID 2504 wrote to memory of 2812	2504	{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe	44
PID 2504 wrote to memory of 2812	2504	{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe	44
PID 2504 wrote to memory of 2812	2504	{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe	44
PID 2504 wrote to memory of 2812	2504	{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe	44
PID 2504 wrote to memory of 2736	2504	{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe	45
PID 2504 wrote to memory of 2736	2504	{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe	45
PID 2504 wrote to memory of 2736	2504	{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe	45
PID 2504 wrote to memory of 2736	2504	{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-15_cee876fe9234879e9cffb08d9af6d647_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_cee876fe9234879e9cffb08d9af6d647_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe
  C:\Windows\{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe
    C:\Windows\{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe
      C:\Windows\{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe
        
        C:\Windows\{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
      - C:\Windows\{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe
        
        C:\Windows\{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe
        
        C:\Windows\{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe
        
        C:\Windows\{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\{BACCD658-BB6D-4345-B9EB-B0800088FEF4}.exe
        
        C:\Windows\{BACCD658-BB6D-4345-B9EB-B0800088FEF4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\{082E833B-4115-487f-AF30-16A107381ABE}.exe
        
        C:\Windows\{082E833B-4115-487f-AF30-16A107381ABE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\{19B17A18-ADF8-4ef4-8FC0-638B2A4F568C}.exe
        
        C:\Windows\{19B17A18-ADF8-4ef4-8FC0-638B2A4F568C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
        
        C:\Windows\{85C12066-99DE-4b61-8534-1019C7E4829C}.exe
        
        C:\Windows\{85C12066-99DE-4b61-8534-1019C7E4829C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\{58A31E9D-EC06-4674-A618-D19E830D0CC1}.exe
        
        C:\Windows\{58A31E9D-EC06-4674-A618-D19E830D0CC1}.exe
        13⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85C12~1.EXE > nul
        13⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19B17~1.EXE > nul
        12⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{082E8~1.EXE > nul
        11⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BACCD~1.EXE > nul
        10⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41EAA~1.EXE > nul
        9⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2FC7~1.EXE > nul
        8⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93E06~1.EXE > nul
        7⤵
        
        PID:812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7C2A~1.EXE > nul
        6⤵
        
        PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF92B~1.EXE > nul
        5⤵
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{53190~1.EXE > nul
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D55ED~1.EXE > nul
    3⤵
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{082E833B-4115-487f-AF30-16A107381ABE}.exe

Filesize
197KB

MD5
19995a64ddd96083a608088c983d1058

SHA1
518f81ba4d0413c77f796d256db9e397248ce81a

SHA256
1986cd6de4c5442b806658ba2ba39703f917dedbdebabfe621f839789dff2f0b

SHA512
bb25bd965fe38ca1e8926e4fa455a81dd15d3b5afc69c6d1436521cf9b607797ee77418fad05e1dde3575d66320a3e4627162235776e28a1370b78a22ae9638e

Download Submit
C:\Windows\{19B17A18-ADF8-4ef4-8FC0-638B2A4F568C}.exe

Filesize
197KB

MD5
bb7ad116d13fc5a0fc963f9f77aa58e9

SHA1
6bc883cc8c88a17821d1a25b039e67555432e67b

SHA256
718c73d36bac6012c7098b6f1afb1a9cef2f99265e093b16a30bab48b96237d2

SHA512
69b90876830657dc7f5104bdd00f763aabcce4777739f9ce21fd701364238f24b3ce08723fee8771064bb40972070379e24d6f47a182cc1c36dcdc82a625f591

Download Submit
C:\Windows\{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe

Filesize
85KB

MD5
4594f548dba2bae460371be2b5268633

SHA1
2ea391021b1b1b7271edd7558aede90ded031f29

SHA256
6c83087fe2a00376d0892bc60203c475f2b89cfc9a3abe7aff0678ef53098a10

SHA512
76069abd1f4414888d0c4b37560c1e864b588803b09e01fff9cd9d454ebea77adf316d94cd58ef2ac0c3ba907ffa2b3781ebf4d2ba4fb219343a82bd08d25c30

Download Submit
C:\Windows\{41EAA94E-7D2F-47f5-B9F7-73AE9BF65879}.exe

Filesize
197KB

MD5
1029fc3a653c37025f28aebadde76409

SHA1
81d49580821b9350f918717b6eb2d8bd60aab9ce

SHA256
5ea4418e1bf9d5e26644966974640a0bab949bc847a6ffce121ed69daacf9287

SHA512
508f233f3651922cdc3d400cd84750f68b74c8bd67b744734b65105f435994b667d18dea50702df8518152e340b4239b6b07245c60fb439540dca787bf09c9be

Download Submit
C:\Windows\{53190D7D-5BDF-4c84-9E52-CB5B7527A6D2}.exe

Filesize
197KB

MD5
317e110bf3689f8f2103367e8736c37d

SHA1
224ed6475091b1b7e59c2c95d183557a9ee232c8

SHA256
e7b64c9c4e79c3059e22bb13fadaef4be122d39562959d10df9f3c7d3b0f6558

SHA512
475005face7072891627d081db7faf06fa289c8a89493f5b0ace0c2b7e0f692b1fead9fadbf0033d7461279bd8facfb39b6027f235e7a35ebe93937daddcdf08

Download Submit
C:\Windows\{58A31E9D-EC06-4674-A618-D19E830D0CC1}.exe

Filesize
197KB

MD5
1a3f1359a88b305cd18184ba2c7973af

SHA1
dc6731a96c4a03ce797a73281b8139941ac4b2dd

SHA256
488f9b1dc4dc78e76c9060912722d6e4116a53206f1b1e931222eb415b2b1640

SHA512
871218e5d8186f132cfcddc29e06c4af36a47fff23bd17a1b68821d8e2287fef4ba8462d4d5ac041c9daa2cefb9a35941e40b00016c7e8b69489241667b5d6d1

Download Submit
C:\Windows\{85C12066-99DE-4b61-8534-1019C7E4829C}.exe

Filesize
197KB

MD5
654e3a32d528c01bf9e40fc4c0445b7b

SHA1
e7a50fbe36a7d7b96868ddee1ecdaa5f6bce538c

SHA256
4db4b9e96ca34604a30decc59be30e7f200055cdf9d69196164728c80a25f763

SHA512
df87c7a76d945d36dfafabfabcac3677b0bc8389756274eb39e051cae3fd7b434f5446e4548043e2f90f16d544b6d2ff5adde0cef9b58d5e18d659bc7a66209f

Download Submit
C:\Windows\{93E06B19-83E4-4342-9B02-FFD9DE58DE71}.exe

Filesize
197KB

MD5
a7ba12439e523fb85085cbdf21dded70

SHA1
35c37b39e0e7eb92c861e487215a903ae65ce32f

SHA256
a224a2faf7d83559fa0f1c072df6d650ffc88d6a1561985d637107b9290138ad

SHA512
8695ca7d64f53a4fa078896f2f5ea09de8a381b53c0b554ed2672d58bcd5a9e316db01895e9befca723006796e53b1c5a760d9e0c312119ad7f022276509583b

Download Submit
C:\Windows\{BACCD658-BB6D-4345-B9EB-B0800088FEF4}.exe

Filesize
197KB

MD5
4c6e7096e48e1ea3f2bbf50d444d6639

SHA1
473188d7e02d0d11ba6e02fed299fea7f2694fdf

SHA256
0837bcb876c6a7660066d7bbda04dd538987e4c6f042447db1ad22a0bf0602c5

SHA512
409f8670c1eb5eb3a043c4fe56e058102563be5066d74ddca15df02da52307f64c9c362a5421cd927d45d84f29ec524273475c20d058911554ff0cc7b6d06d81

Download Submit
C:\Windows\{D2FC7C22-A425-48aa-AD7B-AA3CDD6DF3FF}.exe

Filesize
197KB

MD5
99db9092b7bb64e5b6acccae5ec16f3d

SHA1
e2c47878d6a6c6392020b88b3ca87cb285e94351

SHA256
aebac60c920fcd060b46f8762908a08ad8621009d8112e14f572b4af5096ac58

SHA512
f818e50d12fd37987547498ea70ce9bd6b773eb0c32085b11a38f95c5ccb58d1cb4b76d87067c6a12e60ac68b3ce9fde7eaf0aa6ff885a7dcbcffd0c1e53e7fb

Download Submit
C:\Windows\{D55EDC23-5D70-4284-B914-E9E0D3C33447}.exe

Filesize
197KB

MD5
801b9d96847c6458338bc7f9196d860f

SHA1
918eba4a11adab349452d4fd86fbf52c16211e4e

SHA256
61f56cf408bec3ca61dffa582eca7717232e973f2d548cc5bf4abaa196e86b17

SHA512
3f95e2e3a0baa5dc4549d965e5a88b37f7cfe65f029534e80d32e3147b77fabc91fe1476b0ceab4de5ac7f99b4eb1817f446e45ee64f1954a93adfa0f800704b

Download Submit
C:\Windows\{D7C2AA84-A0AE-4403-935C-DDDBAD20A457}.exe

Filesize
197KB

MD5
2634d371914a659551514f9782212954

SHA1
c15058944bffb47da1fa7394180759150cee28d4

SHA256
4d690a1ecd257a82a82e7b95c725ed46c7c60fc71bc1074fb87d7eb8a61ad825

SHA512
6c77409712d730b8fa648f57f5e09712255342b2edd759402e307b3ab8a3f59eb5c7342d51fda282f975502ff9f8d57cc4a87f753c57a79b7264f72e38546215

Download Submit
C:\Windows\{FF92B483-7BE5-4365-98DE-6DDDE6DFDAF2}.exe

Filesize
197KB

MD5
401378b43dac46b4e2bd438ed56cd6bd

SHA1
6d88905b672c8dc73ad9257c3c48f0f18bc236a9

SHA256
205232c9af14544fce5d2b1a5384bc943ea38930faf314cb2e570eebab020e18

SHA512
4fc166cd3d784ef9f817e1d71ed6b22b0164538cd7b0ce9a0742dcefdb6591f33ae2d4273383ec089a9c921d8fa799824b44072b39a001e91a08dd2eb83d0969

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads