f6b6d58a1466a0e833d8add1484e13fab9df9ebe17f53958973a1e0898844b20

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_1767c591ffb7955b482d6cb2750a34c7_goldeneye.exe
Size

168KB
MD5

1767c591ffb7955b482d6cb2750a34c7
SHA1

981d4e7b40602d378922266cdb7475feb3a38708
SHA256

f6b6d58a1466a0e833d8add1484e13fab9df9ebe17f53958973a1e0898844b20
SHA512

6f98e57f8f1125ee585de2667d204d64e8c61b522c09ff3c19801adb96a88289a69944736fcc08c04a4d178b580577928d4a4071289c481eeaf909c7ccaa4cd7
SSDEEP

1536:1EGh0oVli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oVliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012251-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00040000000130fc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000015e9c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00050000000130fc-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00060000000130fc-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000130fc-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000130fc-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000130fc-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed7-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62165800-5825-4df0-8A9A-E0BA850C4DD6}	{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05A1F7DA-A6A5-48d6-8B01-192FE13B378D}\stubpath = "C:\\Windows\\{05A1F7DA-A6A5-48d6-8B01-192FE13B378D}.exe"	{62165800-5825-4df0-8A9A-E0BA850C4DD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B064233F-B48C-4d2c-B232-07835F1A81D4}	{05A1F7DA-A6A5-48d6-8B01-192FE13B378D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B018B9E-0A68-44d5-B2EE-87789D04C683}	{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}	{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}\stubpath = "C:\\Windows\\{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe"	{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46A1C071-2F28-4347-BBA1-5B10E54F3486}	{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46A1C071-2F28-4347-BBA1-5B10E54F3486}\stubpath = "C:\\Windows\\{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe"	{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}	{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62165800-5825-4df0-8A9A-E0BA850C4DD6}\stubpath = "C:\\Windows\\{62165800-5825-4df0-8A9A-E0BA850C4DD6}.exe"	{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD65C337-7464-4d7d-A0F1-81796E6D71BE}\stubpath = "C:\\Windows\\{AD65C337-7464-4d7d-A0F1-81796E6D71BE}.exe"	{B064233F-B48C-4d2c-B232-07835F1A81D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}	2024-03-15_1767c591ffb7955b482d6cb2750a34c7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}\stubpath = "C:\\Windows\\{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe"	2024-03-15_1767c591ffb7955b482d6cb2750a34c7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FC9D523-0557-4b15-9B38-A936232F25AC}\stubpath = "C:\\Windows\\{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe"	{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B018B9E-0A68-44d5-B2EE-87789D04C683}\stubpath = "C:\\Windows\\{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe"	{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}\stubpath = "C:\\Windows\\{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe"	{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B064233F-B48C-4d2c-B232-07835F1A81D4}\stubpath = "C:\\Windows\\{B064233F-B48C-4d2c-B232-07835F1A81D4}.exe"	{05A1F7DA-A6A5-48d6-8B01-192FE13B378D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD65C337-7464-4d7d-A0F1-81796E6D71BE}	{B064233F-B48C-4d2c-B232-07835F1A81D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA95B0AD-F62E-40f1-B092-427E820DA730}\stubpath = "C:\\Windows\\{BA95B0AD-F62E-40f1-B092-427E820DA730}.exe"	{AD65C337-7464-4d7d-A0F1-81796E6D71BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FC9D523-0557-4b15-9B38-A936232F25AC}	{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}\stubpath = "C:\\Windows\\{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe"	{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}	{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05A1F7DA-A6A5-48d6-8B01-192FE13B378D}	{62165800-5825-4df0-8A9A-E0BA850C4DD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA95B0AD-F62E-40f1-B092-427E820DA730}	{AD65C337-7464-4d7d-A0F1-81796E6D71BE}.exe

Deletes itself 1 IoCs

pid	Process
2568	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
1996	{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe
2764	{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe
2504	{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe
2800	{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe
3000	{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe
2664	{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe
632	{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe
2836	{62165800-5825-4df0-8A9A-E0BA850C4DD6}.exe
1356	{05A1F7DA-A6A5-48d6-8B01-192FE13B378D}.exe
2052	{B064233F-B48C-4d2c-B232-07835F1A81D4}.exe
1604	{AD65C337-7464-4d7d-A0F1-81796E6D71BE}.exe
2292	{BA95B0AD-F62E-40f1-B092-427E820DA730}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AD65C337-7464-4d7d-A0F1-81796E6D71BE}.exe	{B064233F-B48C-4d2c-B232-07835F1A81D4}.exe
File created	C:\Windows\{BA95B0AD-F62E-40f1-B092-427E820DA730}.exe	{AD65C337-7464-4d7d-A0F1-81796E6D71BE}.exe
File created	C:\Windows\{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe	{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe
File created	C:\Windows\{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe	{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe
File created	C:\Windows\{62165800-5825-4df0-8A9A-E0BA850C4DD6}.exe	{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe
File created	C:\Windows\{B064233F-B48C-4d2c-B232-07835F1A81D4}.exe	{05A1F7DA-A6A5-48d6-8B01-192FE13B378D}.exe
File created	C:\Windows\{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe	{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe
File created	C:\Windows\{05A1F7DA-A6A5-48d6-8B01-192FE13B378D}.exe	{62165800-5825-4df0-8A9A-E0BA850C4DD6}.exe
File created	C:\Windows\{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe	2024-03-15_1767c591ffb7955b482d6cb2750a34c7_goldeneye.exe
File created	C:\Windows\{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe	{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe
File created	C:\Windows\{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe	{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe
File created	C:\Windows\{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe	{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1424	2024-03-15_1767c591ffb7955b482d6cb2750a34c7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1996	{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe
Token: SeIncBasePriorityPrivilege	2764	{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe
Token: SeIncBasePriorityPrivilege	2504	{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe
Token: SeIncBasePriorityPrivilege	2800	{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe
Token: SeIncBasePriorityPrivilege	3000	{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe
Token: SeIncBasePriorityPrivilege	2664	{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe
Token: SeIncBasePriorityPrivilege	632	{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe
Token: SeIncBasePriorityPrivilege	2836	{62165800-5825-4df0-8A9A-E0BA850C4DD6}.exe
Token: SeIncBasePriorityPrivilege	1356	{05A1F7DA-A6A5-48d6-8B01-192FE13B378D}.exe
Token: SeIncBasePriorityPrivilege	2052	{B064233F-B48C-4d2c-B232-07835F1A81D4}.exe
Token: SeIncBasePriorityPrivilege	1604	{AD65C337-7464-4d7d-A0F1-81796E6D71BE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1996	1424	2024-03-15_1767c591ffb7955b482d6cb2750a34c7_goldeneye.exe	28
PID 1424 wrote to memory of 1996	1424	2024-03-15_1767c591ffb7955b482d6cb2750a34c7_goldeneye.exe	28
PID 1424 wrote to memory of 1996	1424	2024-03-15_1767c591ffb7955b482d6cb2750a34c7_goldeneye.exe	28
PID 1424 wrote to memory of 1996	1424	2024-03-15_1767c591ffb7955b482d6cb2750a34c7_goldeneye.exe	28
PID 1424 wrote to memory of 2568	1424	2024-03-15_1767c591ffb7955b482d6cb2750a34c7_goldeneye.exe	29
PID 1424 wrote to memory of 2568	1424	2024-03-15_1767c591ffb7955b482d6cb2750a34c7_goldeneye.exe	29
PID 1424 wrote to memory of 2568	1424	2024-03-15_1767c591ffb7955b482d6cb2750a34c7_goldeneye.exe	29
PID 1424 wrote to memory of 2568	1424	2024-03-15_1767c591ffb7955b482d6cb2750a34c7_goldeneye.exe	29
PID 1996 wrote to memory of 2764	1996	{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe	30
PID 1996 wrote to memory of 2764	1996	{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe	30
PID 1996 wrote to memory of 2764	1996	{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe	30
PID 1996 wrote to memory of 2764	1996	{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe	30
PID 1996 wrote to memory of 2436	1996	{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe	31
PID 1996 wrote to memory of 2436	1996	{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe	31
PID 1996 wrote to memory of 2436	1996	{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe	31
PID 1996 wrote to memory of 2436	1996	{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe	31
PID 2764 wrote to memory of 2504	2764	{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe	34
PID 2764 wrote to memory of 2504	2764	{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe	34
PID 2764 wrote to memory of 2504	2764	{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe	34
PID 2764 wrote to memory of 2504	2764	{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe	34
PID 2764 wrote to memory of 3048	2764	{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe	35
PID 2764 wrote to memory of 3048	2764	{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe	35
PID 2764 wrote to memory of 3048	2764	{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe	35
PID 2764 wrote to memory of 3048	2764	{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe	35
PID 2504 wrote to memory of 2800	2504	{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe	36
PID 2504 wrote to memory of 2800	2504	{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe	36
PID 2504 wrote to memory of 2800	2504	{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe	36
PID 2504 wrote to memory of 2800	2504	{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe	36
PID 2504 wrote to memory of 700	2504	{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe	37
PID 2504 wrote to memory of 700	2504	{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe	37
PID 2504 wrote to memory of 700	2504	{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe	37
PID 2504 wrote to memory of 700	2504	{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe	37
PID 2800 wrote to memory of 3000	2800	{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe	38
PID 2800 wrote to memory of 3000	2800	{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe	38
PID 2800 wrote to memory of 3000	2800	{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe	38
PID 2800 wrote to memory of 3000	2800	{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe	38
PID 2800 wrote to memory of 2988	2800	{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe	39
PID 2800 wrote to memory of 2988	2800	{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe	39
PID 2800 wrote to memory of 2988	2800	{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe	39
PID 2800 wrote to memory of 2988	2800	{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe	39
PID 3000 wrote to memory of 2664	3000	{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe	40
PID 3000 wrote to memory of 2664	3000	{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe	40
PID 3000 wrote to memory of 2664	3000	{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe	40
PID 3000 wrote to memory of 2664	3000	{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe	40
PID 3000 wrote to memory of 1932	3000	{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe	41
PID 3000 wrote to memory of 1932	3000	{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe	41
PID 3000 wrote to memory of 1932	3000	{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe	41
PID 3000 wrote to memory of 1932	3000	{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe	41
PID 2664 wrote to memory of 632	2664	{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe	42
PID 2664 wrote to memory of 632	2664	{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe	42
PID 2664 wrote to memory of 632	2664	{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe	42
PID 2664 wrote to memory of 632	2664	{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe	42
PID 2664 wrote to memory of 2604	2664	{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe	43
PID 2664 wrote to memory of 2604	2664	{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe	43
PID 2664 wrote to memory of 2604	2664	{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe	43
PID 2664 wrote to memory of 2604	2664	{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe	43
PID 632 wrote to memory of 2836	632	{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe	44
PID 632 wrote to memory of 2836	632	{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe	44
PID 632 wrote to memory of 2836	632	{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe	44
PID 632 wrote to memory of 2836	632	{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe	44
PID 632 wrote to memory of 2824	632	{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe	45
PID 632 wrote to memory of 2824	632	{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe	45
PID 632 wrote to memory of 2824	632	{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe	45
PID 632 wrote to memory of 2824	632	{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-15_1767c591ffb7955b482d6cb2750a34c7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_1767c591ffb7955b482d6cb2750a34c7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe
  C:\Windows\{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe
    C:\Windows\{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe
      C:\Windows\{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe
        
        C:\Windows\{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Windows\{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe
        
        C:\Windows\{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe
        
        C:\Windows\{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe
        
        C:\Windows\{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\{62165800-5825-4df0-8A9A-E0BA850C4DD6}.exe
        
        C:\Windows\{62165800-5825-4df0-8A9A-E0BA850C4DD6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\{05A1F7DA-A6A5-48d6-8B01-192FE13B378D}.exe
        
        C:\Windows\{05A1F7DA-A6A5-48d6-8B01-192FE13B378D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\{B064233F-B48C-4d2c-B232-07835F1A81D4}.exe
        
        C:\Windows\{B064233F-B48C-4d2c-B232-07835F1A81D4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\{AD65C337-7464-4d7d-A0F1-81796E6D71BE}.exe
        
        C:\Windows\{AD65C337-7464-4d7d-A0F1-81796E6D71BE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\{BA95B0AD-F62E-40f1-B092-427E820DA730}.exe
        
        C:\Windows\{BA95B0AD-F62E-40f1-B092-427E820DA730}.exe
        13⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD65C~1.EXE > nul
        13⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0642~1.EXE > nul
        12⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05A1F~1.EXE > nul
        11⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62165~1.EXE > nul
        10⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46A1C~1.EXE > nul
        9⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9C4F~1.EXE > nul
        8⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBFFB~1.EXE > nul
        7⤵
        
        PID:1932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C56A3~1.EXE > nul
        6⤵
        
        PID:2988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B018~1.EXE > nul
        5⤵
        
        PID:700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2FC9D~1.EXE > nul
      4⤵
      PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{09B8E~1.EXE > nul
    3⤵
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05A1F7DA-A6A5-48d6-8B01-192FE13B378D}.exe

Filesize
147KB

MD5
fd3925b926341b150fb5ff7c97f7d120

SHA1
897e251b01cf0a2d1f769365f515c51af3e07b6d

SHA256
4ba2387fec4a76cb21f669b48fd2f9164088c4d8016c6009f44b3286bcfd2070

SHA512
f0e1b8f170c4a14f6b5b81f05644a0b354b71183dd32d53b206eb117ca2fc86c6028e3a66d2726cae09bd7ded23d010e37de89916108a6af575fbbc02cb74190

Download Submit
C:\Windows\{05A1F7DA-A6A5-48d6-8B01-192FE13B378D}.exe

Filesize
168KB

MD5
9333df6daf07ecb2823b643f1df4ad58

SHA1
3d74b8139d7741ad9458c67b4974d67ec5412378

SHA256
2222b3f38adf67940b7de899e52d6b5f3bc460f586281c451b653821f39786ec

SHA512
1ccb5e87ecbcadf733ea2e029774cc8b624444cb6af54005e3d7dccc660aeff40e1cb54ffa47d5f05f3ea371c144c7bea876bf10aa664f28c2c0e0b06c95fa80

Download Submit
C:\Windows\{09B8E7E4-ED1C-4b4d-9AFF-F9D9D1084D3D}.exe

Filesize
168KB

MD5
ea50e33a861a3b6a25c9c04af5f22a11

SHA1
d159009be7cba3eea61a4692d975fad25f31955d

SHA256
e91bab73c86dacd3144b8b299d819a845390a2d1336b1814072f29376beb344c

SHA512
aa8c372f7f57a790c652052e7d7258f79b1d0e5ab28d634151e32ffd8eda5ad024c59be8414824fe66f26b0d6796e2bcf91b7186ddaa27904a717cdf1f3c1781

Download Submit
C:\Windows\{0B018B9E-0A68-44d5-B2EE-87789D04C683}.exe

Filesize
168KB

MD5
65daa6a731d57922bbd964fa9ccca023

SHA1
48e0a3fa9797d3431cfde5099d050972d7cf63ff

SHA256
156bbc5607cf2c4df1d9e57ee1c0fe17eb387129f45fdc0df5a94d2772fc4968

SHA512
aba3bb1558f9230c978a25eedae830a659cfc37b43d96e55a6b91e0e15c544d29ecc8f32e5ce32e09315ef684740f1e956aa92ebe703a39a17446646cdc85711

Download Submit
C:\Windows\{2FC9D523-0557-4b15-9B38-A936232F25AC}.exe

Filesize
168KB

MD5
70f0aa8b75475619816abbf92862bfcf

SHA1
b1c1ad0dc11e08d79646090961a15c3cb6720af6

SHA256
8066395d58b1560ddb2185ec7d9e6779f3f1e974a647c5924f839e52458cd90e

SHA512
3ff0017911e517fb06432ef64e0b98141ee6943c4a656c117e986ee0064118dcdd469380ae098e965fcdd096bf23e76b1c1d434182cd12ff622e24e08a99a203

Download Submit
C:\Windows\{46A1C071-2F28-4347-BBA1-5B10E54F3486}.exe

Filesize
168KB

MD5
10080d8cfa4be3ec45d677c2c56f56d7

SHA1
e967a4379b126a7a252d75aa342b5ddc7f201270

SHA256
f5d090ac91bd5fe390b653fc388858031b76170c99cfbe884015df7841e9ce4b

SHA512
a6702db8c164a5a1b49b3bd7b8496ac991a59f8496e1361f45cb9a378f0e9ee3b38379f523f1787270253647b40e3aca3e8c8e6534255301d97389595be0293d

Download Submit
C:\Windows\{62165800-5825-4df0-8A9A-E0BA850C4DD6}.exe

Filesize
168KB

MD5
1f720db198f4d8fb7394cc251dab021e

SHA1
32a315e11aceacb8dffeee17ffa427fefd36fbce

SHA256
967d9a8342258de0e01c70f2a5833785766e40518acae3e6768c0de41eb6f703

SHA512
0606b2c82c9f9449a978a9bd2728b7b327ed7b17b5359bca8adff96c158fb9efac2eb506d4d5c83ca4ca1204e9f69913be44938eb24fce464ad83470af515134

Download Submit
C:\Windows\{AD65C337-7464-4d7d-A0F1-81796E6D71BE}.exe

Filesize
168KB

MD5
7e31f1258dd714e85fd807178bc8036f

SHA1
8f3a648a1ad54bd9b32140fc983dd4d2dd5e9da9

SHA256
954c2034c986cfc9805e412139fc166ef74636c80deb0fb45b4d2fa2bbde3718

SHA512
7ae27dff47ec6a5a683aac14c6cf2d27d2d9f22918daa87c2bfa94dce9f4c41adf64021154a011da73f39f3d2d5d64d5634a1db7d4a9816664e6e05e5d373e90

Download Submit
C:\Windows\{B064233F-B48C-4d2c-B232-07835F1A81D4}.exe

Filesize
168KB

MD5
a0dbc5e629dbc21f054e195841714b67

SHA1
54627172ed929945172ae87cc4f87cb9e87ed876

SHA256
3aeaec67090c5fd3c639ba93ef15457b23ca03f3f0d8f07a366ba2472d862b5a

SHA512
a60ab9d37b9b23adf437d8c7b7963a254b657ecbae448c88b4aa2c8b7f2a9a040da2d0b6532ec48ad83bf80c0bcf33905a308aa5cbbe8b172999eed158aa474d

Download Submit
C:\Windows\{BA95B0AD-F62E-40f1-B092-427E820DA730}.exe

Filesize
168KB

MD5
bc27d892066fd25e2c53d4357159c4d1

SHA1
c86fa055c211e5ab3151e1c4100fe3d95e1ee663

SHA256
74a45f605e2a50dd40b804e3d9b39df705e7e85c2f22339c06f9da66d613f03c

SHA512
1a13d149d4670adbdf06a33ec902477c9655a0fd8d2a9efd12b2fa9e3cf11bcb4e9435530d981c97dfba6fa117b0cf76550b9a53b4358ceb04816095d8e5b3e1

Download Submit
C:\Windows\{C56A333C-C7FC-451c-B7CC-87C4F7C11F8D}.exe

Filesize
168KB

MD5
64f68857f21c2fe9fd946d7ab17bb989

SHA1
74dba15f44e7fa8b865858c8757467df980c85b1

SHA256
a64628b6dad768cfcdf072bd640ba5dfccd47a9fad287078cd37d0329d74ebdd

SHA512
b924dcb113d36664557c140c6c7a6216fc9be5fe2c9d574252745d6768db656fdcd31e28c0d90f066e7eb5409f7e01c9cac5d518bc6c1892372319101819c7ce

Download Submit
C:\Windows\{DBFFB72E-5C85-460b-BEB8-E028AD1E006E}.exe

Filesize
168KB

MD5
ee8bcb4c6a50d43a930e42cc19888620

SHA1
670866dfa7a02e133669051254686cf5f1b8660c

SHA256
172ea9227c858651533e0e2f506e76a4c6074a9d5df63b23e2ae23c73f516326

SHA512
fcde01d1de249fdf9d314304f6382ed86d7ae80646a0cabdfdd8636e58eb44abd7d8877e694c9e24630e51c6b0265e5f73ba9b25a67c1d93bf8fb4fac0d2b209

Download Submit
C:\Windows\{E9C4F59F-F976-41ce-A3FC-460DBD0B384D}.exe

Filesize
168KB

MD5
212ff4ce6f98bbb022f93e1d6c39fdbb

SHA1
be2be6f6db3d40634cc2ca210c2c6e1575f2b8d8

SHA256
142137f85c3b00e76922d4d7d34dfe5226cdeb59f068abf9b93b0584087f4c8f

SHA512
664c4a34134afeabb87eda4214124f2afa7b850ee053febce78f530c170be86093098506be434d6abb4ced4b6fd7280e2d7970e700832ff475c72b9944f3eedb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads