74af924ef49817a8c3faa6957e597388300a4e829bde8813d836784b39c1e815

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_5fab7a588ed5578467f9df0cd449cf5c_goldeneye.exe
Size

180KB
MD5

5fab7a588ed5578467f9df0cd449cf5c
SHA1

71f47554ae911854fa8f112347ab5e5ccb8f0a00
SHA256

74af924ef49817a8c3faa6957e597388300a4e829bde8813d836784b39c1e815
SHA512

9e7f40b76e834f861ebae0ffbd7706eec93e4c9286a270b06161efeb0fe9c3204d6469673ac0e23db4350171864e9d87c4126e66124e1586898c852c6a496c14
SSDEEP

3072:jEGh0oClfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGgl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012249-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012265-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012249-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000055a2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012249-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00130000000055a2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012249-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00140000000055a2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012249-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00150000000055a2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012249-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00160000000055a2-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05B2DA8C-617F-4bcb-AA37-938883F8F12E}	{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F53A5C61-5A98-4371-B214-6F63574F5496}	{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3493B7CE-6957-4358-A243-BC04130268B3}\stubpath = "C:\\Windows\\{3493B7CE-6957-4358-A243-BC04130268B3}.exe"	{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E26B826-D6F1-483e-9115-9061F5CEC65A}	{3493B7CE-6957-4358-A243-BC04130268B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B01C9E9D-D633-47d3-8C04-9F98E964B5A0}	{457398BD-CCCD-41e2-8CD9-60CEF1B4C97F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCFD11F7-B828-4094-93DC-CAA0914784D3}	{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCFD11F7-B828-4094-93DC-CAA0914784D3}\stubpath = "C:\\Windows\\{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe"	{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}\stubpath = "C:\\Windows\\{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe"	{F53A5C61-5A98-4371-B214-6F63574F5496}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{457398BD-CCCD-41e2-8CD9-60CEF1B4C97F}\stubpath = "C:\\Windows\\{457398BD-CCCD-41e2-8CD9-60CEF1B4C97F}.exe"	{7E26B826-D6F1-483e-9115-9061F5CEC65A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B01C9E9D-D633-47d3-8C04-9F98E964B5A0}\stubpath = "C:\\Windows\\{B01C9E9D-D633-47d3-8C04-9F98E964B5A0}.exe"	{457398BD-CCCD-41e2-8CD9-60CEF1B4C97F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75B25EA7-54F8-4e9a-B9F0-5C4E0F8D737F}	{B01C9E9D-D633-47d3-8C04-9F98E964B5A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50410AFD-EE99-4c34-AA50-39F1DBD8B2FE}\stubpath = "C:\\Windows\\{50410AFD-EE99-4c34-AA50-39F1DBD8B2FE}.exe"	{75B25EA7-54F8-4e9a-B9F0-5C4E0F8D737F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8234966-F743-4ae8-832B-5DE7ACDBC947}	2024-03-19_5fab7a588ed5578467f9df0cd449cf5c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}\stubpath = "C:\\Windows\\{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe"	{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3493B7CE-6957-4358-A243-BC04130268B3}	{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E26B826-D6F1-483e-9115-9061F5CEC65A}\stubpath = "C:\\Windows\\{7E26B826-D6F1-483e-9115-9061F5CEC65A}.exe"	{3493B7CE-6957-4358-A243-BC04130268B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75B25EA7-54F8-4e9a-B9F0-5C4E0F8D737F}\stubpath = "C:\\Windows\\{75B25EA7-54F8-4e9a-B9F0-5C4E0F8D737F}.exe"	{B01C9E9D-D633-47d3-8C04-9F98E964B5A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50410AFD-EE99-4c34-AA50-39F1DBD8B2FE}	{75B25EA7-54F8-4e9a-B9F0-5C4E0F8D737F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8234966-F743-4ae8-832B-5DE7ACDBC947}\stubpath = "C:\\Windows\\{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe"	2024-03-19_5fab7a588ed5578467f9df0cd449cf5c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05B2DA8C-617F-4bcb-AA37-938883F8F12E}\stubpath = "C:\\Windows\\{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe"	{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}	{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F53A5C61-5A98-4371-B214-6F63574F5496}\stubpath = "C:\\Windows\\{F53A5C61-5A98-4371-B214-6F63574F5496}.exe"	{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}	{F53A5C61-5A98-4371-B214-6F63574F5496}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{457398BD-CCCD-41e2-8CD9-60CEF1B4C97F}	{7E26B826-D6F1-483e-9115-9061F5CEC65A}.exe

Deletes itself 1 IoCs

pid	Process
2220	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
1640	{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe
2532	{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe
2524	{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe
2464	{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe
1604	{F53A5C61-5A98-4371-B214-6F63574F5496}.exe
2708	{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe
1228	{3493B7CE-6957-4358-A243-BC04130268B3}.exe
2812	{7E26B826-D6F1-483e-9115-9061F5CEC65A}.exe
944	{457398BD-CCCD-41e2-8CD9-60CEF1B4C97F}.exe
548	{B01C9E9D-D633-47d3-8C04-9F98E964B5A0}.exe
2176	{75B25EA7-54F8-4e9a-B9F0-5C4E0F8D737F}.exe
1528	{50410AFD-EE99-4c34-AA50-39F1DBD8B2FE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe	2024-03-19_5fab7a588ed5578467f9df0cd449cf5c_goldeneye.exe
File created	C:\Windows\{3493B7CE-6957-4358-A243-BC04130268B3}.exe	{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe
File created	C:\Windows\{75B25EA7-54F8-4e9a-B9F0-5C4E0F8D737F}.exe	{B01C9E9D-D633-47d3-8C04-9F98E964B5A0}.exe
File created	C:\Windows\{50410AFD-EE99-4c34-AA50-39F1DBD8B2FE}.exe	{75B25EA7-54F8-4e9a-B9F0-5C4E0F8D737F}.exe
File created	C:\Windows\{7E26B826-D6F1-483e-9115-9061F5CEC65A}.exe	{3493B7CE-6957-4358-A243-BC04130268B3}.exe
File created	C:\Windows\{457398BD-CCCD-41e2-8CD9-60CEF1B4C97F}.exe	{7E26B826-D6F1-483e-9115-9061F5CEC65A}.exe
File created	C:\Windows\{B01C9E9D-D633-47d3-8C04-9F98E964B5A0}.exe	{457398BD-CCCD-41e2-8CD9-60CEF1B4C97F}.exe
File created	C:\Windows\{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe	{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe
File created	C:\Windows\{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe	{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe
File created	C:\Windows\{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe	{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe
File created	C:\Windows\{F53A5C61-5A98-4371-B214-6F63574F5496}.exe	{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe
File created	C:\Windows\{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe	{F53A5C61-5A98-4371-B214-6F63574F5496}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1740	2024-03-19_5fab7a588ed5578467f9df0cd449cf5c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1640	{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe
Token: SeIncBasePriorityPrivilege	2532	{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe
Token: SeIncBasePriorityPrivilege	2524	{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe
Token: SeIncBasePriorityPrivilege	2464	{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe
Token: SeIncBasePriorityPrivilege	1604	{F53A5C61-5A98-4371-B214-6F63574F5496}.exe
Token: SeIncBasePriorityPrivilege	2708	{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe
Token: SeIncBasePriorityPrivilege	1228	{3493B7CE-6957-4358-A243-BC04130268B3}.exe
Token: SeIncBasePriorityPrivilege	2812	{7E26B826-D6F1-483e-9115-9061F5CEC65A}.exe
Token: SeIncBasePriorityPrivilege	944	{457398BD-CCCD-41e2-8CD9-60CEF1B4C97F}.exe
Token: SeIncBasePriorityPrivilege	548	{B01C9E9D-D633-47d3-8C04-9F98E964B5A0}.exe
Token: SeIncBasePriorityPrivilege	2176	{75B25EA7-54F8-4e9a-B9F0-5C4E0F8D737F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1640	1740	2024-03-19_5fab7a588ed5578467f9df0cd449cf5c_goldeneye.exe	28
PID 1740 wrote to memory of 1640	1740	2024-03-19_5fab7a588ed5578467f9df0cd449cf5c_goldeneye.exe	28
PID 1740 wrote to memory of 1640	1740	2024-03-19_5fab7a588ed5578467f9df0cd449cf5c_goldeneye.exe	28
PID 1740 wrote to memory of 1640	1740	2024-03-19_5fab7a588ed5578467f9df0cd449cf5c_goldeneye.exe	28
PID 1740 wrote to memory of 2220	1740	2024-03-19_5fab7a588ed5578467f9df0cd449cf5c_goldeneye.exe	29
PID 1740 wrote to memory of 2220	1740	2024-03-19_5fab7a588ed5578467f9df0cd449cf5c_goldeneye.exe	29
PID 1740 wrote to memory of 2220	1740	2024-03-19_5fab7a588ed5578467f9df0cd449cf5c_goldeneye.exe	29
PID 1740 wrote to memory of 2220	1740	2024-03-19_5fab7a588ed5578467f9df0cd449cf5c_goldeneye.exe	29
PID 1640 wrote to memory of 2532	1640	{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe	30
PID 1640 wrote to memory of 2532	1640	{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe	30
PID 1640 wrote to memory of 2532	1640	{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe	30
PID 1640 wrote to memory of 2532	1640	{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe	30
PID 1640 wrote to memory of 2624	1640	{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe	31
PID 1640 wrote to memory of 2624	1640	{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe	31
PID 1640 wrote to memory of 2624	1640	{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe	31
PID 1640 wrote to memory of 2624	1640	{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe	31
PID 2532 wrote to memory of 2524	2532	{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe	34
PID 2532 wrote to memory of 2524	2532	{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe	34
PID 2532 wrote to memory of 2524	2532	{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe	34
PID 2532 wrote to memory of 2524	2532	{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe	34
PID 2532 wrote to memory of 2660	2532	{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe	35
PID 2532 wrote to memory of 2660	2532	{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe	35
PID 2532 wrote to memory of 2660	2532	{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe	35
PID 2532 wrote to memory of 2660	2532	{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe	35
PID 2524 wrote to memory of 2464	2524	{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe	36
PID 2524 wrote to memory of 2464	2524	{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe	36
PID 2524 wrote to memory of 2464	2524	{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe	36
PID 2524 wrote to memory of 2464	2524	{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe	36
PID 2524 wrote to memory of 2544	2524	{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe	37
PID 2524 wrote to memory of 2544	2524	{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe	37
PID 2524 wrote to memory of 2544	2524	{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe	37
PID 2524 wrote to memory of 2544	2524	{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe	37
PID 2464 wrote to memory of 1604	2464	{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe	38
PID 2464 wrote to memory of 1604	2464	{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe	38
PID 2464 wrote to memory of 1604	2464	{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe	38
PID 2464 wrote to memory of 1604	2464	{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe	38
PID 2464 wrote to memory of 2760	2464	{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe	39
PID 2464 wrote to memory of 2760	2464	{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe	39
PID 2464 wrote to memory of 2760	2464	{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe	39
PID 2464 wrote to memory of 2760	2464	{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe	39
PID 1604 wrote to memory of 2708	1604	{F53A5C61-5A98-4371-B214-6F63574F5496}.exe	40
PID 1604 wrote to memory of 2708	1604	{F53A5C61-5A98-4371-B214-6F63574F5496}.exe	40
PID 1604 wrote to memory of 2708	1604	{F53A5C61-5A98-4371-B214-6F63574F5496}.exe	40
PID 1604 wrote to memory of 2708	1604	{F53A5C61-5A98-4371-B214-6F63574F5496}.exe	40
PID 1604 wrote to memory of 1104	1604	{F53A5C61-5A98-4371-B214-6F63574F5496}.exe	41
PID 1604 wrote to memory of 1104	1604	{F53A5C61-5A98-4371-B214-6F63574F5496}.exe	41
PID 1604 wrote to memory of 1104	1604	{F53A5C61-5A98-4371-B214-6F63574F5496}.exe	41
PID 1604 wrote to memory of 1104	1604	{F53A5C61-5A98-4371-B214-6F63574F5496}.exe	41
PID 2708 wrote to memory of 1228	2708	{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe	42
PID 2708 wrote to memory of 1228	2708	{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe	42
PID 2708 wrote to memory of 1228	2708	{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe	42
PID 2708 wrote to memory of 1228	2708	{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe	42
PID 2708 wrote to memory of 1868	2708	{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe	43
PID 2708 wrote to memory of 1868	2708	{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe	43
PID 2708 wrote to memory of 1868	2708	{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe	43
PID 2708 wrote to memory of 1868	2708	{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe	43
PID 1228 wrote to memory of 2812	1228	{3493B7CE-6957-4358-A243-BC04130268B3}.exe	44
PID 1228 wrote to memory of 2812	1228	{3493B7CE-6957-4358-A243-BC04130268B3}.exe	44
PID 1228 wrote to memory of 2812	1228	{3493B7CE-6957-4358-A243-BC04130268B3}.exe	44
PID 1228 wrote to memory of 2812	1228	{3493B7CE-6957-4358-A243-BC04130268B3}.exe	44
PID 1228 wrote to memory of 1160	1228	{3493B7CE-6957-4358-A243-BC04130268B3}.exe	45
PID 1228 wrote to memory of 1160	1228	{3493B7CE-6957-4358-A243-BC04130268B3}.exe	45
PID 1228 wrote to memory of 1160	1228	{3493B7CE-6957-4358-A243-BC04130268B3}.exe	45
PID 1228 wrote to memory of 1160	1228	{3493B7CE-6957-4358-A243-BC04130268B3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-19_5fab7a588ed5578467f9df0cd449cf5c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_5fab7a588ed5578467f9df0cd449cf5c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe
  C:\Windows\{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe
    C:\Windows\{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe
      C:\Windows\{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe
        
        C:\Windows\{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
      - C:\Windows\{F53A5C61-5A98-4371-B214-6F63574F5496}.exe
        
        C:\Windows\{F53A5C61-5A98-4371-B214-6F63574F5496}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe
        
        C:\Windows\{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\{3493B7CE-6957-4358-A243-BC04130268B3}.exe
        
        C:\Windows\{3493B7CE-6957-4358-A243-BC04130268B3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\{7E26B826-D6F1-483e-9115-9061F5CEC65A}.exe
        
        C:\Windows\{7E26B826-D6F1-483e-9115-9061F5CEC65A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\{457398BD-CCCD-41e2-8CD9-60CEF1B4C97F}.exe
        
        C:\Windows\{457398BD-CCCD-41e2-8CD9-60CEF1B4C97F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\{B01C9E9D-D633-47d3-8C04-9F98E964B5A0}.exe
        
        C:\Windows\{B01C9E9D-D633-47d3-8C04-9F98E964B5A0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\{75B25EA7-54F8-4e9a-B9F0-5C4E0F8D737F}.exe
        
        C:\Windows\{75B25EA7-54F8-4e9a-B9F0-5C4E0F8D737F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\{50410AFD-EE99-4c34-AA50-39F1DBD8B2FE}.exe
        
        C:\Windows\{50410AFD-EE99-4c34-AA50-39F1DBD8B2FE}.exe
        13⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75B25~1.EXE > nul
        13⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B01C9~1.EXE > nul
        12⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45739~1.EXE > nul
        11⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E26B~1.EXE > nul
        10⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3493B~1.EXE > nul
        9⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC599~1.EXE > nul
        8⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F53A5~1.EXE > nul
        7⤵
        
        PID:1104
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCFD1~1.EXE > nul
        6⤵
        
        PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEC55~1.EXE > nul
        5⤵
        
        PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{05B2D~1.EXE > nul
      4⤵
      PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E8234~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05B2DA8C-617F-4bcb-AA37-938883F8F12E}.exe

Filesize
180KB

MD5
ce1cffb19fe68c29b66b28ced3b762ab

SHA1
c7f2721d86c2ce3c3dda6defda371b9b015e0761

SHA256
690e7412d2aec41a6b13c997462600907cef2cf0d708ff72300958ee1b1728e7

SHA512
b950f01cf6c7258d210494a51d184927cca460748687d3695e17ee2c17b4d4b8103cee16b491588f6c7c6d2937833f36de76358db030e8429267b19c280d7315

Download Submit
C:\Windows\{3493B7CE-6957-4358-A243-BC04130268B3}.exe

Filesize
180KB

MD5
d3221f1fa26f933306957feb049a53d8

SHA1
be8ceb5c9ba2bd1f848e640b45b9d6a7c8f14fb2

SHA256
7a32beb2fcf08ecde831a1d6191f00ad56a3a8877fb706c35a840caceb810489

SHA512
1bfa060335e725cad0c084e8e17ec3efa4a658d9a13dcab71e7155b0c2bf52abbb2c2c47ad9179c6ce1a3bfd64d17f19b7cfccbafd7bf9ab562e628c99a1a8ec

Download Submit
C:\Windows\{457398BD-CCCD-41e2-8CD9-60CEF1B4C97F}.exe

Filesize
180KB

MD5
d3f1303ecbb227505bd39e0a6433a977

SHA1
b7610a8684aa0c90d126d07f1ae79bb81753bf78

SHA256
04a885b5473df2c4d6a23cf50523b5b2e4f1c7c95e2853b1b2573dd9d411db65

SHA512
e1e04785777e3aa11e81b2b7310e4a29008e22c06f7215f141952cc3fae0022e28078f7ca1d1c0113a8bbedaef5de97ffe1b482f56de3f323ec56b3b43115c1b

Download Submit
C:\Windows\{50410AFD-EE99-4c34-AA50-39F1DBD8B2FE}.exe

Filesize
180KB

MD5
97bb9fab9b772f81e157561bbcb42a3d

SHA1
a3861a6c1151b39e680fcf083e4f80f9790fd537

SHA256
b213137a01f577c270fe49fb70fa6160a1b4a49e84dd15f1ca0078aa43b1a9cf

SHA512
dda2d22440cdcf35e96eea151d04095ee4a1929cfb2660a91ff36fe1f06209bde84e84b8e0d28c2a4055ebc06e0db42a5429469c3cecf60b90a4b4fe6bff0e70

Download Submit
C:\Windows\{75B25EA7-54F8-4e9a-B9F0-5C4E0F8D737F}.exe

Filesize
180KB

MD5
7cbe7d0d38700777f5a80b38f29c5afe

SHA1
64b8f22b5d97c8805395d2d1c1f685a045781bf6

SHA256
e2de0012ce9cec4c141af2f2a2f6ba7d722ded4da10f4179a3574de16eb4e910

SHA512
d8d86e28c5bb39bf1631cef9354550889940c64947d39dd8310247379431f21dbf6ee0221caaf59a4c4cc45c20f4df0614e801a5f905162e08f4358467d65cd7

Download Submit
C:\Windows\{7E26B826-D6F1-483e-9115-9061F5CEC65A}.exe

Filesize
180KB

MD5
d1ec74d78bec8e0d18417e36ecc20e50

SHA1
e4bfb2d654c6c9f851cc93e1f776be464d34449a

SHA256
ec744b7a29daee37b0259466d1e588806a72a91b548b52c172ca5794458e208e

SHA512
8bc139cadb221e9af5212f0f177a2aa3c804cca5e370b334c66194153eab75a908273a4709cc29882cc794f1ad6e6aad9558dc10bb2e8dc8d51085f25e15993f

Download Submit
C:\Windows\{AC5999E1-C20D-45b2-BF4F-EF6AC254253C}.exe

Filesize
180KB

MD5
41deaeac8248f1fc1aa8defbdef80d23

SHA1
f408929d47f881a2370b8375764c95c63b6282ab

SHA256
ed938322461f288a3c9f37d7ff1749f22b5ce179528944a50ae6d5deefeda9d8

SHA512
94c5472293271f144abe10c48727f632c4d2f8fb547dddcc28d66a1a4193fb59af0499efc104a96044a31ea1e7c997f4748b6f111b12a8d594895359a79120f1

Download Submit
C:\Windows\{AEC550AF-235C-4c07-9A5A-BACDBA8BD7AF}.exe

Filesize
180KB

MD5
d01d58119de7f42348cb9f9c932a710f

SHA1
cbcd5b6063616346f6da815aa8d2abd3a32574d0

SHA256
90d70b283b844f4b0e46daf3c23d1f985f42689fbfc008cfed300f0a94aeff58

SHA512
d4759e52512bf2b8211caefa5610034aa7de6d31216c9d35e62a0fa52bce43eafb01055e795d812ed4d9bb452122c5d5a683b2bf9d65263b255216d34f73beb3

Download Submit
C:\Windows\{B01C9E9D-D633-47d3-8C04-9F98E964B5A0}.exe

Filesize
180KB

MD5
52b8411ba028f7c2f6e2255953636669

SHA1
9a37a87ff2ff71500ed787691a886658e3eb0775

SHA256
2da6fd7c9800651f448b5b8a84aefa1ed4400ef6a7b16c3ea2a74396037690d5

SHA512
8dbf083b3fa77389f358259f9866d81a086769942729be80fb04d28d0044609740f532d1ffd40e713fcc777727d8790c46aba837ffab33e9375b0dd64bb0e3dc

Download Submit
C:\Windows\{BCFD11F7-B828-4094-93DC-CAA0914784D3}.exe

Filesize
180KB

MD5
81d1be5c7112597b4032340aa40959ad

SHA1
d396a9912ccc0c6b2efd6ead87b249e266993e5c

SHA256
a462ad9cf8fd346b7e8809689434c2b13a576bc5f000732eba80932de31798dc

SHA512
c8177893a0933671ba4fbefcb059baff67785b2ca77986b06ace15d7cb6b2f51455fde8af84f58b513f3e030861677367d77f286684596c321def853c657817b

Download Submit
C:\Windows\{E8234966-F743-4ae8-832B-5DE7ACDBC947}.exe

Filesize
180KB

MD5
3d3044cca79b0d3a54bdfd3a82102bcf

SHA1
f7a995c23d23917876c196f790f3022a4a5ee8da

SHA256
918de10b66b5e438b41de1596b3e2debbe689e63009ea568e7cbc8a19b879c68

SHA512
e5ca7e8d0b7861b49be9462f8a6e048bc63c6db65945c49b334ec71905806a46ed5bec5648773f1038d07f0edac694ae8dcb16d09603be08a2416922ae65f3af

Download Submit
C:\Windows\{F53A5C61-5A98-4371-B214-6F63574F5496}.exe

Filesize
180KB

MD5
0670810c758b7887c47089f5066f42fb

SHA1
e67c23f70e75c80f96bd85d85a95607e4e0e5c7d

SHA256
6fe05cba87a417f3b17fbccfd67fedc3a094c53cf34367e33a62d9d49c8605db

SHA512
6e5c59306c27c2a997a48ba1819c07415622fee00561854e465363e5cb055f6859632fca8efe0f7d0620aac0c08a71e8450e846b4f2d0a8930ade7182e51cba7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads