8ce01d7b24d0a14f904f29150094de8b96cb5a8306d166b0fbb866f899d3e617

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-04-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe
Size

408KB
MD5

27ea3b252482e9d439c34ff3f987631e
SHA1

e3ba08fc6774908c0ef5619b79eb4380b2818d9e
SHA256

8ce01d7b24d0a14f904f29150094de8b96cb5a8306d166b0fbb866f899d3e617
SHA512

fae06a6facbe57875bb08033c726fba4e1455f15545bb90ebb8eea0f89201f8d2c44a0171be6d83402db63b47a4257c5898dabaa9ad163e1c5d7dc1a6f5dfd83
SSDEEP

3072:CEGh0oEl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGildOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8EF24833-7BD5-439a-8200-561294520AF5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{90F35489-35A2-4c56-A7F5-35E905A55797}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C5B083C9-42F0-41c3-B894-A8E95239EF6D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EBD2472A-0DC3-4cb6-8C4C-3C9A52CB1685}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe{C5B083C9-42F0-41c3-B894-A8E95239EF6D}.exe{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}.exe{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe{8EF24833-7BD5-439a-8200-561294520AF5}.exe{90F35489-35A2-4c56-A7F5-35E905A55797}.exe2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBD7CDB0-57F3-4b90-B806-5623092D1998}	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBD7CDB0-57F3-4b90-B806-5623092D1998}\stubpath = "C:\\Windows\\{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe"	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EF24833-7BD5-439a-8200-561294520AF5}\stubpath = "C:\\Windows\\{8EF24833-7BD5-439a-8200-561294520AF5}.exe"	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}	{C5B083C9-42F0-41c3-B894-A8E95239EF6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}\stubpath = "C:\\Windows\\{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}.exe"	{C5B083C9-42F0-41c3-B894-A8E95239EF6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBD2472A-0DC3-4cb6-8C4C-3C9A52CB1685}	{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}\stubpath = "C:\\Windows\\{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe"	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90F35489-35A2-4c56-A7F5-35E905A55797}\stubpath = "C:\\Windows\\{90F35489-35A2-4c56-A7F5-35E905A55797}.exe"	{8EF24833-7BD5-439a-8200-561294520AF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5B083C9-42F0-41c3-B894-A8E95239EF6D}\stubpath = "C:\\Windows\\{C5B083C9-42F0-41c3-B894-A8E95239EF6D}.exe"	{90F35489-35A2-4c56-A7F5-35E905A55797}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90F35489-35A2-4c56-A7F5-35E905A55797}	{8EF24833-7BD5-439a-8200-561294520AF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}\stubpath = "C:\\Windows\\{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe"	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EF24833-7BD5-439a-8200-561294520AF5}	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5B083C9-42F0-41c3-B894-A8E95239EF6D}	{90F35489-35A2-4c56-A7F5-35E905A55797}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91DE390E-FADF-43a2-A851-35AA237FE6AB}	2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91DE390E-FADF-43a2-A851-35AA237FE6AB}\stubpath = "C:\\Windows\\{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe"	2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}\stubpath = "C:\\Windows\\{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe"	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}\stubpath = "C:\\Windows\\{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe"	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBD2472A-0DC3-4cb6-8C4C-3C9A52CB1685}\stubpath = "C:\\Windows\\{EBD2472A-0DC3-4cb6-8C4C-3C9A52CB1685}.exe"	{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}.exe

Executes dropped EXE 11 IoCs

Processes:

{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe{8EF24833-7BD5-439a-8200-561294520AF5}.exe{90F35489-35A2-4c56-A7F5-35E905A55797}.exe{C5B083C9-42F0-41c3-B894-A8E95239EF6D}.exe{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}.exe{EBD2472A-0DC3-4cb6-8C4C-3C9A52CB1685}.exe

pid	process
2528	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe
2544	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe
2464	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe
2416	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe
2536	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe
1624	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe
2188	{8EF24833-7BD5-439a-8200-561294520AF5}.exe
2488	{90F35489-35A2-4c56-A7F5-35E905A55797}.exe
620	{C5B083C9-42F0-41c3-B894-A8E95239EF6D}.exe
2132	{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}.exe
2128	{EBD2472A-0DC3-4cb6-8C4C-3C9A52CB1685}.exe

Drops file in Windows directory 11 IoCs

Processes:

{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}.exe2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe{8EF24833-7BD5-439a-8200-561294520AF5}.exe{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe{90F35489-35A2-4c56-A7F5-35E905A55797}.exe{C5B083C9-42F0-41c3-B894-A8E95239EF6D}.exe

description	ioc	process
File created	C:\Windows\{EBD2472A-0DC3-4cb6-8C4C-3C9A52CB1685}.exe	{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}.exe
File created	C:\Windows\{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe	2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe
File created	C:\Windows\{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe
File created	C:\Windows\{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe
File created	C:\Windows\{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe
File created	C:\Windows\{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe
File created	C:\Windows\{8EF24833-7BD5-439a-8200-561294520AF5}.exe	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe
File created	C:\Windows\{90F35489-35A2-4c56-A7F5-35E905A55797}.exe	{8EF24833-7BD5-439a-8200-561294520AF5}.exe
File created	C:\Windows\{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe
File created	C:\Windows\{C5B083C9-42F0-41c3-B894-A8E95239EF6D}.exe	{90F35489-35A2-4c56-A7F5-35E905A55797}.exe
File created	C:\Windows\{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}.exe	{C5B083C9-42F0-41c3-B894-A8E95239EF6D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe{8EF24833-7BD5-439a-8200-561294520AF5}.exe{90F35489-35A2-4c56-A7F5-35E905A55797}.exe{C5B083C9-42F0-41c3-B894-A8E95239EF6D}.exe{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1900	2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2528	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe
Token: SeIncBasePriorityPrivilege	2544	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe
Token: SeIncBasePriorityPrivilege	2464	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe
Token: SeIncBasePriorityPrivilege	2416	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe
Token: SeIncBasePriorityPrivilege	2536	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe
Token: SeIncBasePriorityPrivilege	1624	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe
Token: SeIncBasePriorityPrivilege	2188	{8EF24833-7BD5-439a-8200-561294520AF5}.exe
Token: SeIncBasePriorityPrivilege	2488	{90F35489-35A2-4c56-A7F5-35E905A55797}.exe
Token: SeIncBasePriorityPrivilege	620	{C5B083C9-42F0-41c3-B894-A8E95239EF6D}.exe
Token: SeIncBasePriorityPrivilege	2132	{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1900 wrote to memory of 2528	1900	2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe
PID 1900 wrote to memory of 2528	1900	2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe
PID 1900 wrote to memory of 2528	1900	2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe
PID 1900 wrote to memory of 2528	1900	2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe
PID 1900 wrote to memory of 2312	1900	2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe	cmd.exe
PID 1900 wrote to memory of 2312	1900	2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe	cmd.exe
PID 1900 wrote to memory of 2312	1900	2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe	cmd.exe
PID 1900 wrote to memory of 2312	1900	2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe	cmd.exe
PID 2528 wrote to memory of 2544	2528	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe
PID 2528 wrote to memory of 2544	2528	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe
PID 2528 wrote to memory of 2544	2528	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe
PID 2528 wrote to memory of 2544	2528	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe
PID 2528 wrote to memory of 2680	2528	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe	cmd.exe
PID 2528 wrote to memory of 2680	2528	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe	cmd.exe
PID 2528 wrote to memory of 2680	2528	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe	cmd.exe
PID 2528 wrote to memory of 2680	2528	{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe	cmd.exe
PID 2544 wrote to memory of 2464	2544	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe
PID 2544 wrote to memory of 2464	2544	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe
PID 2544 wrote to memory of 2464	2544	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe
PID 2544 wrote to memory of 2464	2544	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe
PID 2544 wrote to memory of 2572	2544	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe	cmd.exe
PID 2544 wrote to memory of 2572	2544	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe	cmd.exe
PID 2544 wrote to memory of 2572	2544	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe	cmd.exe
PID 2544 wrote to memory of 2572	2544	{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe	cmd.exe
PID 2464 wrote to memory of 2416	2464	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe
PID 2464 wrote to memory of 2416	2464	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe
PID 2464 wrote to memory of 2416	2464	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe
PID 2464 wrote to memory of 2416	2464	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe
PID 2464 wrote to memory of 2212	2464	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe	cmd.exe
PID 2464 wrote to memory of 2212	2464	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe	cmd.exe
PID 2464 wrote to memory of 2212	2464	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe	cmd.exe
PID 2464 wrote to memory of 2212	2464	{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe	cmd.exe
PID 2416 wrote to memory of 2536	2416	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe
PID 2416 wrote to memory of 2536	2416	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe
PID 2416 wrote to memory of 2536	2416	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe
PID 2416 wrote to memory of 2536	2416	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe
PID 2416 wrote to memory of 2876	2416	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe	cmd.exe
PID 2416 wrote to memory of 2876	2416	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe	cmd.exe
PID 2416 wrote to memory of 2876	2416	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe	cmd.exe
PID 2416 wrote to memory of 2876	2416	{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe	cmd.exe
PID 2536 wrote to memory of 1624	2536	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe
PID 2536 wrote to memory of 1624	2536	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe
PID 2536 wrote to memory of 1624	2536	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe
PID 2536 wrote to memory of 1624	2536	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe
PID 2536 wrote to memory of 1920	2536	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe	cmd.exe
PID 2536 wrote to memory of 1920	2536	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe	cmd.exe
PID 2536 wrote to memory of 1920	2536	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe	cmd.exe
PID 2536 wrote to memory of 1920	2536	{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe	cmd.exe
PID 1624 wrote to memory of 2188	1624	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe	{8EF24833-7BD5-439a-8200-561294520AF5}.exe
PID 1624 wrote to memory of 2188	1624	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe	{8EF24833-7BD5-439a-8200-561294520AF5}.exe
PID 1624 wrote to memory of 2188	1624	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe	{8EF24833-7BD5-439a-8200-561294520AF5}.exe
PID 1624 wrote to memory of 2188	1624	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe	{8EF24833-7BD5-439a-8200-561294520AF5}.exe
PID 1624 wrote to memory of 664	1624	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe	cmd.exe
PID 1624 wrote to memory of 664	1624	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe	cmd.exe
PID 1624 wrote to memory of 664	1624	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe	cmd.exe
PID 1624 wrote to memory of 664	1624	{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe	cmd.exe
PID 2188 wrote to memory of 2488	2188	{8EF24833-7BD5-439a-8200-561294520AF5}.exe	{90F35489-35A2-4c56-A7F5-35E905A55797}.exe
PID 2188 wrote to memory of 2488	2188	{8EF24833-7BD5-439a-8200-561294520AF5}.exe	{90F35489-35A2-4c56-A7F5-35E905A55797}.exe
PID 2188 wrote to memory of 2488	2188	{8EF24833-7BD5-439a-8200-561294520AF5}.exe	{90F35489-35A2-4c56-A7F5-35E905A55797}.exe
PID 2188 wrote to memory of 2488	2188	{8EF24833-7BD5-439a-8200-561294520AF5}.exe	{90F35489-35A2-4c56-A7F5-35E905A55797}.exe
PID 2188 wrote to memory of 1060	2188	{8EF24833-7BD5-439a-8200-561294520AF5}.exe	cmd.exe
PID 2188 wrote to memory of 1060	2188	{8EF24833-7BD5-439a-8200-561294520AF5}.exe	cmd.exe
PID 2188 wrote to memory of 1060	2188	{8EF24833-7BD5-439a-8200-561294520AF5}.exe	cmd.exe
PID 2188 wrote to memory of 1060	2188	{8EF24833-7BD5-439a-8200-561294520AF5}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-03_27ea3b252482e9d439c34ff3f987631e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe
C:\Windows\{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe
C:\Windows\{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe
C:\Windows\{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe
C:\Windows\{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe
C:\Windows\{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe
C:\Windows\{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\{8EF24833-7BD5-439a-8200-561294520AF5}.exe
C:\Windows\{8EF24833-7BD5-439a-8200-561294520AF5}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\{90F35489-35A2-4c56-A7F5-35E905A55797}.exe
C:\Windows\{90F35489-35A2-4c56-A7F5-35E905A55797}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\{C5B083C9-42F0-41c3-B894-A8E95239EF6D}.exe
C:\Windows\{C5B083C9-42F0-41c3-B894-A8E95239EF6D}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}.exe
C:\Windows\{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\{EBD2472A-0DC3-4cb6-8C4C-3C9A52CB1685}.exe
C:\Windows\{EBD2472A-0DC3-4cb6-8C4C-3C9A52CB1685}.exe
12⤵
- Executes dropped EXE
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D2AE8~1.EXE > nul
12⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C5B08~1.EXE > nul
11⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{90F35~1.EXE > nul
10⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8EF24~1.EXE > nul
9⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9F3EE~1.EXE > nul
8⤵
PID:664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EBD7C~1.EXE > nul
7⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{07586~1.EXE > nul
6⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2A1F4~1.EXE > nul
5⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{74EF5~1.EXE > nul
4⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{91DE3~1.EXE > nul
3⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2312

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{075860B2-4DE0-4cc6-8AB2-BCF9037F577C}.exe
Filesize
408KB

MD5
f9327b58c95f132c9d06e7bad135c378

SHA1
8c50df61c259892f76248198848660f3a65d518c

SHA256
22c80204c7e9c39eaa3c064efeb65bd8129a29ad9d34a61f4b40cc015d5643bd

SHA512
3128079d04ad765676959d18f72e41763c1ed2b95ffc6bfb8fe2a86778eb0c73f7621d497c7c17c98f596c3b88f9c68c28cdac8eb796cd69be89dece3f1b724c

Download Submit
C:\Windows\{2A1F4907-B61D-4ce0-B63A-EA67C1FE8242}.exe
Filesize
408KB

MD5
81268cf135fdfe31376256264f222753

SHA1
caa9679187253fc0daeac98558f5103abcc5e4ef

SHA256
5caa8b1d75cf2c13bbf3baa24daebc8736ce487799c4d0102d875c71787f1b31

SHA512
afca6a090129b470ffdb6ab3a8ceeb77d227ec6d75c95e3f06fd8c0b5fce16a1d727ef73a4521bf1918304f08ff5691967d8027049596560be9a92dd9e6e3208

Download Submit
C:\Windows\{74EF5FCE-89CA-40c6-BD6D-4B86BD293A71}.exe
Filesize
408KB

MD5
1999f0a3aed6b03abeaadcb789a127a5

SHA1
55ebf779d43cb4ae6f64b544fb775466b532c181

SHA256
bc917f5959e2bfe291c8e4028cb4be843d004d9032d10b4300d7ed3e80e1b5ca

SHA512
f563d681af9899170022ef306caf0cadb39af80ea447e76693062680e7bf281ea7f72be54a2d0e97d7ff51bef7c379a66a6ab03d8dfeecd5ba3d6170d2f6efc4

Download Submit
C:\Windows\{8EF24833-7BD5-439a-8200-561294520AF5}.exe
Filesize
408KB

MD5
fa01d1f970f764dbe7da4a6e0cedc50e

SHA1
1b1553f9071fb923a83d2b0a3d5b5ef81285abde

SHA256
6ae1de514949fcc370774f183b2af7f2a0924a8ef876135e54cfdee9a6830fd4

SHA512
18e3aec0acf0d737b815721ad6ac6cd1bc50a5c5c1a68bc2a3e4ba5ccfe6c72038debf7b392eff3926d68187159a9504a9f6db81e582ce545ff985e342a2eb7f

Download Submit
C:\Windows\{90F35489-35A2-4c56-A7F5-35E905A55797}.exe
Filesize
408KB

MD5
23d6bf48722e5aa8811652347267ec99

SHA1
5b5b6968d38aa35c63edc516bf4c370446112e43

SHA256
27a5a72c5c364cefc29e725b42bb755652208c16a87ece17077a799406464441

SHA512
668357bbbc11db79deeb4522d634419f5dab08a005a9b87d8959e5a56aaac607941807b2813f12e9ab707b69f0165a52a18680c9159c74de0e2103055f036cfb

Download Submit
C:\Windows\{91DE390E-FADF-43a2-A851-35AA237FE6AB}.exe
Filesize
408KB

MD5
9faea6aa4a4cdc6eade4cb027451f377

SHA1
eac3a3641a31f4cd6e6af1ded137a6d318014d04

SHA256
ae98d18950d895d29f826cf36554afaf0fe484d05cd4acfaf864574c458ae84d

SHA512
791ab9e32e7d0ec140a873b9e37bf9670d0462c8e979d6d00d8e46a06f682f923934ad7da99bef29c5bf97573d35a3cfe27755635e65b3bf4a03190d05c0c113

Download Submit
C:\Windows\{9F3EE9C5-AD7A-4340-940F-E5D8714B5308}.exe
Filesize
408KB

MD5
919e882f10e948421aeeb90f0d9c6d8a

SHA1
f8616e08bce9e255e71a2589d80aec4a973fbb60

SHA256
2b73fbaab498c4619124972406a0795b9529093cbd704024e78337ac18dcd6d2

SHA512
a7fee68956307f663c1dda2f6560ef7c787a34ebdfc033798414720cac29f63fbdd9be66cd311ac4b18e05f6c453d659bae05db4977348a587e6022810199a51

Download Submit
C:\Windows\{C5B083C9-42F0-41c3-B894-A8E95239EF6D}.exe
Filesize
408KB

MD5
1374166e3ac0d7b8c1f2e67dd349bae3

SHA1
7efeeaf2eaace2d4ac803a5653ca86b64455a0b7

SHA256
b218f05e26c44c9244ee6cd9450f1693e81b57466d02695447c638ee743bd322

SHA512
6523bc739ec3a7ecb96b7965a771412ab29e2262aa007a757d2b4f1ab01e425aad6ba4fd8fa021058a011cd0a62dc6aa29d7dd10f7a00c57916a3c4855ced369

Download Submit
C:\Windows\{D2AE8CB7-AA24-4dee-8EBB-BFE57F5C0AC0}.exe
Filesize
408KB

MD5
23fdb31b6b936af86a8a527321e444b0

SHA1
403ecc24cfdb793577aaaa9f02458550fa1423a0

SHA256
b0daa4c9034d4e4ef54d5188ffad3e468fbeaaa2b1f4426874c331619fb3c219

SHA512
1e4844f5a182d7c1ce2601ad7b7a02f941b1939785ad4e5f51266f73abedf1094b12d6ceb80da900c6e8e1cccfd552f03483fc1505e94e83003ca66d1ed3baa8

Download Submit
C:\Windows\{EBD2472A-0DC3-4cb6-8C4C-3C9A52CB1685}.exe
Filesize
408KB

MD5
1ac749bd3bfe60e608ba3a8378037a32

SHA1
e0f4e8a054f5849b379adfa63e1de73c8cf7478a

SHA256
f5ed18a5becf1586744d8bf6a64635b300670ce08361b64a19452182ecb66cba

SHA512
9005f65507a0246400fdf6a8637ea70104693c276f63428525e39ce727891c04b4e56212983af93be22d193e904817e0726ddb8785d9320c06d3a202dc7db029

Download Submit
C:\Windows\{EBD7CDB0-57F3-4b90-B806-5623092D1998}.exe
Filesize
408KB

MD5
96a2f9422023e790e4cd2bf5655d946f

SHA1
606a9dcc82841519e00e11e2045ed02c644ab929

SHA256
f3b9ded4b0a63e0fda45aee214571bfc752e431562e56ff7559ce9964987abc9

SHA512
78996dc81c5939585d0231e7c5977c39c3754b0f683a65a8ad7012a13138e51f83c0b9be96d242045522064c93ab2c2d1b4a0baad8b43db37b8000a83407a3bd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads