452252f66fe1100f3ae1dcebefd24a8d1ddd099a4fea68260e08d0a5b2f4f0ca

Analysis

max time kernel
151s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe
Size

344KB
MD5

b58f875eeb051d5b64adcae5f66ff507
SHA1

ae4b843ecc3be28acf53251c5b69db99e3561339
SHA256

452252f66fe1100f3ae1dcebefd24a8d1ddd099a4fea68260e08d0a5b2f4f0ca
SHA512

5ece80002880fabebb89af00f4d268cab0554433240c0609b4bbc9aa60b8a7a4ec3d41c5064d7541b3b84737b2d61cbda06490243e99ef025ae684d6b74eb62a
SSDEEP

3072:mEGh0o7lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG5lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000133c5-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016432-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f0000000165e5-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016432-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000016432-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016432-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00140000000167f6-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed7-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}	{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDED7056-D736-4a52-B01E-C49675A1E7E8}\stubpath = "C:\\Windows\\{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe"	{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{368EEA23-CC32-4cec-BC39-F4A193867268}\stubpath = "C:\\Windows\\{368EEA23-CC32-4cec-BC39-F4A193867268}.exe"	{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73DCC51A-899F-4ba5-8385-A84EF4EA6761}	{AF504F06-67A2-4f28-B9C5-2A2BAC3953CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5048F1C-4E01-4950-8CC4-09A234FDCCCE}\stubpath = "C:\\Windows\\{C5048F1C-4E01-4950-8CC4-09A234FDCCCE}.exe"	{8EBC87A6-B84D-49ed-920F-A21A5862DBD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}\stubpath = "C:\\Windows\\{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe"	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF504F06-67A2-4f28-B9C5-2A2BAC3953CC}	{368EEA23-CC32-4cec-BC39-F4A193867268}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF504F06-67A2-4f28-B9C5-2A2BAC3953CC}\stubpath = "C:\\Windows\\{AF504F06-67A2-4f28-B9C5-2A2BAC3953CC}.exe"	{368EEA23-CC32-4cec-BC39-F4A193867268}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EBC87A6-B84D-49ed-920F-A21A5862DBD9}	{73DCC51A-899F-4ba5-8385-A84EF4EA6761}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFBA08F1-3EFC-47c3-BB3C-8377FBDF88A8}	{C5048F1C-4E01-4950-8CC4-09A234FDCCCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFBA08F1-3EFC-47c3-BB3C-8377FBDF88A8}\stubpath = "C:\\Windows\\{DFBA08F1-3EFC-47c3-BB3C-8377FBDF88A8}.exe"	{C5048F1C-4E01-4950-8CC4-09A234FDCCCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42084653-D74B-4f27-9720-99FAD41FA456}	{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42084653-D74B-4f27-9720-99FAD41FA456}\stubpath = "C:\\Windows\\{42084653-D74B-4f27-9720-99FAD41FA456}.exe"	{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{491D14E9-FE37-4404-B420-F3617AF34DB5}	{42084653-D74B-4f27-9720-99FAD41FA456}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{368EEA23-CC32-4cec-BC39-F4A193867268}	{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EBC87A6-B84D-49ed-920F-A21A5862DBD9}\stubpath = "C:\\Windows\\{8EBC87A6-B84D-49ed-920F-A21A5862DBD9}.exe"	{73DCC51A-899F-4ba5-8385-A84EF4EA6761}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5048F1C-4E01-4950-8CC4-09A234FDCCCE}	{8EBC87A6-B84D-49ed-920F-A21A5862DBD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}\stubpath = "C:\\Windows\\{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe"	{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDED7056-D736-4a52-B01E-C49675A1E7E8}	{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{491D14E9-FE37-4404-B420-F3617AF34DB5}\stubpath = "C:\\Windows\\{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe"	{42084653-D74B-4f27-9720-99FAD41FA456}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}	{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}\stubpath = "C:\\Windows\\{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe"	{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73DCC51A-899F-4ba5-8385-A84EF4EA6761}\stubpath = "C:\\Windows\\{73DCC51A-899F-4ba5-8385-A84EF4EA6761}.exe"	{AF504F06-67A2-4f28-B9C5-2A2BAC3953CC}.exe

Deletes itself 1 IoCs

pid	Process
2508	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
3048	{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe
2868	{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe
2016	{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe
2028	{42084653-D74B-4f27-9720-99FAD41FA456}.exe
1480	{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe
1336	{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe
332	{368EEA23-CC32-4cec-BC39-F4A193867268}.exe
2756	{AF504F06-67A2-4f28-B9C5-2A2BAC3953CC}.exe
312	{73DCC51A-899F-4ba5-8385-A84EF4EA6761}.exe
2228	{8EBC87A6-B84D-49ed-920F-A21A5862DBD9}.exe
1972	{C5048F1C-4E01-4950-8CC4-09A234FDCCCE}.exe
1564	{DFBA08F1-3EFC-47c3-BB3C-8377FBDF88A8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe	{42084653-D74B-4f27-9720-99FAD41FA456}.exe
File created	C:\Windows\{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe	{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe
File created	C:\Windows\{8EBC87A6-B84D-49ed-920F-A21A5862DBD9}.exe	{73DCC51A-899F-4ba5-8385-A84EF4EA6761}.exe
File created	C:\Windows\{C5048F1C-4E01-4950-8CC4-09A234FDCCCE}.exe	{8EBC87A6-B84D-49ed-920F-A21A5862DBD9}.exe
File created	C:\Windows\{DFBA08F1-3EFC-47c3-BB3C-8377FBDF88A8}.exe	{C5048F1C-4E01-4950-8CC4-09A234FDCCCE}.exe
File created	C:\Windows\{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe
File created	C:\Windows\{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe	{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe
File created	C:\Windows\{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe	{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe
File created	C:\Windows\{42084653-D74B-4f27-9720-99FAD41FA456}.exe	{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe
File created	C:\Windows\{368EEA23-CC32-4cec-BC39-F4A193867268}.exe	{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe
File created	C:\Windows\{AF504F06-67A2-4f28-B9C5-2A2BAC3953CC}.exe	{368EEA23-CC32-4cec-BC39-F4A193867268}.exe
File created	C:\Windows\{73DCC51A-899F-4ba5-8385-A84EF4EA6761}.exe	{AF504F06-67A2-4f28-B9C5-2A2BAC3953CC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2380	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3048	{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe
Token: SeIncBasePriorityPrivilege	2868	{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe
Token: SeIncBasePriorityPrivilege	2016	{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe
Token: SeIncBasePriorityPrivilege	2028	{42084653-D74B-4f27-9720-99FAD41FA456}.exe
Token: SeIncBasePriorityPrivilege	1480	{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe
Token: SeIncBasePriorityPrivilege	1336	{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe
Token: SeIncBasePriorityPrivilege	332	{368EEA23-CC32-4cec-BC39-F4A193867268}.exe
Token: SeIncBasePriorityPrivilege	2756	{AF504F06-67A2-4f28-B9C5-2A2BAC3953CC}.exe
Token: SeIncBasePriorityPrivilege	312	{73DCC51A-899F-4ba5-8385-A84EF4EA6761}.exe
Token: SeIncBasePriorityPrivilege	2228	{8EBC87A6-B84D-49ed-920F-A21A5862DBD9}.exe
Token: SeIncBasePriorityPrivilege	1972	{C5048F1C-4E01-4950-8CC4-09A234FDCCCE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3048	2380	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe	28
PID 2380 wrote to memory of 3048	2380	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe	28
PID 2380 wrote to memory of 3048	2380	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe	28
PID 2380 wrote to memory of 3048	2380	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe	28
PID 2380 wrote to memory of 2508	2380	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe	29
PID 2380 wrote to memory of 2508	2380	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe	29
PID 2380 wrote to memory of 2508	2380	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe	29
PID 2380 wrote to memory of 2508	2380	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe	29
PID 3048 wrote to memory of 2868	3048	{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe	30
PID 3048 wrote to memory of 2868	3048	{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe	30
PID 3048 wrote to memory of 2868	3048	{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe	30
PID 3048 wrote to memory of 2868	3048	{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe	30
PID 3048 wrote to memory of 2412	3048	{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe	31
PID 3048 wrote to memory of 2412	3048	{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe	31
PID 3048 wrote to memory of 2412	3048	{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe	31
PID 3048 wrote to memory of 2412	3048	{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe	31
PID 2868 wrote to memory of 2016	2868	{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe	34
PID 2868 wrote to memory of 2016	2868	{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe	34
PID 2868 wrote to memory of 2016	2868	{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe	34
PID 2868 wrote to memory of 2016	2868	{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe	34
PID 2868 wrote to memory of 2524	2868	{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe	35
PID 2868 wrote to memory of 2524	2868	{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe	35
PID 2868 wrote to memory of 2524	2868	{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe	35
PID 2868 wrote to memory of 2524	2868	{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe	35
PID 2016 wrote to memory of 2028	2016	{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe	36
PID 2016 wrote to memory of 2028	2016	{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe	36
PID 2016 wrote to memory of 2028	2016	{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe	36
PID 2016 wrote to memory of 2028	2016	{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe	36
PID 2016 wrote to memory of 584	2016	{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe	37
PID 2016 wrote to memory of 584	2016	{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe	37
PID 2016 wrote to memory of 584	2016	{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe	37
PID 2016 wrote to memory of 584	2016	{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe	37
PID 2028 wrote to memory of 1480	2028	{42084653-D74B-4f27-9720-99FAD41FA456}.exe	38
PID 2028 wrote to memory of 1480	2028	{42084653-D74B-4f27-9720-99FAD41FA456}.exe	38
PID 2028 wrote to memory of 1480	2028	{42084653-D74B-4f27-9720-99FAD41FA456}.exe	38
PID 2028 wrote to memory of 1480	2028	{42084653-D74B-4f27-9720-99FAD41FA456}.exe	38
PID 2028 wrote to memory of 2664	2028	{42084653-D74B-4f27-9720-99FAD41FA456}.exe	39
PID 2028 wrote to memory of 2664	2028	{42084653-D74B-4f27-9720-99FAD41FA456}.exe	39
PID 2028 wrote to memory of 2664	2028	{42084653-D74B-4f27-9720-99FAD41FA456}.exe	39
PID 2028 wrote to memory of 2664	2028	{42084653-D74B-4f27-9720-99FAD41FA456}.exe	39
PID 1480 wrote to memory of 1336	1480	{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe	40
PID 1480 wrote to memory of 1336	1480	{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe	40
PID 1480 wrote to memory of 1336	1480	{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe	40
PID 1480 wrote to memory of 1336	1480	{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe	40
PID 1480 wrote to memory of 2128	1480	{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe	41
PID 1480 wrote to memory of 2128	1480	{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe	41
PID 1480 wrote to memory of 2128	1480	{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe	41
PID 1480 wrote to memory of 2128	1480	{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe	41
PID 1336 wrote to memory of 332	1336	{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe	42
PID 1336 wrote to memory of 332	1336	{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe	42
PID 1336 wrote to memory of 332	1336	{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe	42
PID 1336 wrote to memory of 332	1336	{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe	42
PID 1336 wrote to memory of 2592	1336	{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe	43
PID 1336 wrote to memory of 2592	1336	{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe	43
PID 1336 wrote to memory of 2592	1336	{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe	43
PID 1336 wrote to memory of 2592	1336	{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe	43
PID 332 wrote to memory of 2756	332	{368EEA23-CC32-4cec-BC39-F4A193867268}.exe	44
PID 332 wrote to memory of 2756	332	{368EEA23-CC32-4cec-BC39-F4A193867268}.exe	44
PID 332 wrote to memory of 2756	332	{368EEA23-CC32-4cec-BC39-F4A193867268}.exe	44
PID 332 wrote to memory of 2756	332	{368EEA23-CC32-4cec-BC39-F4A193867268}.exe	44
PID 332 wrote to memory of 1836	332	{368EEA23-CC32-4cec-BC39-F4A193867268}.exe	45
PID 332 wrote to memory of 1836	332	{368EEA23-CC32-4cec-BC39-F4A193867268}.exe	45
PID 332 wrote to memory of 1836	332	{368EEA23-CC32-4cec-BC39-F4A193867268}.exe	45
PID 332 wrote to memory of 1836	332	{368EEA23-CC32-4cec-BC39-F4A193867268}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe
  C:\Windows\{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe
    C:\Windows\{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe
      C:\Windows\{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\{42084653-D74B-4f27-9720-99FAD41FA456}.exe
        
        C:\Windows\{42084653-D74B-4f27-9720-99FAD41FA456}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Windows\{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe
        
        C:\Windows\{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe
        
        C:\Windows\{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\{368EEA23-CC32-4cec-BC39-F4A193867268}.exe
        
        C:\Windows\{368EEA23-CC32-4cec-BC39-F4A193867268}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\{AF504F06-67A2-4f28-B9C5-2A2BAC3953CC}.exe
        
        C:\Windows\{AF504F06-67A2-4f28-B9C5-2A2BAC3953CC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\{73DCC51A-899F-4ba5-8385-A84EF4EA6761}.exe
        
        C:\Windows\{73DCC51A-899F-4ba5-8385-A84EF4EA6761}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:312
        
        C:\Windows\{8EBC87A6-B84D-49ed-920F-A21A5862DBD9}.exe
        
        C:\Windows\{8EBC87A6-B84D-49ed-920F-A21A5862DBD9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\{C5048F1C-4E01-4950-8CC4-09A234FDCCCE}.exe
        
        C:\Windows\{C5048F1C-4E01-4950-8CC4-09A234FDCCCE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\{DFBA08F1-3EFC-47c3-BB3C-8377FBDF88A8}.exe
        
        C:\Windows\{DFBA08F1-3EFC-47c3-BB3C-8377FBDF88A8}.exe
        13⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5048~1.EXE > nul
        13⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EBC8~1.EXE > nul
        12⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73DCC~1.EXE > nul
        11⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF504~1.EXE > nul
        10⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{368EE~1.EXE > nul
        9⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6F85~1.EXE > nul
        8⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{491D1~1.EXE > nul
        7⤵
        
        PID:2128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42084~1.EXE > nul
        6⤵
        
        PID:2664
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDED7~1.EXE > nul
        5⤵
        
        PID:584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AEBE5~1.EXE > nul
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{60119~1.EXE > nul
    3⤵
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{368EEA23-CC32-4cec-BC39-F4A193867268}.exe

Filesize
344KB

MD5
807bb78a3fc0e9f9082338497458044a

SHA1
8ee24844ffcb7dc1ba02553073638815fcc19c73

SHA256
b953852f03abb89b6ad033176ea80f30fb8dc1e0d320d006bea33e4be864a37e

SHA512
7baebc5bc7eadfa834b9c69596c3922b688c6193d3533b8990012eeecc2ce91db53f68414ed3bc8d43e9344a7072705ae796d765daa0f5f5f2a2eb43899b6049

Download Submit
C:\Windows\{42084653-D74B-4f27-9720-99FAD41FA456}.exe

Filesize
344KB

MD5
810d4bc0b4cc8f2f02ba4def8d1ec505

SHA1
100ff47bf52c3a2215c84c23839acbbfb6635283

SHA256
de29824f598a1f5bba7341e68a62a17d7d09ed06de1b780dfde989999509fb72

SHA512
d04be0d78af1d62e2956c37feefd6af268de1eed8dd3c5974bbb2e38048d7823c6293eeb813d94ebb5323b3b169dbddaf6ed041d9d5de6cb8b63b448fb88baf3

Download Submit
C:\Windows\{491D14E9-FE37-4404-B420-F3617AF34DB5}.exe

Filesize
344KB

MD5
0efb360ab08866f0fdb1a621045fd2d3

SHA1
5faaab78bffa579e9e82918b2df289a4afb95910

SHA256
3f02990a056524f3b3b5ced79670587e51d476ebebfb77c1afe3e86403dcb69d

SHA512
b019dde3f50c8738dcc2da77d00b95c67f4b127436085909b99c4bb148dc5b1d39d215ec488e21861b39d2b2a4fcb2cbc7cea786b967547fdce7825eaf3169db

Download Submit
C:\Windows\{6011967A-3B8D-49c9-BD60-B04A8DF2AF2B}.exe

Filesize
344KB

MD5
e4d88a78a2afe02041c1ef3c7afe0738

SHA1
bea2b2b3070d7dfaaad4fcab962b9d7963cf6fd0

SHA256
7ee165c2238cab2748c12109374f0518a4a458d14c543be0b45735aad4df23cb

SHA512
67bb49b91ba66c0c65f4204e07032b78e0c84f09b3d42278756b7aa0bf7be4040c389e65c74f887085db487fd0183ed5587f29fbcd00ea4b92b34babd1a62488

Download Submit
C:\Windows\{73DCC51A-899F-4ba5-8385-A84EF4EA6761}.exe

Filesize
344KB

MD5
045aab88b9c668afd75061d9e8039660

SHA1
e527b83457a62ea9a672b444d12cd28e17943b33

SHA256
e47db5ba87882c13d988e1e3270fe0e8df2033b1443f48c96cf8a5b2a4ed3671

SHA512
953604c2a62fdbd85eeca37fe550908f573051f4ae15a708fb047d6a92023c9a6ba2911be37784cd6479bb2e55fab52de46ee1d9e44d7f690f35f97fbe253730

Download Submit
C:\Windows\{8EBC87A6-B84D-49ed-920F-A21A5862DBD9}.exe

Filesize
344KB

MD5
688c4653c4897217ebfcab3615e5a05b

SHA1
75285a5eb1e65cecce3c994c855598eae68e3d23

SHA256
6bf960af55435e4b10ef43fec88272b669a0d7c43a4ce0366b1ad786d8c813ac

SHA512
37fc2b8d6331bc653dfaa2cadeb17674389238858126371aabafc4c10a29650115c3c89feb567a3f0bce88c06c5d27e1473b81aafc8f1d7d0a29340546260942

Download Submit
C:\Windows\{AEBE5DEB-FA60-4182-B2CF-5B42B17632E7}.exe

Filesize
344KB

MD5
80f5c18db1c5085415baa9518f540c4c

SHA1
843f89c28ebdefa7836840039216f19fb21f4e9b

SHA256
8891c8f6559c4cb69271a0b5ac71fa779439b002821251e965cd306057a23da9

SHA512
d4eb4796455d7fc1878ba42419e74048bf46f1da6fc3a516668e5ad9d68f3df26dd1ea23266e3ceffd0a03d4c47ebc18cce19931708c2747b56db6fee437acf3

Download Submit
C:\Windows\{AF504F06-67A2-4f28-B9C5-2A2BAC3953CC}.exe

Filesize
344KB

MD5
cdd02ef301c47ce8eb589ae92cba9b7f

SHA1
832f858f3b2eab31758ba328f1b22999c336d566

SHA256
e43409ceec3717fe15c0db36e59716b9cb13ce0be787903e89cce263b3856521

SHA512
9735d862f96272ffa8f7eb2fa0c6fab128d8991249fd8078463183cd322a41da86130a3615b7ebe8aff0e58af685ed0e35aa0546838fe129a447fb7619aa52fb

Download Submit
C:\Windows\{C5048F1C-4E01-4950-8CC4-09A234FDCCCE}.exe

Filesize
344KB

MD5
97d48ff0dd76540c0962e409d5d3dc8c

SHA1
73198010d6fef8b30f81c23f2790ea87f801b626

SHA256
b13202ab7e798849b7a834153a738573e661a12ce212cc91dd3ce0eda2ff2466

SHA512
c4799725d5e16dd899a6df296a2d02b88b77a1a8ae49f3ef94362acaa05e8db0fd08d3bdd22ec42e6094d12554a0653b0df66ce0bce8d152bc8596402b3cba19

Download Submit
C:\Windows\{D6F85B8C-BD46-4fb7-A33B-DD963BC3144D}.exe

Filesize
344KB

MD5
3a177d799ed4b6d2fa7428e71b8c553e

SHA1
678ac4b00a38c6b7c81f075255698437c581e103

SHA256
389aa27db970a40a5f2efbc91416637aa7225cc50fcaa6ec4a9d8b8e67fa0e6e

SHA512
d8ae228b1f02d3091955b0a3b5e700af514dd5048d2b703ced0293b1a7bda29f656ae2f90fc5c297afccad6b92f39a54caaa4e389ad2ff023917b45c96f8878b

Download Submit
C:\Windows\{DFBA08F1-3EFC-47c3-BB3C-8377FBDF88A8}.exe

Filesize
344KB

MD5
0fc02a9bcec40bed595b2d768c24d7f4

SHA1
5d12f697244ad8f96544ab9e2e70dadfb78185d4

SHA256
aaaf3c3a421a3a178e1c84d76966edc0b8cd3da6604046ee2ad73e1eef4d7887

SHA512
4cc25e2fe9bd2e4122b52170216c208b8abb5b199206c7a1aa62a3dff161e28b85561c617655e134fa3f6b60785b2e03e83ef35485bc7bff869ea28b259ef57d

Download Submit
C:\Windows\{EDED7056-D736-4a52-B01E-C49675A1E7E8}.exe

Filesize
344KB

MD5
647a0aeb9e13680aa5678c89d84c5c8e

SHA1
2c5bc52136691f76da49f33151b6d09e854db964

SHA256
d7f913a4cf5c991a3ac54689bc3d1ce40d291a35b22cb37d33b345152578043d

SHA512
2c9a2bbd074a166cca1206a575e59b912ab78d45920d4196abdf75272d23d40251818e8434af2fb47503f68fe77fa3cf8d01b65f38944b45104e079c5e072cda

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads