638f540e1aafdd9366176599556ab5741bca3a7ce97a101d2e6a415a21993c9a

Analysis

max time kernel
151s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe
Size

344KB
MD5

013d27dac742e27278a05905184d6ba7
SHA1

8e44bc1bf997f4244667aec72beb5d665301d964
SHA256

638f540e1aafdd9366176599556ab5741bca3a7ce97a101d2e6a415a21993c9a
SHA512

e9dce493c6b3cd8024a11e37bcbbbf417f6605b4e8dca592f38fe7fab291c47884240fc8952d54e0425f53e1c0513707c4316fa76fc16c9b09d507fa7ecefb14
SSDEEP

3072:mEGh0oilEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGQlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000900000001227e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015c49-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f3-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015c49-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed7-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4078DA9E-BDB3-4c25-8220-C6A536669BA6}	{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}\stubpath = "C:\\Windows\\{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe"	{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{800C755D-BC1F-4cf1-B566-17780566A718}\stubpath = "C:\\Windows\\{800C755D-BC1F-4cf1-B566-17780566A718}.exe"	{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9663581A-2666-43b8-8B91-62CE587CD826}	{BA76A9F1-28F7-4ba1-A32C-9E8DA590A9A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B765F66E-38B3-4650-9615-8E9125FDCA1A}	{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B765F66E-38B3-4650-9615-8E9125FDCA1A}\stubpath = "C:\\Windows\\{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe"	{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}\stubpath = "C:\\Windows\\{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe"	{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9663581A-2666-43b8-8B91-62CE587CD826}\stubpath = "C:\\Windows\\{9663581A-2666-43b8-8B91-62CE587CD826}.exe"	{BA76A9F1-28F7-4ba1-A32C-9E8DA590A9A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5CA7401-F220-4f1c-9352-F75AA9B70E90}	{9663581A-2666-43b8-8B91-62CE587CD826}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5CA7401-F220-4f1c-9352-F75AA9B70E90}\stubpath = "C:\\Windows\\{A5CA7401-F220-4f1c-9352-F75AA9B70E90}.exe"	{9663581A-2666-43b8-8B91-62CE587CD826}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F89B813-43D4-4c46-B72D-3D5F28CBC830}\stubpath = "C:\\Windows\\{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe"	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}\stubpath = "C:\\Windows\\{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe"	{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA76A9F1-28F7-4ba1-A32C-9E8DA590A9A9}	{AD681D4E-FA61-4ed6-8FCF-F7FF213E713E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA76A9F1-28F7-4ba1-A32C-9E8DA590A9A9}\stubpath = "C:\\Windows\\{BA76A9F1-28F7-4ba1-A32C-9E8DA590A9A9}.exe"	{AD681D4E-FA61-4ed6-8FCF-F7FF213E713E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4078DA9E-BDB3-4c25-8220-C6A536669BA6}\stubpath = "C:\\Windows\\{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe"	{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{800C755D-BC1F-4cf1-B566-17780566A718}	{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD681D4E-FA61-4ed6-8FCF-F7FF213E713E}\stubpath = "C:\\Windows\\{AD681D4E-FA61-4ed6-8FCF-F7FF213E713E}.exe"	{800C755D-BC1F-4cf1-B566-17780566A718}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}	{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD681D4E-FA61-4ed6-8FCF-F7FF213E713E}	{800C755D-BC1F-4cf1-B566-17780566A718}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C44EAE1D-8513-4f0e-B0F0-FB166579AA44}	{A5CA7401-F220-4f1c-9352-F75AA9B70E90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C44EAE1D-8513-4f0e-B0F0-FB166579AA44}\stubpath = "C:\\Windows\\{C44EAE1D-8513-4f0e-B0F0-FB166579AA44}.exe"	{A5CA7401-F220-4f1c-9352-F75AA9B70E90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F89B813-43D4-4c46-B72D-3D5F28CBC830}	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}	{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}	{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe

Deletes itself 1 IoCs

pid	Process
1668	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
788	{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe
2532	{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe
1664	{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe
1792	{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe
2760	{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe
1300	{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe
1620	{800C755D-BC1F-4cf1-B566-17780566A718}.exe
2724	{AD681D4E-FA61-4ed6-8FCF-F7FF213E713E}.exe
1336	{BA76A9F1-28F7-4ba1-A32C-9E8DA590A9A9}.exe
2256	{9663581A-2666-43b8-8B91-62CE587CD826}.exe
1844	{A5CA7401-F220-4f1c-9352-F75AA9B70E90}.exe
1052	{C44EAE1D-8513-4f0e-B0F0-FB166579AA44}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe
File created	C:\Windows\{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe	{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe
File created	C:\Windows\{A5CA7401-F220-4f1c-9352-F75AA9B70E90}.exe	{9663581A-2666-43b8-8B91-62CE587CD826}.exe
File created	C:\Windows\{800C755D-BC1F-4cf1-B566-17780566A718}.exe	{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe
File created	C:\Windows\{AD681D4E-FA61-4ed6-8FCF-F7FF213E713E}.exe	{800C755D-BC1F-4cf1-B566-17780566A718}.exe
File created	C:\Windows\{BA76A9F1-28F7-4ba1-A32C-9E8DA590A9A9}.exe	{AD681D4E-FA61-4ed6-8FCF-F7FF213E713E}.exe
File created	C:\Windows\{9663581A-2666-43b8-8B91-62CE587CD826}.exe	{BA76A9F1-28F7-4ba1-A32C-9E8DA590A9A9}.exe
File created	C:\Windows\{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe	{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe
File created	C:\Windows\{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe	{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe
File created	C:\Windows\{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe	{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe
File created	C:\Windows\{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe	{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe
File created	C:\Windows\{C44EAE1D-8513-4f0e-B0F0-FB166579AA44}.exe	{A5CA7401-F220-4f1c-9352-F75AA9B70E90}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1464	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	788	{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe
Token: SeIncBasePriorityPrivilege	2532	{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe
Token: SeIncBasePriorityPrivilege	1664	{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe
Token: SeIncBasePriorityPrivilege	1792	{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe
Token: SeIncBasePriorityPrivilege	2760	{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe
Token: SeIncBasePriorityPrivilege	1300	{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe
Token: SeIncBasePriorityPrivilege	1620	{800C755D-BC1F-4cf1-B566-17780566A718}.exe
Token: SeIncBasePriorityPrivilege	2724	{AD681D4E-FA61-4ed6-8FCF-F7FF213E713E}.exe
Token: SeIncBasePriorityPrivilege	1336	{BA76A9F1-28F7-4ba1-A32C-9E8DA590A9A9}.exe
Token: SeIncBasePriorityPrivilege	2256	{9663581A-2666-43b8-8B91-62CE587CD826}.exe
Token: SeIncBasePriorityPrivilege	1844	{A5CA7401-F220-4f1c-9352-F75AA9B70E90}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 788	1464	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe	28
PID 1464 wrote to memory of 788	1464	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe	28
PID 1464 wrote to memory of 788	1464	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe	28
PID 1464 wrote to memory of 788	1464	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe	28
PID 1464 wrote to memory of 1668	1464	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe	29
PID 1464 wrote to memory of 1668	1464	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe	29
PID 1464 wrote to memory of 1668	1464	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe	29
PID 1464 wrote to memory of 1668	1464	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe	29
PID 788 wrote to memory of 2532	788	{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe	30
PID 788 wrote to memory of 2532	788	{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe	30
PID 788 wrote to memory of 2532	788	{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe	30
PID 788 wrote to memory of 2532	788	{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe	30
PID 788 wrote to memory of 3040	788	{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe	31
PID 788 wrote to memory of 3040	788	{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe	31
PID 788 wrote to memory of 3040	788	{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe	31
PID 788 wrote to memory of 3040	788	{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe	31
PID 2532 wrote to memory of 1664	2532	{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe	34
PID 2532 wrote to memory of 1664	2532	{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe	34
PID 2532 wrote to memory of 1664	2532	{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe	34
PID 2532 wrote to memory of 1664	2532	{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe	34
PID 2532 wrote to memory of 2528	2532	{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe	35
PID 2532 wrote to memory of 2528	2532	{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe	35
PID 2532 wrote to memory of 2528	2532	{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe	35
PID 2532 wrote to memory of 2528	2532	{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe	35
PID 1664 wrote to memory of 1792	1664	{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe	36
PID 1664 wrote to memory of 1792	1664	{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe	36
PID 1664 wrote to memory of 1792	1664	{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe	36
PID 1664 wrote to memory of 1792	1664	{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe	36
PID 1664 wrote to memory of 2764	1664	{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe	37
PID 1664 wrote to memory of 2764	1664	{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe	37
PID 1664 wrote to memory of 2764	1664	{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe	37
PID 1664 wrote to memory of 2764	1664	{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe	37
PID 1792 wrote to memory of 2760	1792	{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe	38
PID 1792 wrote to memory of 2760	1792	{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe	38
PID 1792 wrote to memory of 2760	1792	{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe	38
PID 1792 wrote to memory of 2760	1792	{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe	38
PID 1792 wrote to memory of 608	1792	{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe	39
PID 1792 wrote to memory of 608	1792	{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe	39
PID 1792 wrote to memory of 608	1792	{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe	39
PID 1792 wrote to memory of 608	1792	{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe	39
PID 2760 wrote to memory of 1300	2760	{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe	40
PID 2760 wrote to memory of 1300	2760	{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe	40
PID 2760 wrote to memory of 1300	2760	{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe	40
PID 2760 wrote to memory of 1300	2760	{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe	40
PID 2760 wrote to memory of 2040	2760	{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe	41
PID 2760 wrote to memory of 2040	2760	{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe	41
PID 2760 wrote to memory of 2040	2760	{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe	41
PID 2760 wrote to memory of 2040	2760	{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe	41
PID 1300 wrote to memory of 1620	1300	{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe	42
PID 1300 wrote to memory of 1620	1300	{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe	42
PID 1300 wrote to memory of 1620	1300	{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe	42
PID 1300 wrote to memory of 1620	1300	{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe	42
PID 1300 wrote to memory of 752	1300	{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe	43
PID 1300 wrote to memory of 752	1300	{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe	43
PID 1300 wrote to memory of 752	1300	{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe	43
PID 1300 wrote to memory of 752	1300	{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe	43
PID 1620 wrote to memory of 2724	1620	{800C755D-BC1F-4cf1-B566-17780566A718}.exe	44
PID 1620 wrote to memory of 2724	1620	{800C755D-BC1F-4cf1-B566-17780566A718}.exe	44
PID 1620 wrote to memory of 2724	1620	{800C755D-BC1F-4cf1-B566-17780566A718}.exe	44
PID 1620 wrote to memory of 2724	1620	{800C755D-BC1F-4cf1-B566-17780566A718}.exe	44
PID 1620 wrote to memory of 1004	1620	{800C755D-BC1F-4cf1-B566-17780566A718}.exe	45
PID 1620 wrote to memory of 1004	1620	{800C755D-BC1F-4cf1-B566-17780566A718}.exe	45
PID 1620 wrote to memory of 1004	1620	{800C755D-BC1F-4cf1-B566-17780566A718}.exe	45
PID 1620 wrote to memory of 1004	1620	{800C755D-BC1F-4cf1-B566-17780566A718}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe
  C:\Windows\{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe
    C:\Windows\{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe
      C:\Windows\{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe
        
        C:\Windows\{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
      - C:\Windows\{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe
        
        C:\Windows\{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe
        
        C:\Windows\{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\{800C755D-BC1F-4cf1-B566-17780566A718}.exe
        
        C:\Windows\{800C755D-BC1F-4cf1-B566-17780566A718}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{AD681D4E-FA61-4ed6-8FCF-F7FF213E713E}.exe
        
        C:\Windows\{AD681D4E-FA61-4ed6-8FCF-F7FF213E713E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\{BA76A9F1-28F7-4ba1-A32C-9E8DA590A9A9}.exe
        
        C:\Windows\{BA76A9F1-28F7-4ba1-A32C-9E8DA590A9A9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Windows\{9663581A-2666-43b8-8B91-62CE587CD826}.exe
        
        C:\Windows\{9663581A-2666-43b8-8B91-62CE587CD826}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\{A5CA7401-F220-4f1c-9352-F75AA9B70E90}.exe
        
        C:\Windows\{A5CA7401-F220-4f1c-9352-F75AA9B70E90}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\{C44EAE1D-8513-4f0e-B0F0-FB166579AA44}.exe
        
        C:\Windows\{C44EAE1D-8513-4f0e-B0F0-FB166579AA44}.exe
        13⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5CA7~1.EXE > nul
        13⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96635~1.EXE > nul
        12⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA76A~1.EXE > nul
        11⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD681~1.EXE > nul
        10⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{800C7~1.EXE > nul
        9⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48DC8~1.EXE > nul
        8⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83665~1.EXE > nul
        7⤵
        
        PID:2040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4078D~1.EXE > nul
        6⤵
        
        PID:608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD147~1.EXE > nul
        5⤵
        
        PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B765F~1.EXE > nul
      4⤵
      PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3F89B~1.EXE > nul
    3⤵
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3F89B813-43D4-4c46-B72D-3D5F28CBC830}.exe

Filesize
344KB

MD5
37d4a0418bc7e5326fcda1c56ddff2b6

SHA1
cbd76f4a3dec51694781ab1b1ac80bd5213f414d

SHA256
e9a7e169476552ab771411919557dbdc9924d534584098303d9dc8a3101c7955

SHA512
213f58af5dfbfa672e84d332fa39d28aafba4569e4a9e70ca050a11a63ff915b3964e2934edf67517c4fa620a14a0c2987fde05cceb386b93fea44c1172b702b

Download Submit
C:\Windows\{4078DA9E-BDB3-4c25-8220-C6A536669BA6}.exe

Filesize
344KB

MD5
73e7f64f47c79de17fa969c055c72d11

SHA1
63591aa9e4a4da1b14dbf5129ea9b3e88f7cca75

SHA256
36f7a58fb8e531d79187633b27066db64849ee6cfa5be9f5921c34ad3157f25c

SHA512
da59c21209758213cba50cc143bccbcc525b99037d052f204e97d91721756b4619bd218106b37cec24f7e1a3353ab1c06a159a3d0a2920dec7045ba6de06836a

Download Submit
C:\Windows\{48DC8A24-FC6F-4dd0-8E18-0845B958FE51}.exe

Filesize
344KB

MD5
64737f75d3c4a80558fda6dd6f18ce44

SHA1
5f571ded7655037dabe7fec37c7f749ad71ea47f

SHA256
606c53c965d46cc3cdf5e64cc5af5135aed515982ebdcab2fad93e1065716c59

SHA512
a16125a0c34485da9c1aa4682b3f8abd11a07d48536f1adc3d350ceb77161a8499c5141f7a74c6a29a5911e4be74f79f953225a912f109e021eb448bde6e05b3

Download Submit
C:\Windows\{800C755D-BC1F-4cf1-B566-17780566A718}.exe

Filesize
344KB

MD5
dcbd800152a9c6323532f7c3fe552b25

SHA1
bbc50438abab2c3608f7c8857ecfe11436d379af

SHA256
89a4cb68dc225818f93e13a78a910eb8b77456887be579601f87af7dc7b3e12e

SHA512
c188c16a91471834bc4e96da554f63d6884cae6777b00cb9faec963d034b8385886641e0487c98118dcf48c9f6a55303c62df71b86ca9c5c6b07ad92ceb4fa1d

Download Submit
C:\Windows\{836659F4-3BD6-4d70-AB2B-F3D405E60F8F}.exe

Filesize
344KB

MD5
954e6408df7b4c28571f81a881bcf6e5

SHA1
4de8e2bdd8c956b4dc8de816fa2b1a67fdba86e0

SHA256
f752a989c5bafbcf0f5042bf70340dc83c01175338b3e4b252ca5aeeeee31285

SHA512
eff19769a797675592decd93f7f2ce72984ca53992e05fbff5e747abb4bfbc6b72b3c835c42ec4782abce867f6a3283be71804b50fe72c8f5b96dbb6039f8abe

Download Submit
C:\Windows\{9663581A-2666-43b8-8B91-62CE587CD826}.exe

Filesize
344KB

MD5
8170b92c3838c950523189de8b8e69dc

SHA1
ed071e84e4720384ff87ee97c84438877b8bbb23

SHA256
5a2c5bb1754cb277913c162334107009bfce9746fc6f192beec043fc2457a635

SHA512
3fe7f545d903bb7857f1cc98d4d1dba175dd4214685e5b5798a9cd2dffb76a79d19ba9b50f9641a758dfe21c7ad396b1acdfe55f9f193ed565f89da2547292a2

Download Submit
C:\Windows\{A5CA7401-F220-4f1c-9352-F75AA9B70E90}.exe

Filesize
344KB

MD5
011a6be6ef6a76f1b42a002d28de6705

SHA1
962bffba683d69ee8c46e9a7e7f280fa250bbad1

SHA256
c83b01761e021212c53d2365cffa99ffbd19d0275bcaa30446d1f2082ae8811b

SHA512
3b32ce771fc2bf50303f85d2b5920aa4b0ab1e5ad6fb7ab45aba85fea8b71156aab762ea361e75abb29c49ded3628bb96c08c39e7c1cced329b057087279f0e1

Download Submit
C:\Windows\{AD147A18-84FB-4505-AFCF-8D0D414EEC5C}.exe

Filesize
344KB

MD5
f8889b9e2e27c81948fdab222e3a9056

SHA1
b75a6f94cd323cd41b24dc0489beb0f354663eeb

SHA256
7b3d931c6125cfe33a6d22d5338bb2674b3a9837d2e46dd6c9caaf4c38df191d

SHA512
382d99075a839596b1a69b5bb235aaf8bb3fbf47651b12b8b2e052f2591a87d9d831562e3cfab5797cfebab95e2864762ce731f18f16bcb2b1bc14a7b6cd4b0a

Download Submit
C:\Windows\{AD681D4E-FA61-4ed6-8FCF-F7FF213E713E}.exe

Filesize
344KB

MD5
abbe8bbf2f659ec90ff3526a907cb7ad

SHA1
c49ed4e227f652da15debb2262551173735d067f

SHA256
c9c0aa556ea2408efa919dc40fb610ddb254143f937f240fb96eb7b0c3176d00

SHA512
411475f5ba1c657b82180b18f326504303b6320358e4a3124d26ce722f2ad449e3ff3ec581a23bb23af0d0b6db3e873ebda15296f6152e9a3021f01bc73431a0

Download Submit
C:\Windows\{B765F66E-38B3-4650-9615-8E9125FDCA1A}.exe

Filesize
344KB

MD5
fa26175ef56c9ee49a75ae089e85a364

SHA1
75bfb43e1291351490ffb748b70455376549d4ea

SHA256
a0e13a2ba0a6222a3b0910e7ff15011029f7806cc556f10c444a61bf14ce2194

SHA512
7bcde91ca9cebe820f1706f22fb424b0c00ec5baa6f29a8f2731e3246fc47dd7ab1efff75ec5b98c39e46f1af58e7dc5b6e0d71e1833deaf5febf8da7fc299aa

Download Submit
C:\Windows\{BA76A9F1-28F7-4ba1-A32C-9E8DA590A9A9}.exe

Filesize
344KB

MD5
ba26db1c67231a7ded38a8835eb383af

SHA1
4b0322f8e1829404f28e63391dbd2933713a7c6e

SHA256
970d9bfef35da333ddf4d213f35ec2ab654d61db3a749a9fd237f8be0730e915

SHA512
ac773d30dd9073aa0c31fa33d84bab28f1c813c8d6a4612762638c36615830a2629acb97ca307160d81228489762dbb8a79decbc1b47e294af0e809ad0bf99c1

Download Submit
C:\Windows\{C44EAE1D-8513-4f0e-B0F0-FB166579AA44}.exe

Filesize
344KB

MD5
5834c16f03eac88c924720395069faaa

SHA1
817821914af8477018084127fed9de312caf5574

SHA256
7cf253d4cd9b185615ed332c8221d7418986b4a9bf12bf6f4959d20834066253

SHA512
a4f964deb0127090eb0ccb38828dc70451710f7404a71b70121c7262b849370b3a7e10e00a81980299a63eb9725dba2175eacf63dafcb19c3297b7eda0f155c2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads