410fe386b8a73c2fe31360338629d61d01a44ef80d781cae1470b9d0fe7f5a5d

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe
Size

168KB
MD5

ee5b303eaabfaad6215e31c52a0acbf3
SHA1

fd82920c63b3929b5cf578838ac71c84bd6cd741
SHA256

410fe386b8a73c2fe31360338629d61d01a44ef80d781cae1470b9d0fe7f5a5d
SHA512

b4f288cb6c931b9c5959a668e319978638ac086644e36b23636fd26fd7e634ec7b6b9b2e48eacee40f089bac231a5302bb5c2fadc5fc216872c63b6a1a42cde9
SSDEEP

1536:1EGh0o8lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o8lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012254-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00040000000130fc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00050000000130fc-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00060000000130fc-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000130fc-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000130fc-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000130fc-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{798BF7FD-10CD-432d-854B-52FE95BDBE63}\stubpath = "C:\\Windows\\{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe"	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}	{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{416CCB93-9876-40fa-92D9-3D49566D9DB1}\stubpath = "C:\\Windows\\{416CCB93-9876-40fa-92D9-3D49566D9DB1}.exe"	{494A6A39-63AC-4e3e-938D-A6B8B9EFA9D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADEA0210-8A0D-4777-BFC2-7BCE429C8261}\stubpath = "C:\\Windows\\{ADEA0210-8A0D-4777-BFC2-7BCE429C8261}.exe"	{F42A4E65-B64B-4500-974A-B7BB01319353}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4F5CA14-02C9-4fdd-9322-1F05B7B711F0}	{ADEA0210-8A0D-4777-BFC2-7BCE429C8261}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4F5CA14-02C9-4fdd-9322-1F05B7B711F0}\stubpath = "C:\\Windows\\{A4F5CA14-02C9-4fdd-9322-1F05B7B711F0}.exe"	{ADEA0210-8A0D-4777-BFC2-7BCE429C8261}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}\stubpath = "C:\\Windows\\{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe"	{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF177097-7589-4ce9-8131-F182427BAD6F}	{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{798BF7FD-10CD-432d-854B-52FE95BDBE63}	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}\stubpath = "C:\\Windows\\{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe"	{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}	{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87543838-28C4-4ac0-97FD-9E867AC8A3BD}	{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}\stubpath = "C:\\Windows\\{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe"	{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}	{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{494A6A39-63AC-4e3e-938D-A6B8B9EFA9D7}\stubpath = "C:\\Windows\\{494A6A39-63AC-4e3e-938D-A6B8B9EFA9D7}.exe"	{CF177097-7589-4ce9-8131-F182427BAD6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F42A4E65-B64B-4500-974A-B7BB01319353}\stubpath = "C:\\Windows\\{F42A4E65-B64B-4500-974A-B7BB01319353}.exe"	{416CCB93-9876-40fa-92D9-3D49566D9DB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}	{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF177097-7589-4ce9-8131-F182427BAD6F}\stubpath = "C:\\Windows\\{CF177097-7589-4ce9-8131-F182427BAD6F}.exe"	{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F42A4E65-B64B-4500-974A-B7BB01319353}	{416CCB93-9876-40fa-92D9-3D49566D9DB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}\stubpath = "C:\\Windows\\{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe"	{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87543838-28C4-4ac0-97FD-9E867AC8A3BD}\stubpath = "C:\\Windows\\{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe"	{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{494A6A39-63AC-4e3e-938D-A6B8B9EFA9D7}	{CF177097-7589-4ce9-8131-F182427BAD6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{416CCB93-9876-40fa-92D9-3D49566D9DB1}	{494A6A39-63AC-4e3e-938D-A6B8B9EFA9D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADEA0210-8A0D-4777-BFC2-7BCE429C8261}	{F42A4E65-B64B-4500-974A-B7BB01319353}.exe

Deletes itself 1 IoCs

pid	Process
2592	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
3028	{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe
2888	{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe
2468	{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe
1140	{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe
2776	{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe
1480	{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe
1144	{CF177097-7589-4ce9-8131-F182427BAD6F}.exe
2740	{494A6A39-63AC-4e3e-938D-A6B8B9EFA9D7}.exe
860	{416CCB93-9876-40fa-92D9-3D49566D9DB1}.exe
1552	{F42A4E65-B64B-4500-974A-B7BB01319353}.exe
1464	{ADEA0210-8A0D-4777-BFC2-7BCE429C8261}.exe
2292	{A4F5CA14-02C9-4fdd-9322-1F05B7B711F0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe
File created	C:\Windows\{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe	{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe
File created	C:\Windows\{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe	{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe
File created	C:\Windows\{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe	{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe
File created	C:\Windows\{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe	{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe
File created	C:\Windows\{416CCB93-9876-40fa-92D9-3D49566D9DB1}.exe	{494A6A39-63AC-4e3e-938D-A6B8B9EFA9D7}.exe
File created	C:\Windows\{F42A4E65-B64B-4500-974A-B7BB01319353}.exe	{416CCB93-9876-40fa-92D9-3D49566D9DB1}.exe
File created	C:\Windows\{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe	{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe
File created	C:\Windows\{CF177097-7589-4ce9-8131-F182427BAD6F}.exe	{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe
File created	C:\Windows\{494A6A39-63AC-4e3e-938D-A6B8B9EFA9D7}.exe	{CF177097-7589-4ce9-8131-F182427BAD6F}.exe
File created	C:\Windows\{ADEA0210-8A0D-4777-BFC2-7BCE429C8261}.exe	{F42A4E65-B64B-4500-974A-B7BB01319353}.exe
File created	C:\Windows\{A4F5CA14-02C9-4fdd-9322-1F05B7B711F0}.exe	{ADEA0210-8A0D-4777-BFC2-7BCE429C8261}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2120	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3028	{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe
Token: SeIncBasePriorityPrivilege	2888	{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe
Token: SeIncBasePriorityPrivilege	2468	{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe
Token: SeIncBasePriorityPrivilege	1140	{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe
Token: SeIncBasePriorityPrivilege	2776	{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe
Token: SeIncBasePriorityPrivilege	1480	{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe
Token: SeIncBasePriorityPrivilege	1144	{CF177097-7589-4ce9-8131-F182427BAD6F}.exe
Token: SeIncBasePriorityPrivilege	2740	{494A6A39-63AC-4e3e-938D-A6B8B9EFA9D7}.exe
Token: SeIncBasePriorityPrivilege	860	{416CCB93-9876-40fa-92D9-3D49566D9DB1}.exe
Token: SeIncBasePriorityPrivilege	1552	{F42A4E65-B64B-4500-974A-B7BB01319353}.exe
Token: SeIncBasePriorityPrivilege	1464	{ADEA0210-8A0D-4777-BFC2-7BCE429C8261}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 3028	2120	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe	28
PID 2120 wrote to memory of 3028	2120	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe	28
PID 2120 wrote to memory of 3028	2120	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe	28
PID 2120 wrote to memory of 3028	2120	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe	28
PID 2120 wrote to memory of 2592	2120	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe	29
PID 2120 wrote to memory of 2592	2120	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe	29
PID 2120 wrote to memory of 2592	2120	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe	29
PID 2120 wrote to memory of 2592	2120	2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe	29
PID 3028 wrote to memory of 2888	3028	{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe	30
PID 3028 wrote to memory of 2888	3028	{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe	30
PID 3028 wrote to memory of 2888	3028	{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe	30
PID 3028 wrote to memory of 2888	3028	{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe	30
PID 3028 wrote to memory of 2524	3028	{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe	31
PID 3028 wrote to memory of 2524	3028	{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe	31
PID 3028 wrote to memory of 2524	3028	{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe	31
PID 3028 wrote to memory of 2524	3028	{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe	31
PID 2888 wrote to memory of 2468	2888	{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe	34
PID 2888 wrote to memory of 2468	2888	{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe	34
PID 2888 wrote to memory of 2468	2888	{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe	34
PID 2888 wrote to memory of 2468	2888	{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe	34
PID 2888 wrote to memory of 3008	2888	{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe	35
PID 2888 wrote to memory of 3008	2888	{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe	35
PID 2888 wrote to memory of 3008	2888	{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe	35
PID 2888 wrote to memory of 3008	2888	{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe	35
PID 2468 wrote to memory of 1140	2468	{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe	36
PID 2468 wrote to memory of 1140	2468	{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe	36
PID 2468 wrote to memory of 1140	2468	{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe	36
PID 2468 wrote to memory of 1140	2468	{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe	36
PID 2468 wrote to memory of 796	2468	{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe	37
PID 2468 wrote to memory of 796	2468	{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe	37
PID 2468 wrote to memory of 796	2468	{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe	37
PID 2468 wrote to memory of 796	2468	{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe	37
PID 1140 wrote to memory of 2776	1140	{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe	38
PID 1140 wrote to memory of 2776	1140	{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe	38
PID 1140 wrote to memory of 2776	1140	{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe	38
PID 1140 wrote to memory of 2776	1140	{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe	38
PID 1140 wrote to memory of 2796	1140	{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe	39
PID 1140 wrote to memory of 2796	1140	{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe	39
PID 1140 wrote to memory of 2796	1140	{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe	39
PID 1140 wrote to memory of 2796	1140	{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe	39
PID 2776 wrote to memory of 1480	2776	{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe	40
PID 2776 wrote to memory of 1480	2776	{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe	40
PID 2776 wrote to memory of 1480	2776	{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe	40
PID 2776 wrote to memory of 1480	2776	{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe	40
PID 2776 wrote to memory of 1788	2776	{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe	41
PID 2776 wrote to memory of 1788	2776	{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe	41
PID 2776 wrote to memory of 1788	2776	{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe	41
PID 2776 wrote to memory of 1788	2776	{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe	41
PID 1480 wrote to memory of 1144	1480	{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe	42
PID 1480 wrote to memory of 1144	1480	{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe	42
PID 1480 wrote to memory of 1144	1480	{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe	42
PID 1480 wrote to memory of 1144	1480	{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe	42
PID 1480 wrote to memory of 308	1480	{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe	43
PID 1480 wrote to memory of 308	1480	{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe	43
PID 1480 wrote to memory of 308	1480	{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe	43
PID 1480 wrote to memory of 308	1480	{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe	43
PID 1144 wrote to memory of 2740	1144	{CF177097-7589-4ce9-8131-F182427BAD6F}.exe	44
PID 1144 wrote to memory of 2740	1144	{CF177097-7589-4ce9-8131-F182427BAD6F}.exe	44
PID 1144 wrote to memory of 2740	1144	{CF177097-7589-4ce9-8131-F182427BAD6F}.exe	44
PID 1144 wrote to memory of 2740	1144	{CF177097-7589-4ce9-8131-F182427BAD6F}.exe	44
PID 1144 wrote to memory of 2780	1144	{CF177097-7589-4ce9-8131-F182427BAD6F}.exe	45
PID 1144 wrote to memory of 2780	1144	{CF177097-7589-4ce9-8131-F182427BAD6F}.exe	45
PID 1144 wrote to memory of 2780	1144	{CF177097-7589-4ce9-8131-F182427BAD6F}.exe	45
PID 1144 wrote to memory of 2780	1144	{CF177097-7589-4ce9-8131-F182427BAD6F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_ee5b303eaabfaad6215e31c52a0acbf3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe
  C:\Windows\{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe
    C:\Windows\{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe
      C:\Windows\{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe
        
        C:\Windows\{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
      - C:\Windows\{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe
        
        C:\Windows\{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe
        
        C:\Windows\{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\{CF177097-7589-4ce9-8131-F182427BAD6F}.exe
        
        C:\Windows\{CF177097-7589-4ce9-8131-F182427BAD6F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\{494A6A39-63AC-4e3e-938D-A6B8B9EFA9D7}.exe
        
        C:\Windows\{494A6A39-63AC-4e3e-938D-A6B8B9EFA9D7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\{416CCB93-9876-40fa-92D9-3D49566D9DB1}.exe
        
        C:\Windows\{416CCB93-9876-40fa-92D9-3D49566D9DB1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\{F42A4E65-B64B-4500-974A-B7BB01319353}.exe
        
        C:\Windows\{F42A4E65-B64B-4500-974A-B7BB01319353}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\{ADEA0210-8A0D-4777-BFC2-7BCE429C8261}.exe
        
        C:\Windows\{ADEA0210-8A0D-4777-BFC2-7BCE429C8261}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\{A4F5CA14-02C9-4fdd-9322-1F05B7B711F0}.exe
        
        C:\Windows\{A4F5CA14-02C9-4fdd-9322-1F05B7B711F0}.exe
        13⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADEA0~1.EXE > nul
        13⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F42A4~1.EXE > nul
        12⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{416CC~1.EXE > nul
        11⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{494A6~1.EXE > nul
        10⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF177~1.EXE > nul
        9⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E2E6~1.EXE > nul
        8⤵
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9F6A~1.EXE > nul
        7⤵
        
        PID:1788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87543~1.EXE > nul
        6⤵
        
        PID:2796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBB07~1.EXE > nul
        5⤵
        
        PID:796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8BF2F~1.EXE > nul
      4⤵
      PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{798BF~1.EXE > nul
    3⤵
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{416CCB93-9876-40fa-92D9-3D49566D9DB1}.exe

Filesize
168KB

MD5
129516f7995859c00d8375d6e2b38262

SHA1
9ed13c0487a79c346723d2c9c3541bc5c0b1471d

SHA256
3c3ab1ac6a802d07de58909c5d9b6b25d7080dca076be84108b33131815c17ef

SHA512
d45671a37e6a6c4124c485dd9e4436886becf26cce1ae60b30e7bb353b395e9ac8c9932821f9fe9c1c4d6e4e5bde46151b41f5f65a7463c7341954da96d00087

Download Submit
C:\Windows\{494A6A39-63AC-4e3e-938D-A6B8B9EFA9D7}.exe

Filesize
168KB

MD5
054715763d1f272c375f5db28ce8d806

SHA1
b968a9c340054639864a305b308d06208234e64f

SHA256
c0fba8625a234337f0ec840dc11c02a9c9d2f6418920fbad399ef53719351231

SHA512
749851d23d24da6b1dd3c23dea05539816cd4fe48239fec4be497fc4a5a0679660676f35ddf4fc9b8fdd4393e7ec2f93199330b0e309c7cc18363634abf0b63f

Download Submit
C:\Windows\{5E2E6425-25B8-41b5-93F4-89CFE3A1862C}.exe

Filesize
168KB

MD5
4e799dbc2d380f72b143b9c9ab902316

SHA1
d53194ea36cdf174f5d47b70d56b4131ea10b630

SHA256
1fe06404ad1dfa90d3b1da74b43fc0ccc3fa6abeedb18d8e863162ce3442340b

SHA512
f7c84edc57f9054bf5c555d8917575bc0bfef3a096414f1b68a371b03e7889960d0b54689bf839b5831d1a609982e9471369f5b48e844c147efede96f3baa11f

Download Submit
C:\Windows\{798BF7FD-10CD-432d-854B-52FE95BDBE63}.exe

Filesize
168KB

MD5
95f77521b854c5240312ff6f12efb59f

SHA1
5134b2bd59fcdc71d3dae3a32afeb7087e8365de

SHA256
b43bb769b14e8780831163bc0231f91a180f9b46b36ff0a33f416c02d0cad672

SHA512
d21a29268383242374c3d8f02db8da411c6a17086e31b9f70a390c3e513426d94888f308706ea57b99ae0fa1141dc5c673c679161b121ad9dcaab42bed04f1ae

Download Submit
C:\Windows\{87543838-28C4-4ac0-97FD-9E867AC8A3BD}.exe

Filesize
168KB

MD5
8d9a01da2ab8958a7adc80305b5f21de

SHA1
f33221f8be9b15e6f36261f68ead9daec116f763

SHA256
be76fe6334e1446a2de17c270f895318c31afb2b994a71121484ea88cb1e1cc4

SHA512
dda2cc1289455b793e133f2e9538d30543644d9635e297f951d659d8e3c3abe28f421c09fbea90d4a6910cb7b12a1281b2b967080b8a654c6db9d0532bf1f14f

Download Submit
C:\Windows\{8BF2FDD4-CC2B-4085-9231-6098E5E417E6}.exe

Filesize
168KB

MD5
b693adbdd1b06e57916c65adf20e622e

SHA1
9dd1a0781e4077c1f52538cd75ed35f9971d1ddf

SHA256
7f84099b46b148d0805f0e9560e13dedb8a41929edc875cd8f1577452e9640c9

SHA512
f1c88c45e177fc6fbd938943489883dccf5d5fbde46de2ab743f470d26c17014d141e598c750e957ac2da0c71f45d9b8915e311dd79526816775418cf1b1fc8d

Download Submit
C:\Windows\{A4F5CA14-02C9-4fdd-9322-1F05B7B711F0}.exe

Filesize
168KB

MD5
3350a00fa327353701c354713b83d5db

SHA1
51e89ccc8e7aba187e67bd80e13aa158c29b0374

SHA256
4aa4e943a1537001363a8a6095cf5a9083cfc49b7344a809728b072bc91039a5

SHA512
048aac3e9d2c5205ec6e9f352d4f821ae89ef4e4210e3adc15a92a155a0c95f745ae40bfda1518226141d0ca98623b30b3c2643ab044d7437b1446b9f6dc94ce

Download Submit
C:\Windows\{ADEA0210-8A0D-4777-BFC2-7BCE429C8261}.exe

Filesize
168KB

MD5
6ed995606d4c6a44664f8548c41f5fe6

SHA1
2d186c1b0d4c8fbc5c22729ad421ab86d776f46a

SHA256
cdd86009abf607808dcc52152aaadc39ae6f2027a82a2bfb092fde0a1a45e5e4

SHA512
dd41de9005e8e34bce4cbb900b6dc3cc59670d47663132b2be2dbaeac0d8a7c4404d5cefd208e2244cd634fb739fdd3de9776c09f112dc3a0340e29f8fb7ce91

Download Submit
C:\Windows\{BBB076D5-5D02-41c0-AED9-9FB3D5CAF80D}.exe

Filesize
168KB

MD5
4b173706eccd908290c440f13709c390

SHA1
7830635a75bad23a14f0245d7670a8156d9401ef

SHA256
00ffd28881849ac03726a06ce3f23d3bdef13159ed0b395a4566f775887f52c3

SHA512
160f4105f259336d1b8623954731d4032fdf78221ad4a50d63d024f88e17de9cf5a7c6b81c2cd2292b642e37c6b0978de115aa70640965134408c070cc1e33d9

Download Submit
C:\Windows\{CF177097-7589-4ce9-8131-F182427BAD6F}.exe

Filesize
168KB

MD5
2b679ed679acd96c761ced59bdf9f5a9

SHA1
56a3158d4c473bb0a19736bec0ced966a0e8c139

SHA256
b0ba16625b868eea605478f05eef68ef0ca2fb6e474af3c087e332a5c98ffb1b

SHA512
1c3d59c9ea0c61d51ea834d75199162b74f601eb2aac5f54ef5541a7d2471b61abd3405d5cfb680a103f048ede2680eb3983b968e686a6b9eb2f4c31ae2441f9

Download Submit
C:\Windows\{F42A4E65-B64B-4500-974A-B7BB01319353}.exe

Filesize
168KB

MD5
861e587e7bfa2d7c3f4421b37d8a3f35

SHA1
14c8890486910891d02f6d104083bd718f1d1439

SHA256
c2fdf03698efbfe8cd8ade2073a6fd4e7791d2a0d64b35aa64160514024217f4

SHA512
25f012abac7ed12ff48daaa2ebf6bf58e21ccf0d7eccf247ebfc433fdfb4706ed9e2b92c4d431f4cefccb092944eac967abe0d776567250af6dce065fd8ce562

Download Submit
C:\Windows\{F9F6AB06-2784-41ec-A70E-1F4527AC7F4F}.exe

Filesize
168KB

MD5
022fbff132f2e3566063e3521804966c

SHA1
813880e935e80fd609232ccc27bc80e5179c4f31

SHA256
98ba9e615d99eeafa61c2b26d4f0cad87bfe82c31043575ee1853435dbfdbe63

SHA512
bbaf56de3f8473d91798b4fc497e04a6b2d9a60733d91fb5b8df42dc49f001b45e9a53ce1a89183c3a025a2bba451ca86b807c42435099a31406c39668728bb6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads