46563d7a08ec151c3257b511d82690b3dcaebfee4cdc2f8200e02bd5f86b7707

Analysis

max time kernel
151s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe
Size

216KB
MD5

aa0e28ed0a69f03b99c8fbe84b24f7d2
SHA1

a4f3e1c9535483fb74480c755d89dfc5743724c3
SHA256

46563d7a08ec151c3257b511d82690b3dcaebfee4cdc2f8200e02bd5f86b7707
SHA512

13df4711cb0bc14d3a3b6c3664239242334abbf7174327339a291fc5bb2fc159dc4bd0faa7235cf3416a26cf4655845ff191635e43e1ea7e6b3c91fa62f00e8b
SSDEEP

3072:jEGh0oPl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGRlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012265-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e0000000161a3-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001635e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000055a2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f0000000161a3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00130000000055a2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00300000000161a3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00140000000055a2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00310000000161a3-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00150000000055a2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00320000000161a3-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00160000000055a2-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51BE5C6D-3D06-4c38-A3CC-7B5F5AFBA6AD}\stubpath = "C:\\Windows\\{51BE5C6D-3D06-4c38-A3CC-7B5F5AFBA6AD}.exe"	{C05BB434-58D7-475a-8505-CC8D3E05E758}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72022A99-47D5-493d-B497-A34BE69D8560}\stubpath = "C:\\Windows\\{72022A99-47D5-493d-B497-A34BE69D8560}.exe"	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E135963-98BE-41cd-AF9B-5EF501F570F5}	{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E135963-98BE-41cd-AF9B-5EF501F570F5}\stubpath = "C:\\Windows\\{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe"	{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{011DA113-DD3D-48ad-81F7-91774CF1995A}	{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA4C460E-8789-471b-B171-B0932DC27C11}\stubpath = "C:\\Windows\\{BA4C460E-8789-471b-B171-B0932DC27C11}.exe"	{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E306D95-B86E-4339-AA02-CED0A2B71ABC}	{BA4C460E-8789-471b-B171-B0932DC27C11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A02AF408-0B9C-437e-89B0-04E693A3B155}\stubpath = "C:\\Windows\\{A02AF408-0B9C-437e-89B0-04E693A3B155}.exe"	{0E306D95-B86E-4339-AA02-CED0A2B71ABC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C05BB434-58D7-475a-8505-CC8D3E05E758}\stubpath = "C:\\Windows\\{C05BB434-58D7-475a-8505-CC8D3E05E758}.exe"	{C0E0D254-2D62-41a1-9BA2-91BB1F74A50D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72022A99-47D5-493d-B497-A34BE69D8560}	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}	{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}\stubpath = "C:\\Windows\\{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe"	{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51BE5C6D-3D06-4c38-A3CC-7B5F5AFBA6AD}	{C05BB434-58D7-475a-8505-CC8D3E05E758}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{011DA113-DD3D-48ad-81F7-91774CF1995A}\stubpath = "C:\\Windows\\{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe"	{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}\stubpath = "C:\\Windows\\{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe"	{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0E0D254-2D62-41a1-9BA2-91BB1F74A50D}	{A02AF408-0B9C-437e-89B0-04E693A3B155}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA4C460E-8789-471b-B171-B0932DC27C11}	{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E306D95-B86E-4339-AA02-CED0A2B71ABC}\stubpath = "C:\\Windows\\{0E306D95-B86E-4339-AA02-CED0A2B71ABC}.exe"	{BA4C460E-8789-471b-B171-B0932DC27C11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A02AF408-0B9C-437e-89B0-04E693A3B155}	{0E306D95-B86E-4339-AA02-CED0A2B71ABC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0E0D254-2D62-41a1-9BA2-91BB1F74A50D}\stubpath = "C:\\Windows\\{C0E0D254-2D62-41a1-9BA2-91BB1F74A50D}.exe"	{A02AF408-0B9C-437e-89B0-04E693A3B155}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C05BB434-58D7-475a-8505-CC8D3E05E758}	{C0E0D254-2D62-41a1-9BA2-91BB1F74A50D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}	{72022A99-47D5-493d-B497-A34BE69D8560}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}\stubpath = "C:\\Windows\\{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe"	{72022A99-47D5-493d-B497-A34BE69D8560}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}	{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe

Deletes itself 1 IoCs

pid	Process
2520	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2952	{72022A99-47D5-493d-B497-A34BE69D8560}.exe
2516	{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe
2428	{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe
2424	{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe
2884	{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe
2064	{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe
2804	{BA4C460E-8789-471b-B171-B0932DC27C11}.exe
292	{0E306D95-B86E-4339-AA02-CED0A2B71ABC}.exe
932	{A02AF408-0B9C-437e-89B0-04E693A3B155}.exe
2204	{C0E0D254-2D62-41a1-9BA2-91BB1F74A50D}.exe
2072	{C05BB434-58D7-475a-8505-CC8D3E05E758}.exe
1956	{51BE5C6D-3D06-4c38-A3CC-7B5F5AFBA6AD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BA4C460E-8789-471b-B171-B0932DC27C11}.exe	{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe
File created	C:\Windows\{0E306D95-B86E-4339-AA02-CED0A2B71ABC}.exe	{BA4C460E-8789-471b-B171-B0932DC27C11}.exe
File created	C:\Windows\{C0E0D254-2D62-41a1-9BA2-91BB1F74A50D}.exe	{A02AF408-0B9C-437e-89B0-04E693A3B155}.exe
File created	C:\Windows\{C05BB434-58D7-475a-8505-CC8D3E05E758}.exe	{C0E0D254-2D62-41a1-9BA2-91BB1F74A50D}.exe
File created	C:\Windows\{51BE5C6D-3D06-4c38-A3CC-7B5F5AFBA6AD}.exe	{C05BB434-58D7-475a-8505-CC8D3E05E758}.exe
File created	C:\Windows\{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe	{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe
File created	C:\Windows\{A02AF408-0B9C-437e-89B0-04E693A3B155}.exe	{0E306D95-B86E-4339-AA02-CED0A2B71ABC}.exe
File created	C:\Windows\{72022A99-47D5-493d-B497-A34BE69D8560}.exe	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe
File created	C:\Windows\{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe	{72022A99-47D5-493d-B497-A34BE69D8560}.exe
File created	C:\Windows\{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe	{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe
File created	C:\Windows\{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe	{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe
File created	C:\Windows\{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe	{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2352	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2952	{72022A99-47D5-493d-B497-A34BE69D8560}.exe
Token: SeIncBasePriorityPrivilege	2516	{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe
Token: SeIncBasePriorityPrivilege	2428	{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe
Token: SeIncBasePriorityPrivilege	2424	{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe
Token: SeIncBasePriorityPrivilege	2884	{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe
Token: SeIncBasePriorityPrivilege	2064	{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe
Token: SeIncBasePriorityPrivilege	2804	{BA4C460E-8789-471b-B171-B0932DC27C11}.exe
Token: SeIncBasePriorityPrivilege	292	{0E306D95-B86E-4339-AA02-CED0A2B71ABC}.exe
Token: SeIncBasePriorityPrivilege	932	{A02AF408-0B9C-437e-89B0-04E693A3B155}.exe
Token: SeIncBasePriorityPrivilege	2204	{C0E0D254-2D62-41a1-9BA2-91BB1F74A50D}.exe
Token: SeIncBasePriorityPrivilege	2072	{C05BB434-58D7-475a-8505-CC8D3E05E758}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2952	2352	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe	28
PID 2352 wrote to memory of 2952	2352	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe	28
PID 2352 wrote to memory of 2952	2352	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe	28
PID 2352 wrote to memory of 2952	2352	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe	28
PID 2352 wrote to memory of 2520	2352	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe	29
PID 2352 wrote to memory of 2520	2352	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe	29
PID 2352 wrote to memory of 2520	2352	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe	29
PID 2352 wrote to memory of 2520	2352	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe	29
PID 2952 wrote to memory of 2516	2952	{72022A99-47D5-493d-B497-A34BE69D8560}.exe	30
PID 2952 wrote to memory of 2516	2952	{72022A99-47D5-493d-B497-A34BE69D8560}.exe	30
PID 2952 wrote to memory of 2516	2952	{72022A99-47D5-493d-B497-A34BE69D8560}.exe	30
PID 2952 wrote to memory of 2516	2952	{72022A99-47D5-493d-B497-A34BE69D8560}.exe	30
PID 2952 wrote to memory of 2104	2952	{72022A99-47D5-493d-B497-A34BE69D8560}.exe	31
PID 2952 wrote to memory of 2104	2952	{72022A99-47D5-493d-B497-A34BE69D8560}.exe	31
PID 2952 wrote to memory of 2104	2952	{72022A99-47D5-493d-B497-A34BE69D8560}.exe	31
PID 2952 wrote to memory of 2104	2952	{72022A99-47D5-493d-B497-A34BE69D8560}.exe	31
PID 2516 wrote to memory of 2428	2516	{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe	34
PID 2516 wrote to memory of 2428	2516	{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe	34
PID 2516 wrote to memory of 2428	2516	{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe	34
PID 2516 wrote to memory of 2428	2516	{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe	34
PID 2516 wrote to memory of 2484	2516	{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe	35
PID 2516 wrote to memory of 2484	2516	{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe	35
PID 2516 wrote to memory of 2484	2516	{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe	35
PID 2516 wrote to memory of 2484	2516	{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe	35
PID 2428 wrote to memory of 2424	2428	{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe	36
PID 2428 wrote to memory of 2424	2428	{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe	36
PID 2428 wrote to memory of 2424	2428	{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe	36
PID 2428 wrote to memory of 2424	2428	{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe	36
PID 2428 wrote to memory of 2644	2428	{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe	37
PID 2428 wrote to memory of 2644	2428	{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe	37
PID 2428 wrote to memory of 2644	2428	{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe	37
PID 2428 wrote to memory of 2644	2428	{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe	37
PID 2424 wrote to memory of 2884	2424	{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe	38
PID 2424 wrote to memory of 2884	2424	{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe	38
PID 2424 wrote to memory of 2884	2424	{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe	38
PID 2424 wrote to memory of 2884	2424	{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe	38
PID 2424 wrote to memory of 2940	2424	{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe	39
PID 2424 wrote to memory of 2940	2424	{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe	39
PID 2424 wrote to memory of 2940	2424	{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe	39
PID 2424 wrote to memory of 2940	2424	{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe	39
PID 2884 wrote to memory of 2064	2884	{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe	40
PID 2884 wrote to memory of 2064	2884	{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe	40
PID 2884 wrote to memory of 2064	2884	{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe	40
PID 2884 wrote to memory of 2064	2884	{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe	40
PID 2884 wrote to memory of 2588	2884	{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe	41
PID 2884 wrote to memory of 2588	2884	{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe	41
PID 2884 wrote to memory of 2588	2884	{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe	41
PID 2884 wrote to memory of 2588	2884	{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe	41
PID 2064 wrote to memory of 2804	2064	{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe	42
PID 2064 wrote to memory of 2804	2064	{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe	42
PID 2064 wrote to memory of 2804	2064	{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe	42
PID 2064 wrote to memory of 2804	2064	{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe	42
PID 2064 wrote to memory of 1548	2064	{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe	43
PID 2064 wrote to memory of 1548	2064	{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe	43
PID 2064 wrote to memory of 1548	2064	{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe	43
PID 2064 wrote to memory of 1548	2064	{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe	43
PID 2804 wrote to memory of 292	2804	{BA4C460E-8789-471b-B171-B0932DC27C11}.exe	44
PID 2804 wrote to memory of 292	2804	{BA4C460E-8789-471b-B171-B0932DC27C11}.exe	44
PID 2804 wrote to memory of 292	2804	{BA4C460E-8789-471b-B171-B0932DC27C11}.exe	44
PID 2804 wrote to memory of 292	2804	{BA4C460E-8789-471b-B171-B0932DC27C11}.exe	44
PID 2804 wrote to memory of 2836	2804	{BA4C460E-8789-471b-B171-B0932DC27C11}.exe	45
PID 2804 wrote to memory of 2836	2804	{BA4C460E-8789-471b-B171-B0932DC27C11}.exe	45
PID 2804 wrote to memory of 2836	2804	{BA4C460E-8789-471b-B171-B0932DC27C11}.exe	45
PID 2804 wrote to memory of 2836	2804	{BA4C460E-8789-471b-B171-B0932DC27C11}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\{72022A99-47D5-493d-B497-A34BE69D8560}.exe
  C:\Windows\{72022A99-47D5-493d-B497-A34BE69D8560}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe
    C:\Windows\{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe
      C:\Windows\{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe
        
        C:\Windows\{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe
        
        C:\Windows\{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe
        
        C:\Windows\{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\{BA4C460E-8789-471b-B171-B0932DC27C11}.exe
        
        C:\Windows\{BA4C460E-8789-471b-B171-B0932DC27C11}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\{0E306D95-B86E-4339-AA02-CED0A2B71ABC}.exe
        
        C:\Windows\{0E306D95-B86E-4339-AA02-CED0A2B71ABC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
        
        C:\Windows\{A02AF408-0B9C-437e-89B0-04E693A3B155}.exe
        
        C:\Windows\{A02AF408-0B9C-437e-89B0-04E693A3B155}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\{C0E0D254-2D62-41a1-9BA2-91BB1F74A50D}.exe
        
        C:\Windows\{C0E0D254-2D62-41a1-9BA2-91BB1F74A50D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\{C05BB434-58D7-475a-8505-CC8D3E05E758}.exe
        
        C:\Windows\{C05BB434-58D7-475a-8505-CC8D3E05E758}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\{51BE5C6D-3D06-4c38-A3CC-7B5F5AFBA6AD}.exe
        
        C:\Windows\{51BE5C6D-3D06-4c38-A3CC-7B5F5AFBA6AD}.exe
        13⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C05BB~1.EXE > nul
        13⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0E0D~1.EXE > nul
        12⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A02AF~1.EXE > nul
        11⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E306~1.EXE > nul
        10⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA4C4~1.EXE > nul
        9⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BC38~1.EXE > nul
        8⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E135~1.EXE > nul
        7⤵
        
        PID:2588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{011DA~1.EXE > nul
        6⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6267D~1.EXE > nul
        5⤵
        
        PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{25F17~1.EXE > nul
      4⤵
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{72022~1.EXE > nul
    3⤵
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{011DA113-DD3D-48ad-81F7-91774CF1995A}.exe

Filesize
216KB

MD5
26f36f177b000cf6528361512b27319a

SHA1
425e3e6230320983350f624e0755bff0d444f011

SHA256
8ef7f385352f76c7f6ca15490bc0836395c019fccb9545ad3125731b61c4edd1

SHA512
a435e5803cca1662446473150f0214187a562ce3a2aa992b462bfad0ea25547ba23cac86af498d2612ad873c3d48ff54d0777200bcbe6a36616af84f7f04b9c7

Download Submit
C:\Windows\{0BC38C4A-12D5-4cf7-8E75-3C6338C069CE}.exe

Filesize
216KB

MD5
0273114a59b24295d6f58858d9eea072

SHA1
f5100e7d515e2591bb84066321e917e0c1218d60

SHA256
1a79351ade4f0610cf0a003e05562e2d1063e08d212265ffd6fd069ece02c891

SHA512
8fbdadbc237fd8782d9b2e7d0b9bfebfbad353270402483dcaf77d967d91201f36f0717c6067caef54180e5d1f7429ca2282584ea2afb6e6833a452d50d5f9e3

Download Submit
C:\Windows\{0E306D95-B86E-4339-AA02-CED0A2B71ABC}.exe

Filesize
216KB

MD5
1245da66b7cec1369d8c743fec68c46b

SHA1
d4229d3d9ab1d42a1532f19b0ab139e630e98198

SHA256
695e94be5b647d12dd8477d473ebfe8ebbf0064b9a3922bc356cf7f9fbb0e63f

SHA512
0add9a5a60bae1a4f592c7be4ae033f3280ddc9e8b493d8bb67f7dc6bf5d041c2c5319a6268e64556cbc7caaecd582869a8b8069cbcded888b9853483ed35946

Download Submit
C:\Windows\{25F179D2-66EB-4a9c-9BD5-A8438EBB4C0D}.exe

Filesize
216KB

MD5
b0e23f1db28fd1b0e7ad5bb2680665f1

SHA1
7c678e2e9b2c86133110299ede0aa2206511f03a

SHA256
8d38cfedc1f603f3080c292c11e076703549a1072d591fd52ffc66706fa73a8e

SHA512
cc980f39e4c3b19a5806556974505f0b6a7709d3e2156afeaa36c46c98501334bd2b61f09daaab62d468a377ca97c1f4b031a856c4f632d68846ba9576e5a066

Download Submit
C:\Windows\{51BE5C6D-3D06-4c38-A3CC-7B5F5AFBA6AD}.exe

Filesize
216KB

MD5
dfe742731383aaf2aa1d3667d942fbee

SHA1
7937ffce635ec80327ef7f52dabd92fe1e0e6fa7

SHA256
c75a0540733b37d49667ed84960810b91a387a4d03faf68fa009d723c04ddd9f

SHA512
efe494fa8f868439677676f53fd6ce1609b3fac1a5984f7b4e797c7369de52aa6babb1ca920d5e79e26576d3a1e9f3a09aed47b215d3e6d56a4dd99a88d06026

Download Submit
C:\Windows\{6267D4FB-5D63-4c9d-8D85-D4A37B01E25C}.exe

Filesize
216KB

MD5
8ab6679351ce1c2051358df12fe806ec

SHA1
d301033267330629df59b6f296564d47ea9f5a33

SHA256
65cc95d2b5bfb5a6f0e370c4fbb5189daae70a18be52ef57128a5c51f1728868

SHA512
db74a23183b342c33c46a8cfd267ce6ca83ff0b8a21d7682385e6fd5eff5dbcd3974f9f07d3d928ffd730d132b261fffb1999786248d65373f132dda2eb727c5

Download Submit
C:\Windows\{72022A99-47D5-493d-B497-A34BE69D8560}.exe

Filesize
216KB

MD5
ee1a304dc021568a643dde74c198aee7

SHA1
aae06f4be38a778f06b9999ee5a6bccef744bad3

SHA256
d9ec877b096eae8e1da4595a2f1c7965b6970a866d1152680ff2853842d7346b

SHA512
ab7f947c7fea194abd66b9bc7773ba0c56dbd9826a5f95f04b493df7304d8e5e79ba6cf2e06d9c3c258f1cbb6eff7ad45cdcd78202e440f6894ed403bc159b66

Download Submit
C:\Windows\{8E135963-98BE-41cd-AF9B-5EF501F570F5}.exe

Filesize
216KB

MD5
34ec7fff19867bca3655d1fd87e8860e

SHA1
76a89c7099908307073693604fe89b8e31b5e413

SHA256
5eb2530f1102705f6bacf36bc2addbd705a70ada981ee081d56ab28a219b5b7c

SHA512
dae751954ff0aa114aa4b7b07e152708190810edf6b0b4d6116e85e858c0cc1bd489050dbca91729ee6a75fc6cd99c36ce008f0b3c0fc201e82d18c77753f0fa

Download Submit
C:\Windows\{A02AF408-0B9C-437e-89B0-04E693A3B155}.exe

Filesize
216KB

MD5
8e615002d50d0ffd41f9fdf1b6a03840

SHA1
da405cd5cfd7e7f58134ffb76647dc105eb3e74f

SHA256
efdc661e705b483f05ea1a2a90cc301d5dba1bc377becb01b9e40bcf66c1d59f

SHA512
8017634150692d2bca1fe9976592fbebbbf9961d974376030e256de6bec625fbe86e4c7fe27e0d80f61297fcc1b41bb7e11f26521be8ba1ba67f7d377d40a105

Download Submit
C:\Windows\{BA4C460E-8789-471b-B171-B0932DC27C11}.exe

Filesize
216KB

MD5
493478d54f2b8dceb36404095dbb1fc0

SHA1
9d37dae32d1860e40cd6351e22eb645a893a2c42

SHA256
d74fe96ce0c596519d56cec12f7b676186dfe69c2f36e130df6080de6045e264

SHA512
04fe953c08c836e1a879a886f6820e55351500c3d888f2209b3893102bd20113aee5112fb951ef4dc8259bdf296e4263bcc1bc925d2917e2cfeb8950dba4adb8

Download Submit
C:\Windows\{C05BB434-58D7-475a-8505-CC8D3E05E758}.exe

Filesize
216KB

MD5
74a2c0246a977b310b82110e2fd5366c

SHA1
61b863fe220d14508f7eb2fac27974ed240bd93d

SHA256
b33467131ef5e35988e920094322f3dcbef52643c1eb3d02f0d6d984c671e960

SHA512
fd8ce5bb8d09c0e61aa552dd4592490d70807c5eeddd98d4e0e191bea69348d741fb9c6e5d42b52396e9f4509d58c1c02d95fb603f3c10b1c16bef74ffe5b815

Download Submit
C:\Windows\{C0E0D254-2D62-41a1-9BA2-91BB1F74A50D}.exe

Filesize
216KB

MD5
5bef7ccb48ca571bdf1e37cf8d89b8fe

SHA1
33b4e0b6c390c19205adbdec6c87e961c272e9f5

SHA256
c9ec8c8019c12b673f0286a77632ac9f50b6d84ad15e2bab6ecc9ea4926bb0e3

SHA512
0572f8d89205ef8c5a4bf8fd6eb1bbee0aeee148b2cfa2a617b8913bf384b0f7ff61e31433cac0808b6e0b62ebf7a89c056d8be0fd4b77240f2276116656debc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads