131576bee4fa688e4445a3de1b1343e5da90f80d6bbb6939f5bc7fed1625001d

Analysis

max time kernel
150s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe
Size

204KB
MD5

3aa4105943ff24d0842cfa1b57f7134b
SHA1

1284b01e2938e19ecab9c4ece9b1d073f98ce3a5
SHA256

131576bee4fa688e4445a3de1b1343e5da90f80d6bbb6939f5bc7fed1625001d
SHA512

7fe3cf7a84aca26a4ad1855d4e1a93c47efd44503466c6a634ed845b99660a82577be7cff4593f76977491000b173840a9e091fc1168fb233e70b2eb0f29e0c4
SSDEEP

1536:1EGh0oll15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oll1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000b000000015f0e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000016644-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000055a2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0039000000016644-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00130000000055a2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a000000016644-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00140000000055a2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003b000000016644-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00150000000055a2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003c000000016644-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00160000000055a2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003d000000016644-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06140FBA-9002-4067-806D-7629F5F3C940}\stubpath = "C:\\Windows\\{06140FBA-9002-4067-806D-7629F5F3C940}.exe"	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}\stubpath = "C:\\Windows\\{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe"	{06140FBA-9002-4067-806D-7629F5F3C940}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1240AD98-2180-47ee-87AE-9974DC6DE192}\stubpath = "C:\\Windows\\{1240AD98-2180-47ee-87AE-9974DC6DE192}.exe"	{F06FC2A3-0E8E-436f-A94F-EEF6BF155BAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}	{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}\stubpath = "C:\\Windows\\{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe"	{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F06FC2A3-0E8E-436f-A94F-EEF6BF155BAA}	{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45B61CF5-E722-4384-9AA4-AC25A28E6CE6}	{1240AD98-2180-47ee-87AE-9974DC6DE192}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA05D93C-E77B-42da-897E-79AA119FBE9D}	{45B61CF5-E722-4384-9AA4-AC25A28E6CE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA05D93C-E77B-42da-897E-79AA119FBE9D}\stubpath = "C:\\Windows\\{BA05D93C-E77B-42da-897E-79AA119FBE9D}.exe"	{45B61CF5-E722-4384-9AA4-AC25A28E6CE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0E9C651-F66F-4871-A14B-CA86F73D54E3}\stubpath = "C:\\Windows\\{E0E9C651-F66F-4871-A14B-CA86F73D54E3}.exe"	{BA05D93C-E77B-42da-897E-79AA119FBE9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}	{06140FBA-9002-4067-806D-7629F5F3C940}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E6350A1-8908-491c-80C9-33FAD56D290C}\stubpath = "C:\\Windows\\{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe"	{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}\stubpath = "C:\\Windows\\{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe"	{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8461DFB-368D-4147-96E8-0C4D05CE29E4}\stubpath = "C:\\Windows\\{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe"	{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}	{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AEE1AEF-A774-46fc-B209-B2239990D1C4}	{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AEE1AEF-A774-46fc-B209-B2239990D1C4}\stubpath = "C:\\Windows\\{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe"	{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F06FC2A3-0E8E-436f-A94F-EEF6BF155BAA}\stubpath = "C:\\Windows\\{F06FC2A3-0E8E-436f-A94F-EEF6BF155BAA}.exe"	{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06140FBA-9002-4067-806D-7629F5F3C940}	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E6350A1-8908-491c-80C9-33FAD56D290C}	{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8461DFB-368D-4147-96E8-0C4D05CE29E4}	{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1240AD98-2180-47ee-87AE-9974DC6DE192}	{F06FC2A3-0E8E-436f-A94F-EEF6BF155BAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45B61CF5-E722-4384-9AA4-AC25A28E6CE6}\stubpath = "C:\\Windows\\{45B61CF5-E722-4384-9AA4-AC25A28E6CE6}.exe"	{1240AD98-2180-47ee-87AE-9974DC6DE192}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0E9C651-F66F-4871-A14B-CA86F73D54E3}	{BA05D93C-E77B-42da-897E-79AA119FBE9D}.exe

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
3060	{06140FBA-9002-4067-806D-7629F5F3C940}.exe
3000	{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe
2356	{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe
524	{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe
1204	{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe
284	{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe
936	{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe
2480	{F06FC2A3-0E8E-436f-A94F-EEF6BF155BAA}.exe
1072	{1240AD98-2180-47ee-87AE-9974DC6DE192}.exe
956	{45B61CF5-E722-4384-9AA4-AC25A28E6CE6}.exe
2032	{BA05D93C-E77B-42da-897E-79AA119FBE9D}.exe
2960	{E0E9C651-F66F-4871-A14B-CA86F73D54E3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe	{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe
File created	C:\Windows\{45B61CF5-E722-4384-9AA4-AC25A28E6CE6}.exe	{1240AD98-2180-47ee-87AE-9974DC6DE192}.exe
File created	C:\Windows\{BA05D93C-E77B-42da-897E-79AA119FBE9D}.exe	{45B61CF5-E722-4384-9AA4-AC25A28E6CE6}.exe
File created	C:\Windows\{06140FBA-9002-4067-806D-7629F5F3C940}.exe	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe
File created	C:\Windows\{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe	{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe
File created	C:\Windows\{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe	{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe
File created	C:\Windows\{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe	{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe
File created	C:\Windows\{E0E9C651-F66F-4871-A14B-CA86F73D54E3}.exe	{BA05D93C-E77B-42da-897E-79AA119FBE9D}.exe
File created	C:\Windows\{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe	{06140FBA-9002-4067-806D-7629F5F3C940}.exe
File created	C:\Windows\{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe	{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe
File created	C:\Windows\{F06FC2A3-0E8E-436f-A94F-EEF6BF155BAA}.exe	{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe
File created	C:\Windows\{1240AD98-2180-47ee-87AE-9974DC6DE192}.exe	{F06FC2A3-0E8E-436f-A94F-EEF6BF155BAA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2332	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3060	{06140FBA-9002-4067-806D-7629F5F3C940}.exe
Token: SeIncBasePriorityPrivilege	3000	{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe
Token: SeIncBasePriorityPrivilege	2356	{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe
Token: SeIncBasePriorityPrivilege	524	{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe
Token: SeIncBasePriorityPrivilege	1204	{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe
Token: SeIncBasePriorityPrivilege	284	{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe
Token: SeIncBasePriorityPrivilege	936	{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe
Token: SeIncBasePriorityPrivilege	2480	{F06FC2A3-0E8E-436f-A94F-EEF6BF155BAA}.exe
Token: SeIncBasePriorityPrivilege	1072	{1240AD98-2180-47ee-87AE-9974DC6DE192}.exe
Token: SeIncBasePriorityPrivilege	956	{45B61CF5-E722-4384-9AA4-AC25A28E6CE6}.exe
Token: SeIncBasePriorityPrivilege	2032	{BA05D93C-E77B-42da-897E-79AA119FBE9D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 3060	2332	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe	28
PID 2332 wrote to memory of 3060	2332	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe	28
PID 2332 wrote to memory of 3060	2332	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe	28
PID 2332 wrote to memory of 3060	2332	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe	28
PID 2332 wrote to memory of 2644	2332	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe	29
PID 2332 wrote to memory of 2644	2332	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe	29
PID 2332 wrote to memory of 2644	2332	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe	29
PID 2332 wrote to memory of 2644	2332	2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe	29
PID 3060 wrote to memory of 3000	3060	{06140FBA-9002-4067-806D-7629F5F3C940}.exe	30
PID 3060 wrote to memory of 3000	3060	{06140FBA-9002-4067-806D-7629F5F3C940}.exe	30
PID 3060 wrote to memory of 3000	3060	{06140FBA-9002-4067-806D-7629F5F3C940}.exe	30
PID 3060 wrote to memory of 3000	3060	{06140FBA-9002-4067-806D-7629F5F3C940}.exe	30
PID 3060 wrote to memory of 1208	3060	{06140FBA-9002-4067-806D-7629F5F3C940}.exe	31
PID 3060 wrote to memory of 1208	3060	{06140FBA-9002-4067-806D-7629F5F3C940}.exe	31
PID 3060 wrote to memory of 1208	3060	{06140FBA-9002-4067-806D-7629F5F3C940}.exe	31
PID 3060 wrote to memory of 1208	3060	{06140FBA-9002-4067-806D-7629F5F3C940}.exe	31
PID 3000 wrote to memory of 2356	3000	{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe	34
PID 3000 wrote to memory of 2356	3000	{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe	34
PID 3000 wrote to memory of 2356	3000	{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe	34
PID 3000 wrote to memory of 2356	3000	{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe	34
PID 3000 wrote to memory of 2920	3000	{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe	35
PID 3000 wrote to memory of 2920	3000	{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe	35
PID 3000 wrote to memory of 2920	3000	{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe	35
PID 3000 wrote to memory of 2920	3000	{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe	35
PID 2356 wrote to memory of 524	2356	{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe	36
PID 2356 wrote to memory of 524	2356	{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe	36
PID 2356 wrote to memory of 524	2356	{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe	36
PID 2356 wrote to memory of 524	2356	{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe	36
PID 2356 wrote to memory of 472	2356	{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe	37
PID 2356 wrote to memory of 472	2356	{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe	37
PID 2356 wrote to memory of 472	2356	{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe	37
PID 2356 wrote to memory of 472	2356	{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe	37
PID 524 wrote to memory of 1204	524	{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe	38
PID 524 wrote to memory of 1204	524	{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe	38
PID 524 wrote to memory of 1204	524	{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe	38
PID 524 wrote to memory of 1204	524	{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe	38
PID 524 wrote to memory of 592	524	{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe	39
PID 524 wrote to memory of 592	524	{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe	39
PID 524 wrote to memory of 592	524	{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe	39
PID 524 wrote to memory of 592	524	{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe	39
PID 1204 wrote to memory of 284	1204	{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe	40
PID 1204 wrote to memory of 284	1204	{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe	40
PID 1204 wrote to memory of 284	1204	{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe	40
PID 1204 wrote to memory of 284	1204	{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe	40
PID 1204 wrote to memory of 2804	1204	{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe	41
PID 1204 wrote to memory of 2804	1204	{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe	41
PID 1204 wrote to memory of 2804	1204	{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe	41
PID 1204 wrote to memory of 2804	1204	{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe	41
PID 284 wrote to memory of 936	284	{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe	42
PID 284 wrote to memory of 936	284	{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe	42
PID 284 wrote to memory of 936	284	{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe	42
PID 284 wrote to memory of 936	284	{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe	42
PID 284 wrote to memory of 2200	284	{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe	43
PID 284 wrote to memory of 2200	284	{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe	43
PID 284 wrote to memory of 2200	284	{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe	43
PID 284 wrote to memory of 2200	284	{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe	43
PID 936 wrote to memory of 2480	936	{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe	44
PID 936 wrote to memory of 2480	936	{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe	44
PID 936 wrote to memory of 2480	936	{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe	44
PID 936 wrote to memory of 2480	936	{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe	44
PID 936 wrote to memory of 1600	936	{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe	45
PID 936 wrote to memory of 1600	936	{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe	45
PID 936 wrote to memory of 1600	936	{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe	45
PID 936 wrote to memory of 1600	936	{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_3aa4105943ff24d0842cfa1b57f7134b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\{06140FBA-9002-4067-806D-7629F5F3C940}.exe
  C:\Windows\{06140FBA-9002-4067-806D-7629F5F3C940}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe
    C:\Windows\{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe
      C:\Windows\{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe
        
        C:\Windows\{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:524
      - C:\Windows\{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe
        
        C:\Windows\{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe
        
        C:\Windows\{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Windows\{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe
        
        C:\Windows\{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\{F06FC2A3-0E8E-436f-A94F-EEF6BF155BAA}.exe
        
        C:\Windows\{F06FC2A3-0E8E-436f-A94F-EEF6BF155BAA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\{1240AD98-2180-47ee-87AE-9974DC6DE192}.exe
        
        C:\Windows\{1240AD98-2180-47ee-87AE-9974DC6DE192}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\{45B61CF5-E722-4384-9AA4-AC25A28E6CE6}.exe
        
        C:\Windows\{45B61CF5-E722-4384-9AA4-AC25A28E6CE6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\{BA05D93C-E77B-42da-897E-79AA119FBE9D}.exe
        
        C:\Windows\{BA05D93C-E77B-42da-897E-79AA119FBE9D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\{E0E9C651-F66F-4871-A14B-CA86F73D54E3}.exe
        
        C:\Windows\{E0E9C651-F66F-4871-A14B-CA86F73D54E3}.exe
        13⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA05D~1.EXE > nul
        13⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45B61~1.EXE > nul
        12⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1240A~1.EXE > nul
        11⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F06FC~1.EXE > nul
        10⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B6AD~1.EXE > nul
        9⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AEE1~1.EXE > nul
        8⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{246BD~1.EXE > nul
        7⤵
        
        PID:2804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8461~1.EXE > nul
        6⤵
        
        PID:592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E635~1.EXE > nul
        5⤵
        
        PID:472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{978C2~1.EXE > nul
      4⤵
      PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{06140~1.EXE > nul
    3⤵
    PID:1208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06140FBA-9002-4067-806D-7629F5F3C940}.exe

Filesize
204KB

MD5
5afac13258e994d30e340d4bfe3b9665

SHA1
734fbe00842b2dd15a951cfa43aea99ee863f48b

SHA256
a620e98f546a7f37717308a2a1262789be56e3ab2980721437cc4d2b8187be17

SHA512
9ec023daf3796be6b90a8dc505b7275749143516c2c25464333422664d4c8d90ff17fb17c3f8d781b54d13bb00ed28a4abb6791e03c8f55c7d0d02c4f41bf8c5

Download Submit
C:\Windows\{1240AD98-2180-47ee-87AE-9974DC6DE192}.exe

Filesize
204KB

MD5
d03a37d32886943ec9bd840912aa78dc

SHA1
bd685c09ca05e91eaeb1dabbda7c25cd0471a9fe

SHA256
4fb8b3686d03e580061e9337c8a9c48808871702a4f8eb1ce3180370dda958ab

SHA512
ed22ee25a297f0b902805649d7661c335ca6e29f174142dc05389b367c53bce03ee9a47a3af0da5506c18eaf3513095cf28cc178c2e00c0e656f98342b2cb664

Download Submit
C:\Windows\{1AEE1AEF-A774-46fc-B209-B2239990D1C4}.exe

Filesize
204KB

MD5
13e654797aa265b452beff208d510804

SHA1
71bc94ac495d117c54cc44876c104eaea68ba27b

SHA256
494cdad00266320ea70af38c0207703b36b476e8be2c09a12785b83cf00fcd74

SHA512
a9db6dc2722725d771059501ea8320396ac26a9d108031f43f80f8449fd9494f2afa5453cd575b86c7e639159bcd39b3ffe39e1cb4d6938e45a59da6e256dabb

Download Submit
C:\Windows\{246BDE17-17C3-4e89-9E4D-E7FFFFC2A59B}.exe

Filesize
204KB

MD5
82a14448b5da33c3fb05fd9993a0fa88

SHA1
cdcd468c1bed4ef2707ada8fb5630dac572e7014

SHA256
4f3e444e59f34790b0aa04884ac9466b8e9ce6f96d5fd959bc58dad5c05830ce

SHA512
05d318003e769252b8181df01750a43decff32a0710622d62eecda372b9c119b4043491197fd153059eaf7be6e3d2395ee0cbd7202efc8f9d64f7493938cbfcb

Download Submit
C:\Windows\{45B61CF5-E722-4384-9AA4-AC25A28E6CE6}.exe

Filesize
204KB

MD5
b404eca667ccc1db00d048e4c1840865

SHA1
41551888a39023f0a54564037af8cf2b356cf40d

SHA256
9bf80c6d5860bfbc8c8a9e0a1ba455dcc31710861f22deac36466c689c8f46d8

SHA512
5ab79edc2bbaacbb713936091d24b2554d9b88973309a2295c4ae27b09c00442ecaf54850a3620ae035c0cde33477ea75b38b32efec75eb4d6dd2de7bdefdfcb

Download Submit
C:\Windows\{6B6ADE5F-8C08-4777-99AB-3C38BAD3B73F}.exe

Filesize
204KB

MD5
43c4b5805ce061861386defb661f3c34

SHA1
9aedc7e51ca1b2317db0d4db3a4ae15355e94c0a

SHA256
5f4e69fdd5076b1ff6d7938872956f10aedd19d9e1cd0681be560a7c42c6272a

SHA512
33c1fe473279648e0e2843e1fd892477099666cf2419322f6d3042d30bd5b538917c9d05f5c27d41d06cab6871999d6c1404a601172698845564b75f8dd1fa0a

Download Submit
C:\Windows\{8E6350A1-8908-491c-80C9-33FAD56D290C}.exe

Filesize
204KB

MD5
93be462f48f14e45d71007da9547d3cc

SHA1
3a41852c026841e34ce08170d2b3b4ba1d0cf2a3

SHA256
a7b794942f8aa2834c65df5e356bf3c13912c8bc7a6c4834f7d00afe28b3cd81

SHA512
7872c414361c16519828863579e96127db32fc19d106b022ea0551bf5b61d3638235970294f2320707ecc4774c4b494f10b6ae5753b2277fe2eb6aeba49c8df1

Download Submit
C:\Windows\{978C2471-DEDA-47ad-99DA-CDF7BD4F65C9}.exe

Filesize
204KB

MD5
43ec996dbd9c0fb1092b58951a3388a9

SHA1
0b7fbac03f198c5725a1f9be1190f4bdb0c3882b

SHA256
cce4ccb6a5bead585811db7cf78d7bd6c01d4df3f290a669bf5506f0fff646db

SHA512
49ad7bb107b9bd0dff71e2dfced90c156ae51000bbd5e09a7452852cdd2eeef7abae3e32a47c4c49c939f33e501e0c727aa9d97badd756820c9c8b4873e101dc

Download Submit
C:\Windows\{BA05D93C-E77B-42da-897E-79AA119FBE9D}.exe

Filesize
204KB

MD5
b0fb0d2a327e58ec32fdcfa315aef16c

SHA1
3365b3932b98eae379a214410bc84e939af5f0cc

SHA256
a316442811f93dce5ce5ba2f30e48f0827fbd0cfce265cb638c744912c123343

SHA512
8b9ce01208fc292752b5b91403825f1e8de91eec560ea9a8741b63b34596094d62b8ead8558537e9e6f633b2facc7745808ba00a149a9724bbe29783baf0091d

Download Submit
C:\Windows\{C8461DFB-368D-4147-96E8-0C4D05CE29E4}.exe

Filesize
204KB

MD5
1d92ed2185a272cc1f33a41bb4c8824f

SHA1
8ae95a28ba243abf754864e9523126946c320a9b

SHA256
d7d60d22501898a983512b4b7ea8d839c759082b5aba040c7ee8c5d9f26c8c20

SHA512
dd3ea42904c5ebd68891e4d10adaabcbb499e0e62ff32d56ecc0d6d4f39ca0b59121edb02bf98320048e95890be6be86a69e946242f50a4be297602498cbfbe1

Download Submit
C:\Windows\{E0E9C651-F66F-4871-A14B-CA86F73D54E3}.exe

Filesize
204KB

MD5
e4a3a17dbb4340fc777e34d12b9eba71

SHA1
8df87cae59976efb111aabd66bd5958074b6f2f6

SHA256
cfa415d60087f4a22efae474cc530525c690867c64a7592c71f5322c73f194fa

SHA512
452aca6dd8947d22d92ee4093eb34a013696570f6b37ed114e620d58b25b85582aef5e57a6f7331e091334d30fca8f363076553201832427e208abdea2872c97

Download Submit
C:\Windows\{F06FC2A3-0E8E-436f-A94F-EEF6BF155BAA}.exe

Filesize
204KB

MD5
ce231862d5a2912974fdb452a08ed096

SHA1
f4d60978f37009577ae9d00402aa405620b49bc2

SHA256
f56b4e515b572ea693d6a3e7e4c426ccd2ba7029d03a371310b243a5fce61f8f

SHA512
9fda31a9ff9b369f1dc108cdf6b970f92837ca8b10f9f1986279a6895b6e84c049c9a5493877f846103bdd7416bc45094e4f9783dc20b3f75b5d78d942e58af2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads