3470714f07b75c3321611a6546b4e603b42bd04d6fe2c14163b1b34fecd0245a

Analysis

max time kernel
151s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 11:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_2a2faca0b7bc1d964561ee6d6671cfd0_goldeneye.exe
Size

168KB
MD5

2a2faca0b7bc1d964561ee6d6671cfd0
SHA1

6e4366f05b67f2c14e8b9bcf7fca45975e46f1d9
SHA256

3470714f07b75c3321611a6546b4e603b42bd04d6fe2c14163b1b34fecd0245a
SHA512

87ac3a867a02bb3cf0b74fbd891ac5be8c0c6cf5ce145dd17c58d3dde0839c9ca2e5ca41dd8e15b0b2ce7fa3c00cf9887d7b5bd7603c675ef3fdbdd3fcd57937
SSDEEP

1536:1EGh0oRlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oRlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001434f-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000014688-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000014a37-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000014a37-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000014ac4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000000f6f2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000014ac4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000000f6f2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000014b41-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000000f6f2-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9267B468-3083-4b07-8E67-4773E479C8B3}	{61EED852-1619-40e4-A969-99175B3E2B3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9267B468-3083-4b07-8E67-4773E479C8B3}\stubpath = "C:\\Windows\\{9267B468-3083-4b07-8E67-4773E479C8B3}.exe"	{61EED852-1619-40e4-A969-99175B3E2B3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26AC7EF5-72A5-4c53-B921-82676B72AE47}	{9267B468-3083-4b07-8E67-4773E479C8B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C55CF76D-D9D6-423c-8DEA-72EB9843ABEB}\stubpath = "C:\\Windows\\{C55CF76D-D9D6-423c-8DEA-72EB9843ABEB}.exe"	{178759EA-FF2E-4a65-9555-99E5C73D4707}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0847820-D76B-48ce-9C12-70DF1DB6BB52}	{392C138A-43E3-4286-B189-FC875ADE78B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}\stubpath = "C:\\Windows\\{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe"	{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}	{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61EED852-1619-40e4-A969-99175B3E2B3A}\stubpath = "C:\\Windows\\{61EED852-1619-40e4-A969-99175B3E2B3A}.exe"	{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{225AAC8C-FB28-4a0c-9FA5-F8B0E3078F05}	{D0847820-D76B-48ce-9C12-70DF1DB6BB52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{392C138A-43E3-4286-B189-FC875ADE78B1}\stubpath = "C:\\Windows\\{392C138A-43E3-4286-B189-FC875ADE78B1}.exe"	{C55CF76D-D9D6-423c-8DEA-72EB9843ABEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F60FA15-B890-49e3-A508-5830D74A774F}	2024-04-18_2a2faca0b7bc1d964561ee6d6671cfd0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}\stubpath = "C:\\Windows\\{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe"	{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{178759EA-FF2E-4a65-9555-99E5C73D4707}	{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{392C138A-43E3-4286-B189-FC875ADE78B1}	{C55CF76D-D9D6-423c-8DEA-72EB9843ABEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{225AAC8C-FB28-4a0c-9FA5-F8B0E3078F05}\stubpath = "C:\\Windows\\{225AAC8C-FB28-4a0c-9FA5-F8B0E3078F05}.exe"	{D0847820-D76B-48ce-9C12-70DF1DB6BB52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}	{4F60FA15-B890-49e3-A508-5830D74A774F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}\stubpath = "C:\\Windows\\{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe"	{4F60FA15-B890-49e3-A508-5830D74A774F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}	{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{178759EA-FF2E-4a65-9555-99E5C73D4707}\stubpath = "C:\\Windows\\{178759EA-FF2E-4a65-9555-99E5C73D4707}.exe"	{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C55CF76D-D9D6-423c-8DEA-72EB9843ABEB}	{178759EA-FF2E-4a65-9555-99E5C73D4707}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0847820-D76B-48ce-9C12-70DF1DB6BB52}\stubpath = "C:\\Windows\\{D0847820-D76B-48ce-9C12-70DF1DB6BB52}.exe"	{392C138A-43E3-4286-B189-FC875ADE78B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F60FA15-B890-49e3-A508-5830D74A774F}\stubpath = "C:\\Windows\\{4F60FA15-B890-49e3-A508-5830D74A774F}.exe"	2024-04-18_2a2faca0b7bc1d964561ee6d6671cfd0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61EED852-1619-40e4-A969-99175B3E2B3A}	{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26AC7EF5-72A5-4c53-B921-82676B72AE47}\stubpath = "C:\\Windows\\{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe"	{9267B468-3083-4b07-8E67-4773E479C8B3}.exe

Deletes itself 1 IoCs

pid	Process
1720	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2296	{4F60FA15-B890-49e3-A508-5830D74A774F}.exe
2524	{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe
2460	{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe
2620	{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe
472	{61EED852-1619-40e4-A969-99175B3E2B3A}.exe
1888	{9267B468-3083-4b07-8E67-4773E479C8B3}.exe
2616	{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe
2792	{178759EA-FF2E-4a65-9555-99E5C73D4707}.exe
1392	{C55CF76D-D9D6-423c-8DEA-72EB9843ABEB}.exe
2000	{392C138A-43E3-4286-B189-FC875ADE78B1}.exe
928	{D0847820-D76B-48ce-9C12-70DF1DB6BB52}.exe
1560	{225AAC8C-FB28-4a0c-9FA5-F8B0E3078F05}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4F60FA15-B890-49e3-A508-5830D74A774F}.exe	2024-04-18_2a2faca0b7bc1d964561ee6d6671cfd0_goldeneye.exe
File created	C:\Windows\{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe	{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe
File created	C:\Windows\{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe	{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe
File created	C:\Windows\{61EED852-1619-40e4-A969-99175B3E2B3A}.exe	{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe
File created	C:\Windows\{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe	{9267B468-3083-4b07-8E67-4773E479C8B3}.exe
File created	C:\Windows\{392C138A-43E3-4286-B189-FC875ADE78B1}.exe	{C55CF76D-D9D6-423c-8DEA-72EB9843ABEB}.exe
File created	C:\Windows\{D0847820-D76B-48ce-9C12-70DF1DB6BB52}.exe	{392C138A-43E3-4286-B189-FC875ADE78B1}.exe
File created	C:\Windows\{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe	{4F60FA15-B890-49e3-A508-5830D74A774F}.exe
File created	C:\Windows\{9267B468-3083-4b07-8E67-4773E479C8B3}.exe	{61EED852-1619-40e4-A969-99175B3E2B3A}.exe
File created	C:\Windows\{178759EA-FF2E-4a65-9555-99E5C73D4707}.exe	{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe
File created	C:\Windows\{C55CF76D-D9D6-423c-8DEA-72EB9843ABEB}.exe	{178759EA-FF2E-4a65-9555-99E5C73D4707}.exe
File created	C:\Windows\{225AAC8C-FB28-4a0c-9FA5-F8B0E3078F05}.exe	{D0847820-D76B-48ce-9C12-70DF1DB6BB52}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1964	2024-04-18_2a2faca0b7bc1d964561ee6d6671cfd0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2296	{4F60FA15-B890-49e3-A508-5830D74A774F}.exe
Token: SeIncBasePriorityPrivilege	2524	{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe
Token: SeIncBasePriorityPrivilege	2460	{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe
Token: SeIncBasePriorityPrivilege	2620	{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe
Token: SeIncBasePriorityPrivilege	472	{61EED852-1619-40e4-A969-99175B3E2B3A}.exe
Token: SeIncBasePriorityPrivilege	1888	{9267B468-3083-4b07-8E67-4773E479C8B3}.exe
Token: SeIncBasePriorityPrivilege	2616	{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe
Token: SeIncBasePriorityPrivilege	2792	{178759EA-FF2E-4a65-9555-99E5C73D4707}.exe
Token: SeIncBasePriorityPrivilege	1392	{C55CF76D-D9D6-423c-8DEA-72EB9843ABEB}.exe
Token: SeIncBasePriorityPrivilege	2000	{392C138A-43E3-4286-B189-FC875ADE78B1}.exe
Token: SeIncBasePriorityPrivilege	928	{D0847820-D76B-48ce-9C12-70DF1DB6BB52}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2296	1964	2024-04-18_2a2faca0b7bc1d964561ee6d6671cfd0_goldeneye.exe	28
PID 1964 wrote to memory of 2296	1964	2024-04-18_2a2faca0b7bc1d964561ee6d6671cfd0_goldeneye.exe	28
PID 1964 wrote to memory of 2296	1964	2024-04-18_2a2faca0b7bc1d964561ee6d6671cfd0_goldeneye.exe	28
PID 1964 wrote to memory of 2296	1964	2024-04-18_2a2faca0b7bc1d964561ee6d6671cfd0_goldeneye.exe	28
PID 1964 wrote to memory of 1720	1964	2024-04-18_2a2faca0b7bc1d964561ee6d6671cfd0_goldeneye.exe	29
PID 1964 wrote to memory of 1720	1964	2024-04-18_2a2faca0b7bc1d964561ee6d6671cfd0_goldeneye.exe	29
PID 1964 wrote to memory of 1720	1964	2024-04-18_2a2faca0b7bc1d964561ee6d6671cfd0_goldeneye.exe	29
PID 1964 wrote to memory of 1720	1964	2024-04-18_2a2faca0b7bc1d964561ee6d6671cfd0_goldeneye.exe	29
PID 2296 wrote to memory of 2524	2296	{4F60FA15-B890-49e3-A508-5830D74A774F}.exe	30
PID 2296 wrote to memory of 2524	2296	{4F60FA15-B890-49e3-A508-5830D74A774F}.exe	30
PID 2296 wrote to memory of 2524	2296	{4F60FA15-B890-49e3-A508-5830D74A774F}.exe	30
PID 2296 wrote to memory of 2524	2296	{4F60FA15-B890-49e3-A508-5830D74A774F}.exe	30
PID 2296 wrote to memory of 2552	2296	{4F60FA15-B890-49e3-A508-5830D74A774F}.exe	31
PID 2296 wrote to memory of 2552	2296	{4F60FA15-B890-49e3-A508-5830D74A774F}.exe	31
PID 2296 wrote to memory of 2552	2296	{4F60FA15-B890-49e3-A508-5830D74A774F}.exe	31
PID 2296 wrote to memory of 2552	2296	{4F60FA15-B890-49e3-A508-5830D74A774F}.exe	31
PID 2524 wrote to memory of 2460	2524	{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe	34
PID 2524 wrote to memory of 2460	2524	{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe	34
PID 2524 wrote to memory of 2460	2524	{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe	34
PID 2524 wrote to memory of 2460	2524	{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe	34
PID 2524 wrote to memory of 2984	2524	{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe	35
PID 2524 wrote to memory of 2984	2524	{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe	35
PID 2524 wrote to memory of 2984	2524	{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe	35
PID 2524 wrote to memory of 2984	2524	{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe	35
PID 2460 wrote to memory of 2620	2460	{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe	36
PID 2460 wrote to memory of 2620	2460	{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe	36
PID 2460 wrote to memory of 2620	2460	{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe	36
PID 2460 wrote to memory of 2620	2460	{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe	36
PID 2460 wrote to memory of 2780	2460	{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe	37
PID 2460 wrote to memory of 2780	2460	{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe	37
PID 2460 wrote to memory of 2780	2460	{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe	37
PID 2460 wrote to memory of 2780	2460	{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe	37
PID 2620 wrote to memory of 472	2620	{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe	38
PID 2620 wrote to memory of 472	2620	{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe	38
PID 2620 wrote to memory of 472	2620	{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe	38
PID 2620 wrote to memory of 472	2620	{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe	38
PID 2620 wrote to memory of 2968	2620	{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe	39
PID 2620 wrote to memory of 2968	2620	{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe	39
PID 2620 wrote to memory of 2968	2620	{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe	39
PID 2620 wrote to memory of 2968	2620	{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe	39
PID 472 wrote to memory of 1888	472	{61EED852-1619-40e4-A969-99175B3E2B3A}.exe	40
PID 472 wrote to memory of 1888	472	{61EED852-1619-40e4-A969-99175B3E2B3A}.exe	40
PID 472 wrote to memory of 1888	472	{61EED852-1619-40e4-A969-99175B3E2B3A}.exe	40
PID 472 wrote to memory of 1888	472	{61EED852-1619-40e4-A969-99175B3E2B3A}.exe	40
PID 472 wrote to memory of 1912	472	{61EED852-1619-40e4-A969-99175B3E2B3A}.exe	41
PID 472 wrote to memory of 1912	472	{61EED852-1619-40e4-A969-99175B3E2B3A}.exe	41
PID 472 wrote to memory of 1912	472	{61EED852-1619-40e4-A969-99175B3E2B3A}.exe	41
PID 472 wrote to memory of 1912	472	{61EED852-1619-40e4-A969-99175B3E2B3A}.exe	41
PID 1888 wrote to memory of 2616	1888	{9267B468-3083-4b07-8E67-4773E479C8B3}.exe	42
PID 1888 wrote to memory of 2616	1888	{9267B468-3083-4b07-8E67-4773E479C8B3}.exe	42
PID 1888 wrote to memory of 2616	1888	{9267B468-3083-4b07-8E67-4773E479C8B3}.exe	42
PID 1888 wrote to memory of 2616	1888	{9267B468-3083-4b07-8E67-4773E479C8B3}.exe	42
PID 1888 wrote to memory of 2776	1888	{9267B468-3083-4b07-8E67-4773E479C8B3}.exe	43
PID 1888 wrote to memory of 2776	1888	{9267B468-3083-4b07-8E67-4773E479C8B3}.exe	43
PID 1888 wrote to memory of 2776	1888	{9267B468-3083-4b07-8E67-4773E479C8B3}.exe	43
PID 1888 wrote to memory of 2776	1888	{9267B468-3083-4b07-8E67-4773E479C8B3}.exe	43
PID 2616 wrote to memory of 2792	2616	{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe	44
PID 2616 wrote to memory of 2792	2616	{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe	44
PID 2616 wrote to memory of 2792	2616	{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe	44
PID 2616 wrote to memory of 2792	2616	{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe	44
PID 2616 wrote to memory of 1684	2616	{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe	45
PID 2616 wrote to memory of 1684	2616	{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe	45
PID 2616 wrote to memory of 1684	2616	{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe	45
PID 2616 wrote to memory of 1684	2616	{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-18_2a2faca0b7bc1d964561ee6d6671cfd0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_2a2faca0b7bc1d964561ee6d6671cfd0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\{4F60FA15-B890-49e3-A508-5830D74A774F}.exe
  C:\Windows\{4F60FA15-B890-49e3-A508-5830D74A774F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe
    C:\Windows\{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe
      C:\Windows\{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe
        
        C:\Windows\{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\{61EED852-1619-40e4-A969-99175B3E2B3A}.exe
        
        C:\Windows\{61EED852-1619-40e4-A969-99175B3E2B3A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Windows\{9267B468-3083-4b07-8E67-4773E479C8B3}.exe
        
        C:\Windows\{9267B468-3083-4b07-8E67-4773E479C8B3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe
        
        C:\Windows\{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\{178759EA-FF2E-4a65-9555-99E5C73D4707}.exe
        
        C:\Windows\{178759EA-FF2E-4a65-9555-99E5C73D4707}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\{C55CF76D-D9D6-423c-8DEA-72EB9843ABEB}.exe
        
        C:\Windows\{C55CF76D-D9D6-423c-8DEA-72EB9843ABEB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\{392C138A-43E3-4286-B189-FC875ADE78B1}.exe
        
        C:\Windows\{392C138A-43E3-4286-B189-FC875ADE78B1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\{D0847820-D76B-48ce-9C12-70DF1DB6BB52}.exe
        
        C:\Windows\{D0847820-D76B-48ce-9C12-70DF1DB6BB52}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\{225AAC8C-FB28-4a0c-9FA5-F8B0E3078F05}.exe
        
        C:\Windows\{225AAC8C-FB28-4a0c-9FA5-F8B0E3078F05}.exe
        13⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0847~1.EXE > nul
        13⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{392C1~1.EXE > nul
        12⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C55CF~1.EXE > nul
        11⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17875~1.EXE > nul
        10⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26AC7~1.EXE > nul
        9⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9267B~1.EXE > nul
        8⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61EED~1.EXE > nul
        7⤵
        
        PID:1912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CCF4~1.EXE > nul
        6⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D7CB~1.EXE > nul
        5⤵
        
        PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2567D~1.EXE > nul
      4⤵
      PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4F60F~1.EXE > nul
    3⤵
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{178759EA-FF2E-4a65-9555-99E5C73D4707}.exe

Filesize
168KB

MD5
10e84a5c18e9a716d9afcccfea36c9cc

SHA1
c644b66dd02f7732d134eb16327a83a4edffa699

SHA256
3dff91b8006eec9447a3b63654cf93f8e8ebd3e9030b66efab715d753ac45e1d

SHA512
611ceb438185bca876dc96f151079ba98f1bd6587a871f8107e4cfaecd5560b15d36906becf742ea90b15a87e62aa13810021467f172261659a26636b6f4478d

Download Submit
C:\Windows\{1CCF485C-C5EB-462e-BFAE-B3AD6C06159C}.exe

Filesize
168KB

MD5
b669607694a36e8484ac07e38be6b6ba

SHA1
a6eb40a3e860a09d87f410a6346ed422b269d8e1

SHA256
d12c9db18ce038a28dcea2999760ac1af2337d2d5db44bd70b2271b9b19ee4f3

SHA512
7b8ca873ea4139b2e19d07eb8f0616caf281334e4f47a996cc2a1fba17c00afb440d9701ebef76474019281b0b6cd2246907f5ff0f49701fd71ed66680efe302

Download Submit
C:\Windows\{225AAC8C-FB28-4a0c-9FA5-F8B0E3078F05}.exe

Filesize
168KB

MD5
ce9867543862cb832645d5f632414999

SHA1
4f98cfbdfaf1111906b3efa76c1092e8428f8ffe

SHA256
3c0a3b36aa0e081b31bef0d93560d2e60b5d1bab3aae7fc7e2f078b7c330b716

SHA512
305cd9361f6f52403f2d432a71b090528f05e3dd3ae17f7922c426a6e69f3d2a98dfbe4199b4d9ed0fdc6ee3dcf8a1b22c6223140e7bfbc8df7a72ca2bc28c98

Download Submit
C:\Windows\{2567D3DC-8A77-437a-BF8A-E1E9B44F5156}.exe

Filesize
168KB

MD5
7e21692b0efe737e236784d5aab888da

SHA1
8570fc553e7d2f1bce19801bdcb7b702dc526769

SHA256
1f8c17e935631906dc5bb7643dcb4f412fbbf52c7ead2d90b60f89a66dbe8231

SHA512
f814e6116c32af4eb41fb87096d31a021d231d72927fab606c18bae84dff015aa9ec3bafac7c188fe0d5e3742f16bbec22eff135264eca9017999035650cf3e0

Download Submit
C:\Windows\{26AC7EF5-72A5-4c53-B921-82676B72AE47}.exe

Filesize
168KB

MD5
ff05d6e0a29fc2db211a9aba51e6d799

SHA1
d8b13a1e739f0adb8a141df2da78740d3a36c64c

SHA256
f78a8f99e5771d1093c090171828d2619822f02f4f856bce1293f7a9303ec6ce

SHA512
bababd1f1d09d9c1bb712795628a3039a9efad08cd7a6c2a7d7b1c9884cf2b4669adc3c994979adc30864f5fbdd64e8444b66007a506c6d2d6cdcfbdd8538cc1

Download Submit
C:\Windows\{392C138A-43E3-4286-B189-FC875ADE78B1}.exe

Filesize
168KB

MD5
ba20dfb1f8d77980a214ba152ee334e6

SHA1
a4179c6afd67a07c720681dfb7c6f9ed6f7caba8

SHA256
1f025940c9ca0ab18f0c5ed1f695ebb0681595ebaf9bea2dc1457066758f165e

SHA512
2c6758405e0758c67cb7e23a832568c6c353612b47491834a2c2117531af42f5ab296a487d3a89856470694be193030e1adb646940253a38036bf40e7e173337

Download Submit
C:\Windows\{4F60FA15-B890-49e3-A508-5830D74A774F}.exe

Filesize
168KB

MD5
1b52bcfb34bba2d6d01eed86cd103413

SHA1
bfcb5bc72dacc387226b9284e3bef830d63af4d1

SHA256
cefb8988ffb00fb197c621ce8593b5d29b64a219be95740a91f2d342af083ba2

SHA512
c487c526dd4ff4c615442cb9a38b5346ea3a35962506ba8973e92b07f2dcdc23bfe114eadefdcca351bb3d79d66958e9306746492d548890334c18a10ee0c84c

Download Submit
C:\Windows\{61EED852-1619-40e4-A969-99175B3E2B3A}.exe

Filesize
168KB

MD5
7d7001c19b1bdd9e626cc649138fd8d1

SHA1
67ed96e9c7905da50c51edc563c06e0ef8f8cc48

SHA256
993312b2514099e96d64c1aa492c5a3c0f7d3839f253c4f98167c0294910d926

SHA512
2b15579d0bfe6d01bc7a7236f6dffb52a476da391361f52e7b14319a22a54b7a4641111c8e81ac626aab68ee734a78387b7d37baf5b3a12cc8165a89f8715f88

Download Submit
C:\Windows\{6D7CBA0E-4610-4d60-958A-16CBD3FEEF63}.exe

Filesize
168KB

MD5
2ecb2dd00cc21b2fbe3252dfaa702e77

SHA1
21741e03cdf42a17608618a3d5b34788bf72919c

SHA256
342bde5790b8f02ef0239664f5192aa4bd94b9f429058ee6df92cf75ebd27893

SHA512
676e1a24b331dfa5a4a431346d862fe866e34ab8f2a0cee2ba319b5927c640f3d3f79b88dea0892cea8d52ffca53a07fc22a613b1b0298efce2c61ef1e83744e

Download Submit
C:\Windows\{9267B468-3083-4b07-8E67-4773E479C8B3}.exe

Filesize
168KB

MD5
8b603252decee4eb4cba63371bbcf3ec

SHA1
0064047a06dc4d328fb4f5298fc4f2f208b26b21

SHA256
d8796a029bfba5c04e3d0de055e5042c67422a4783871cb7f98b42484e49867e

SHA512
4edfc99e474506ab0db44ac1e117fd85447c757a2f2bff1f5c75faf498f35a4994bfd9aabddf148145db8409f63d11893b9a2e0b9de8dabffffacef5d0f15804

Download Submit
C:\Windows\{C55CF76D-D9D6-423c-8DEA-72EB9843ABEB}.exe

Filesize
168KB

MD5
c8167b2cb1f2a1d9b92fed6afd0695c1

SHA1
8779cf4d2b1fa4c83b1c392dce91238e76896f8f

SHA256
78a164764e3efe42734052d40132a2519ad2278797c8963ac04267c942c73f3e

SHA512
4e618a498edbbd74cdfc361a8acef69bc28df061fbdb88b8e84cbb0a231da3e7769ec7f6631fe958365e317e5610b5a422752f1a848ae86a9aac489f6297789a

Download Submit
C:\Windows\{D0847820-D76B-48ce-9C12-70DF1DB6BB52}.exe

Filesize
168KB

MD5
90865cf1da5cd3f7eaafede80753e436

SHA1
d0dbb4b1803e882dca809833b76bb1d64e1b487b

SHA256
1ab44bf54615aa3bf2f29b782d6b0d4ade0bdaf8b0943ae6b2f5a0e0245dac4c

SHA512
9f4390f311a62ff2887bae29af2faa7520766dfea1ed9304ea88eac135930c37d41840af5e5670b39b869357aaced4d16cebec54ea9e9ccfe99fd71ef898e67e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads