876cd2d3429a994e3e9d70991198dffabdb8e828f0539c037246f60051d4e00a

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_4c46c1968360c0c8ddf32a0eb0ee1828_goldeneye.exe
Size

372KB
MD5

4c46c1968360c0c8ddf32a0eb0ee1828
SHA1

7d2281d5d009f8df6e21d872c7bf81cdebe67b84
SHA256

876cd2d3429a994e3e9d70991198dffabdb8e828f0539c037246f60051d4e00a
SHA512

45195ef579498f9219b881b66c18339c01a28027ca15c439cff3e29815a3239daf0f92db6a913d12d849a8194a7141bb6b0df3b1fc9467eeb556f9bd79ff438b
SSDEEP

3072:CEGh0oslMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGylkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012240-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d000000014a55-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000014a55-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000014a55-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014a55-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014a94-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000014a55-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014b6d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}\stubpath = "C:\\Windows\\{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe"	{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF5196F7-D186-497f-AD97-F7BFA21CA7CE}\stubpath = "C:\\Windows\\{EF5196F7-D186-497f-AD97-F7BFA21CA7CE}.exe"	{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6142CB11-3893-43de-89CF-61BB8A9E53C5}\stubpath = "C:\\Windows\\{6142CB11-3893-43de-89CF-61BB8A9E53C5}.exe"	{A2875564-C4DB-4519-BB58-70B6C98B1450}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}\stubpath = "C:\\Windows\\{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe"	{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}	{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF5196F7-D186-497f-AD97-F7BFA21CA7CE}	{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2875564-C4DB-4519-BB58-70B6C98B1450}\stubpath = "C:\\Windows\\{A2875564-C4DB-4519-BB58-70B6C98B1450}.exe"	{EF5196F7-D186-497f-AD97-F7BFA21CA7CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}	{71D36118-0802-442a-9117-B9C7E8FC2126}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}\stubpath = "C:\\Windows\\{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe"	{71D36118-0802-442a-9117-B9C7E8FC2126}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}	{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}\stubpath = "C:\\Windows\\{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe"	{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB42ABB0-78A6-47cb-B296-BCF868B3143B}\stubpath = "C:\\Windows\\{EB42ABB0-78A6-47cb-B296-BCF868B3143B}.exe"	{0595B9B1-9116-4d9e-98C7-2F9D120D91AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2875564-C4DB-4519-BB58-70B6C98B1450}	{EF5196F7-D186-497f-AD97-F7BFA21CA7CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6142CB11-3893-43de-89CF-61BB8A9E53C5}	{A2875564-C4DB-4519-BB58-70B6C98B1450}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0595B9B1-9116-4d9e-98C7-2F9D120D91AD}\stubpath = "C:\\Windows\\{0595B9B1-9116-4d9e-98C7-2F9D120D91AD}.exe"	{6142CB11-3893-43de-89CF-61BB8A9E53C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}\stubpath = "C:\\Windows\\{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe"	{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}	{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92DA9CB2-7BD3-4904-84EC-77BC086AE515}	{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92DA9CB2-7BD3-4904-84EC-77BC086AE515}\stubpath = "C:\\Windows\\{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe"	{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB42ABB0-78A6-47cb-B296-BCF868B3143B}	{0595B9B1-9116-4d9e-98C7-2F9D120D91AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71D36118-0802-442a-9117-B9C7E8FC2126}	2024-04-22_4c46c1968360c0c8ddf32a0eb0ee1828_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71D36118-0802-442a-9117-B9C7E8FC2126}\stubpath = "C:\\Windows\\{71D36118-0802-442a-9117-B9C7E8FC2126}.exe"	2024-04-22_4c46c1968360c0c8ddf32a0eb0ee1828_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}	{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0595B9B1-9116-4d9e-98C7-2F9D120D91AD}	{6142CB11-3893-43de-89CF-61BB8A9E53C5}.exe

Deletes itself 1 IoCs

pid	Process
1072	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2908	{71D36118-0802-442a-9117-B9C7E8FC2126}.exe
2404	{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe
2444	{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe
2364	{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe
564	{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe
2804	{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe
1912	{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe
760	{EF5196F7-D186-497f-AD97-F7BFA21CA7CE}.exe
840	{A2875564-C4DB-4519-BB58-70B6C98B1450}.exe
2756	{6142CB11-3893-43de-89CF-61BB8A9E53C5}.exe
1104	{0595B9B1-9116-4d9e-98C7-2F9D120D91AD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6142CB11-3893-43de-89CF-61BB8A9E53C5}.exe	{A2875564-C4DB-4519-BB58-70B6C98B1450}.exe
File created	C:\Windows\{0595B9B1-9116-4d9e-98C7-2F9D120D91AD}.exe	{6142CB11-3893-43de-89CF-61BB8A9E53C5}.exe
File created	C:\Windows\{71D36118-0802-442a-9117-B9C7E8FC2126}.exe	2024-04-22_4c46c1968360c0c8ddf32a0eb0ee1828_goldeneye.exe
File created	C:\Windows\{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe	{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe
File created	C:\Windows\{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe	{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe
File created	C:\Windows\{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe	{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe
File created	C:\Windows\{A2875564-C4DB-4519-BB58-70B6C98B1450}.exe	{EF5196F7-D186-497f-AD97-F7BFA21CA7CE}.exe
File created	C:\Windows\{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe	{71D36118-0802-442a-9117-B9C7E8FC2126}.exe
File created	C:\Windows\{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe	{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe
File created	C:\Windows\{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe	{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe
File created	C:\Windows\{EF5196F7-D186-497f-AD97-F7BFA21CA7CE}.exe	{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe
File created	C:\Windows\{EB42ABB0-78A6-47cb-B296-BCF868B3143B}.exe	{0595B9B1-9116-4d9e-98C7-2F9D120D91AD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2248	2024-04-22_4c46c1968360c0c8ddf32a0eb0ee1828_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2908	{71D36118-0802-442a-9117-B9C7E8FC2126}.exe
Token: SeIncBasePriorityPrivilege	2404	{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe
Token: SeIncBasePriorityPrivilege	2444	{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe
Token: SeIncBasePriorityPrivilege	2364	{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe
Token: SeIncBasePriorityPrivilege	564	{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe
Token: SeIncBasePriorityPrivilege	2804	{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe
Token: SeIncBasePriorityPrivilege	1912	{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe
Token: SeIncBasePriorityPrivilege	760	{EF5196F7-D186-497f-AD97-F7BFA21CA7CE}.exe
Token: SeIncBasePriorityPrivilege	840	{A2875564-C4DB-4519-BB58-70B6C98B1450}.exe
Token: SeIncBasePriorityPrivilege	2756	{6142CB11-3893-43de-89CF-61BB8A9E53C5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2908	2248	2024-04-22_4c46c1968360c0c8ddf32a0eb0ee1828_goldeneye.exe	28
PID 2248 wrote to memory of 2908	2248	2024-04-22_4c46c1968360c0c8ddf32a0eb0ee1828_goldeneye.exe	28
PID 2248 wrote to memory of 2908	2248	2024-04-22_4c46c1968360c0c8ddf32a0eb0ee1828_goldeneye.exe	28
PID 2248 wrote to memory of 2908	2248	2024-04-22_4c46c1968360c0c8ddf32a0eb0ee1828_goldeneye.exe	28
PID 2248 wrote to memory of 1072	2248	2024-04-22_4c46c1968360c0c8ddf32a0eb0ee1828_goldeneye.exe	29
PID 2248 wrote to memory of 1072	2248	2024-04-22_4c46c1968360c0c8ddf32a0eb0ee1828_goldeneye.exe	29
PID 2248 wrote to memory of 1072	2248	2024-04-22_4c46c1968360c0c8ddf32a0eb0ee1828_goldeneye.exe	29
PID 2248 wrote to memory of 1072	2248	2024-04-22_4c46c1968360c0c8ddf32a0eb0ee1828_goldeneye.exe	29
PID 2908 wrote to memory of 2404	2908	{71D36118-0802-442a-9117-B9C7E8FC2126}.exe	32
PID 2908 wrote to memory of 2404	2908	{71D36118-0802-442a-9117-B9C7E8FC2126}.exe	32
PID 2908 wrote to memory of 2404	2908	{71D36118-0802-442a-9117-B9C7E8FC2126}.exe	32
PID 2908 wrote to memory of 2404	2908	{71D36118-0802-442a-9117-B9C7E8FC2126}.exe	32
PID 2908 wrote to memory of 2556	2908	{71D36118-0802-442a-9117-B9C7E8FC2126}.exe	33
PID 2908 wrote to memory of 2556	2908	{71D36118-0802-442a-9117-B9C7E8FC2126}.exe	33
PID 2908 wrote to memory of 2556	2908	{71D36118-0802-442a-9117-B9C7E8FC2126}.exe	33
PID 2908 wrote to memory of 2556	2908	{71D36118-0802-442a-9117-B9C7E8FC2126}.exe	33
PID 2404 wrote to memory of 2444	2404	{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe	34
PID 2404 wrote to memory of 2444	2404	{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe	34
PID 2404 wrote to memory of 2444	2404	{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe	34
PID 2404 wrote to memory of 2444	2404	{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe	34
PID 2404 wrote to memory of 2820	2404	{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe	35
PID 2404 wrote to memory of 2820	2404	{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe	35
PID 2404 wrote to memory of 2820	2404	{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe	35
PID 2404 wrote to memory of 2820	2404	{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe	35
PID 2444 wrote to memory of 2364	2444	{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe	36
PID 2444 wrote to memory of 2364	2444	{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe	36
PID 2444 wrote to memory of 2364	2444	{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe	36
PID 2444 wrote to memory of 2364	2444	{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe	36
PID 2444 wrote to memory of 556	2444	{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe	37
PID 2444 wrote to memory of 556	2444	{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe	37
PID 2444 wrote to memory of 556	2444	{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe	37
PID 2444 wrote to memory of 556	2444	{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe	37
PID 2364 wrote to memory of 564	2364	{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe	38
PID 2364 wrote to memory of 564	2364	{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe	38
PID 2364 wrote to memory of 564	2364	{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe	38
PID 2364 wrote to memory of 564	2364	{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe	38
PID 2364 wrote to memory of 2596	2364	{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe	39
PID 2364 wrote to memory of 2596	2364	{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe	39
PID 2364 wrote to memory of 2596	2364	{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe	39
PID 2364 wrote to memory of 2596	2364	{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe	39
PID 564 wrote to memory of 2804	564	{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe	40
PID 564 wrote to memory of 2804	564	{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe	40
PID 564 wrote to memory of 2804	564	{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe	40
PID 564 wrote to memory of 2804	564	{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe	40
PID 564 wrote to memory of 2916	564	{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe	41
PID 564 wrote to memory of 2916	564	{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe	41
PID 564 wrote to memory of 2916	564	{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe	41
PID 564 wrote to memory of 2916	564	{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe	41
PID 2804 wrote to memory of 1912	2804	{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe	42
PID 2804 wrote to memory of 1912	2804	{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe	42
PID 2804 wrote to memory of 1912	2804	{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe	42
PID 2804 wrote to memory of 1912	2804	{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe	42
PID 2804 wrote to memory of 2284	2804	{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe	43
PID 2804 wrote to memory of 2284	2804	{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe	43
PID 2804 wrote to memory of 2284	2804	{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe	43
PID 2804 wrote to memory of 2284	2804	{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe	43
PID 1912 wrote to memory of 760	1912	{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe	44
PID 1912 wrote to memory of 760	1912	{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe	44
PID 1912 wrote to memory of 760	1912	{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe	44
PID 1912 wrote to memory of 760	1912	{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe	44
PID 1912 wrote to memory of 1628	1912	{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe	45
PID 1912 wrote to memory of 1628	1912	{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe	45
PID 1912 wrote to memory of 1628	1912	{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe	45
PID 1912 wrote to memory of 1628	1912	{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-22_4c46c1968360c0c8ddf32a0eb0ee1828_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_4c46c1968360c0c8ddf32a0eb0ee1828_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\{71D36118-0802-442a-9117-B9C7E8FC2126}.exe
  C:\Windows\{71D36118-0802-442a-9117-B9C7E8FC2126}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe
    C:\Windows\{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe
      C:\Windows\{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe
        
        C:\Windows\{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - C:\Windows\{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe
        
        C:\Windows\{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe
        
        C:\Windows\{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe
        
        C:\Windows\{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\{EF5196F7-D186-497f-AD97-F7BFA21CA7CE}.exe
        
        C:\Windows\{EF5196F7-D186-497f-AD97-F7BFA21CA7CE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\{A2875564-C4DB-4519-BB58-70B6C98B1450}.exe
        
        C:\Windows\{A2875564-C4DB-4519-BB58-70B6C98B1450}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\{6142CB11-3893-43de-89CF-61BB8A9E53C5}.exe
        
        C:\Windows\{6142CB11-3893-43de-89CF-61BB8A9E53C5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\{0595B9B1-9116-4d9e-98C7-2F9D120D91AD}.exe
        
        C:\Windows\{0595B9B1-9116-4d9e-98C7-2F9D120D91AD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6142C~1.EXE > nul
        12⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2875~1.EXE > nul
        11⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF519~1.EXE > nul
        10⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAC95~1.EXE > nul
        9⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92DA9~1.EXE > nul
        8⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C087~1.EXE > nul
        7⤵
        
        PID:2916
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7B00~1.EXE > nul
        6⤵
        
        PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{300DD~1.EXE > nul
        5⤵
        
        PID:556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3DCCC~1.EXE > nul
      4⤵
      PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{71D36~1.EXE > nul
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0595B9B1-9116-4d9e-98C7-2F9D120D91AD}.exe

Filesize
372KB

MD5
1f4cf27bf660f58ef091de74430b29c3

SHA1
f49c26611a82522a6e9eda1a682a16854f76a43f

SHA256
8b0dfc4bd9a63ed981f517e8fc2ea30bc5404237559f5ee5b3f9e9904139bcb1

SHA512
3bb138a8e5e070ffcfd83184109556254c55e13dec6b474e4213b51b8f8f64a68440435f9a4ef9f3e07ca78f9541cb3bade0c8462e3c155e1c005c9d94e2dc29

Download Submit
C:\Windows\{2C087CF6-9701-4a4b-B9EE-D5E4CCC95815}.exe

Filesize
372KB

MD5
eb5190ea5ffb93468f6201150ff23675

SHA1
ca827036703a935388b95a9e865c5703fbb6ca7e

SHA256
d24e828a5c7db7cfc5836850e4305565a5a5f4be123476552550bb611adc02ad

SHA512
9d6df02fc8de88dc57d1fdaafe5516de5cfad021c00bd2df351a3c60f6fa3a8342160e4a1e5ff52faaeefe04413d096c9452025b62683b054ef4a58037d0b16a

Download Submit
C:\Windows\{300DDF3D-CEA1-4bfd-B92B-EDE78B2EFB2E}.exe

Filesize
372KB

MD5
8b05d19e6a699870ae4ea9dd64a561ba

SHA1
4312a8f44664040089a4cd8386c26a784e560d51

SHA256
b11480f32cb72b0dce607edad9d64f1be7b3ba674d59bc2d2dd6660aa69e9fe0

SHA512
60476423102ec509269de80fb9589e21c78b25be0e12d382a7fa9dcb19a4b535e150e48da4d80c4aa2138c28a287d5b9f48657554d42b8ab140973c80922e2bb

Download Submit
C:\Windows\{3DCCCACD-7A34-4a58-9785-F67B1DFC9896}.exe

Filesize
372KB

MD5
020f76c1ffe1e00479145cfcb8b387e6

SHA1
7698c4da4ad43a1224a0fd7a4d7cb77caeca4ca7

SHA256
15fa007ce28053fb343e431386778bbd6076de1b694de64084a96421b974a76f

SHA512
d51eb1fc9d9374f88745ee90a8952a476877c22fc3efb33fae89ea6d30c30b3e4d8072723f5f3b0c2cb93383a22833b5a61738312a4e4ac794aeb832c295ebc1

Download Submit
C:\Windows\{6142CB11-3893-43de-89CF-61BB8A9E53C5}.exe

Filesize
372KB

MD5
a546d5248412458a5f965bef15112064

SHA1
e24ea3b9d950e85490ebbb7c849e9cb456a184f0

SHA256
f6cd03bf6fada7cb1b08040ae7750713375161bc2eff7ebeff83d0febc93ef48

SHA512
35816e07f75332d68ead04f1504362ad996873a3c70c7d461e767cf9e8eb5f84988dc9fcb085e8b13974215611a9c74d082edaabbe1250b6971f6dc0e598dc87

Download Submit
C:\Windows\{71D36118-0802-442a-9117-B9C7E8FC2126}.exe

Filesize
372KB

MD5
128348757c2253c847a0d5240b838d7e

SHA1
bdbb35ec2dad475645557b07da6037e24c28574a

SHA256
6042b1551f3f73305c5e446085701158de59198aae6272a05af0ee2a9f239758

SHA512
c5edc12ffd2d497eab79ef99b43eb09cc6a87ff710ae235188762cfd007d4db8e9912852645a4165b0ff8ae1649fa75e4e1b0c4c67fdf57471de2d1c38ee6959

Download Submit
C:\Windows\{92DA9CB2-7BD3-4904-84EC-77BC086AE515}.exe

Filesize
372KB

MD5
0ccaddae1cfab78a8cb0cd5235f2f6c2

SHA1
31bec4245f53525d59c24bea5fc50e63f7c416b7

SHA256
3bf6a0804407df378f9d46109e5bf341ff39e0a59e31020a784a0dfc0361da47

SHA512
9d40a491219a1225e9832344a405d6f056437573bdef6b65052b10c4a10fe56a24eb9dce186e1fd911a271708798223de23788a22c6390a9f83b864712739ecb

Download Submit
C:\Windows\{A2875564-C4DB-4519-BB58-70B6C98B1450}.exe

Filesize
372KB

MD5
da1793d33ef656b390bbd16fa57a34a1

SHA1
4eb4614f3d7d8203babb8849a18a105cf262fbfc

SHA256
fc0733fd737c60aa66f5d05c80771ca18f9aaeb58cb4d322680ba972286dd9c3

SHA512
464dbaef84cd72ad91379c33515217f269f267ed20d3e15bb895e81c2a70992f02c3468840a75f659ad7a86ac802cb3846a35d261f9b916cde6ecbcde9132bc3

Download Submit
C:\Windows\{AAC95C7A-4DB3-4817-9B93-6A438DAC0259}.exe

Filesize
372KB

MD5
d6c9ba36a80456cd373c89f7e0817fd7

SHA1
5e93e0941368ff501389993ccc7053061cf57de3

SHA256
669d7073da0a2633dcc62be31d1da0d45fa8162a13b50b66c12660afc49acd74

SHA512
e2b242d4cc168686aa06525a127c4f7bbd8a16558c9ebf9bd46ea71c6bcfdfdf7dac19f60967d39404534d68298111bfaba39d4e64eebaeb36b06ed684838899

Download Submit
C:\Windows\{D7B00B60-B69D-43c0-A4D6-AE44F66A9E7F}.exe

Filesize
372KB

MD5
5748255f4f2e4c43d66eb703d55c05ff

SHA1
7762ceb7c5149bbb743a2e532ad59de493d8f34f

SHA256
b3ecf4b3e9dafe34c55cb549345a33707b7c39c58929d5b63c9dfe9ea21fdd4e

SHA512
535d6b90a5d8ad697dc3bed227968e3988fdcc0c3daeb0b478361b9e8014d4f6ceba1814f3dbbd7a740047debce448efa5c92322e1339b6d7eefdec585b670c1

Download Submit
C:\Windows\{EF5196F7-D186-497f-AD97-F7BFA21CA7CE}.exe

Filesize
372KB

MD5
00930808ac4b2f3377e7cea2efce932d

SHA1
7a789c593a19f7ba8c563a7f5ca7553918881160

SHA256
bd375787276feafc1d8045539ba07f34e5e5d6d5525388c537af9dfdc4edab79

SHA512
1f2182d388e77b12c74e38fda93ffaee5063e300d55d2c8fea1d10a4c3ee604344cd64cb9e22c7d7df5918cc6c17a8d240a0eb485c724453ae649c5b6cf51d1b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads