ce6bab3ba47a7b6f5b33ea349c8decdd50ed76465b7234ca0f8276762f6acc2e

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe
Size

408KB
MD5

01f6ebaff4bf8f0ef17677f45e31501f
SHA1

3662ede85a29195cf1876a8641fda9400906bf3e
SHA256

ce6bab3ba47a7b6f5b33ea349c8decdd50ed76465b7234ca0f8276762f6acc2e
SHA512

0ef8aed1094cddff916ff566d9ec8efaec426e305afdf235a5cb071d81227af0e72d16b21bb37eb873da679f944228d5899710429bb9d6279068e4391b534514
SSDEEP

3072:CEGh0oYl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGSldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CF842058-4A3C-41da-AC84-D698EAED39D1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{74CAF540-3EE3-47f0-83A2-2307ABBD437D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe{CF842058-4A3C-41da-AC84-D698EAED39D1}.exe{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}.exe{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}\stubpath = "C:\\Windows\\{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe"	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}	{CF842058-4A3C-41da-AC84-D698EAED39D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74CAF540-3EE3-47f0-83A2-2307ABBD437D}	{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74CAF540-3EE3-47f0-83A2-2307ABBD437D}\stubpath = "C:\\Windows\\{74CAF540-3EE3-47f0-83A2-2307ABBD437D}.exe"	{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7686D72-347E-4b2d-94BE-973A23DCD914}	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08D01B6F-80BC-43e6-9E97-971CE44A4104}	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AAE247C-26FA-4d54-8E4E-38864E29671D}\stubpath = "C:\\Windows\\{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe"	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A22AEED-56E6-4d41-B2F0-77784B334D90}	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF842058-4A3C-41da-AC84-D698EAED39D1}\stubpath = "C:\\Windows\\{CF842058-4A3C-41da-AC84-D698EAED39D1}.exe"	{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}\stubpath = "C:\\Windows\\{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe"	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B09E6E7-CF95-4370-B883-A67DB42F2738}	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0AFD15F-B04B-46e4-A86F-90AE32897119}	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0AFD15F-B04B-46e4-A86F-90AE32897119}\stubpath = "C:\\Windows\\{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe"	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AAE247C-26FA-4d54-8E4E-38864E29671D}	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A22AEED-56E6-4d41-B2F0-77784B334D90}\stubpath = "C:\\Windows\\{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe"	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF842058-4A3C-41da-AC84-D698EAED39D1}	{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}\stubpath = "C:\\Windows\\{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}.exe"	{CF842058-4A3C-41da-AC84-D698EAED39D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B09E6E7-CF95-4370-B883-A67DB42F2738}\stubpath = "C:\\Windows\\{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe"	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7686D72-347E-4b2d-94BE-973A23DCD914}\stubpath = "C:\\Windows\\{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe"	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08D01B6F-80BC-43e6-9E97-971CE44A4104}\stubpath = "C:\\Windows\\{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe"	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3056 cmd.exe

pid	process
3056	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe{CF842058-4A3C-41da-AC84-D698EAED39D1}.exe{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}.exe{74CAF540-3EE3-47f0-83A2-2307ABBD437D}.exe

pid	process
3032	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe
2560	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe
2476	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe
1700	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe
2764	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe
1500	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe
1504	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe
840	{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe
2932	{CF842058-4A3C-41da-AC84-D698EAED39D1}.exe
380	{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}.exe
1396	{74CAF540-3EE3-47f0-83A2-2307ABBD437D}.exe

Drops file in Windows directory 11 IoCs

Processes:

{CF842058-4A3C-41da-AC84-D698EAED39D1}.exe2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}.exe

description	ioc	process
File created	C:\Windows\{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}.exe	{CF842058-4A3C-41da-AC84-D698EAED39D1}.exe
File created	C:\Windows\{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe
File created	C:\Windows\{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe
File created	C:\Windows\{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe
File created	C:\Windows\{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe
File created	C:\Windows\{CF842058-4A3C-41da-AC84-D698EAED39D1}.exe	{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe
File created	C:\Windows\{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe
File created	C:\Windows\{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe
File created	C:\Windows\{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe
File created	C:\Windows\{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe
File created	C:\Windows\{74CAF540-3EE3-47f0-83A2-2307ABBD437D}.exe	{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe{CF842058-4A3C-41da-AC84-D698EAED39D1}.exe{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2236	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3032	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe
Token: SeIncBasePriorityPrivilege	2560	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe
Token: SeIncBasePriorityPrivilege	2476	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe
Token: SeIncBasePriorityPrivilege	1700	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe
Token: SeIncBasePriorityPrivilege	2764	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe
Token: SeIncBasePriorityPrivilege	1500	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe
Token: SeIncBasePriorityPrivilege	1504	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe
Token: SeIncBasePriorityPrivilege	840	{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe
Token: SeIncBasePriorityPrivilege	2932	{CF842058-4A3C-41da-AC84-D698EAED39D1}.exe
Token: SeIncBasePriorityPrivilege	380	{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2236 wrote to memory of 3032	2236	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe
PID 2236 wrote to memory of 3032	2236	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe
PID 2236 wrote to memory of 3032	2236	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe
PID 2236 wrote to memory of 3032	2236	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe
PID 2236 wrote to memory of 3056	2236	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe	cmd.exe
PID 2236 wrote to memory of 3056	2236	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe	cmd.exe
PID 2236 wrote to memory of 3056	2236	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe	cmd.exe
PID 2236 wrote to memory of 3056	2236	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe	cmd.exe
PID 3032 wrote to memory of 2560	3032	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe
PID 3032 wrote to memory of 2560	3032	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe
PID 3032 wrote to memory of 2560	3032	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe
PID 3032 wrote to memory of 2560	3032	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe
PID 3032 wrote to memory of 2788	3032	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe	cmd.exe
PID 3032 wrote to memory of 2788	3032	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe	cmd.exe
PID 3032 wrote to memory of 2788	3032	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe	cmd.exe
PID 3032 wrote to memory of 2788	3032	{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe	cmd.exe
PID 2560 wrote to memory of 2476	2560	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe
PID 2560 wrote to memory of 2476	2560	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe
PID 2560 wrote to memory of 2476	2560	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe
PID 2560 wrote to memory of 2476	2560	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe
PID 2560 wrote to memory of 2496	2560	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe	cmd.exe
PID 2560 wrote to memory of 2496	2560	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe	cmd.exe
PID 2560 wrote to memory of 2496	2560	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe	cmd.exe
PID 2560 wrote to memory of 2496	2560	{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe	cmd.exe
PID 2476 wrote to memory of 1700	2476	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe
PID 2476 wrote to memory of 1700	2476	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe
PID 2476 wrote to memory of 1700	2476	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe
PID 2476 wrote to memory of 1700	2476	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe
PID 2476 wrote to memory of 1356	2476	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe	cmd.exe
PID 2476 wrote to memory of 1356	2476	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe	cmd.exe
PID 2476 wrote to memory of 1356	2476	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe	cmd.exe
PID 2476 wrote to memory of 1356	2476	{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe	cmd.exe
PID 1700 wrote to memory of 2764	1700	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe
PID 1700 wrote to memory of 2764	1700	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe
PID 1700 wrote to memory of 2764	1700	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe
PID 1700 wrote to memory of 2764	1700	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe
PID 1700 wrote to memory of 1584	1700	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe	cmd.exe
PID 1700 wrote to memory of 1584	1700	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe	cmd.exe
PID 1700 wrote to memory of 1584	1700	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe	cmd.exe
PID 1700 wrote to memory of 1584	1700	{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe	cmd.exe
PID 2764 wrote to memory of 1500	2764	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe
PID 2764 wrote to memory of 1500	2764	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe
PID 2764 wrote to memory of 1500	2764	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe
PID 2764 wrote to memory of 1500	2764	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe
PID 2764 wrote to memory of 2244	2764	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe	cmd.exe
PID 2764 wrote to memory of 2244	2764	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe	cmd.exe
PID 2764 wrote to memory of 2244	2764	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe	cmd.exe
PID 2764 wrote to memory of 2244	2764	{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe	cmd.exe
PID 1500 wrote to memory of 1504	1500	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe
PID 1500 wrote to memory of 1504	1500	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe
PID 1500 wrote to memory of 1504	1500	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe
PID 1500 wrote to memory of 1504	1500	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe
PID 1500 wrote to memory of 1196	1500	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe	cmd.exe
PID 1500 wrote to memory of 1196	1500	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe	cmd.exe
PID 1500 wrote to memory of 1196	1500	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe	cmd.exe
PID 1500 wrote to memory of 1196	1500	{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe	cmd.exe
PID 1504 wrote to memory of 840	1504	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe	{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe
PID 1504 wrote to memory of 840	1504	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe	{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe
PID 1504 wrote to memory of 840	1504	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe	{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe
PID 1504 wrote to memory of 840	1504	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe	{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe
PID 1504 wrote to memory of 2040	1504	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe	cmd.exe
PID 1504 wrote to memory of 2040	1504	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe	cmd.exe
PID 1504 wrote to memory of 2040	1504	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe	cmd.exe
PID 1504 wrote to memory of 2040	1504	{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe
C:\Windows\{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe
C:\Windows\{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe
C:\Windows\{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe
C:\Windows\{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe
C:\Windows\{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe
C:\Windows\{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe
C:\Windows\{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe
C:\Windows\{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\{CF842058-4A3C-41da-AC84-D698EAED39D1}.exe
C:\Windows\{CF842058-4A3C-41da-AC84-D698EAED39D1}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}.exe
C:\Windows\{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\{74CAF540-3EE3-47f0-83A2-2307ABBD437D}.exe
C:\Windows\{74CAF540-3EE3-47f0-83A2-2307ABBD437D}.exe
12⤵
- Executes dropped EXE
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8A5D0~1.EXE > nul
12⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CF842~1.EXE > nul
11⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4BA9E~1.EXE > nul
10⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6A22A~1.EXE > nul
9⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FD0A0~1.EXE > nul
8⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3AAE2~1.EXE > nul
7⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{08D01~1.EXE > nul
6⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A0AFD~1.EXE > nul
5⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F7686~1.EXE > nul
4⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1B09E~1.EXE > nul
3⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:3056

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08D01B6F-80BC-43e6-9E97-971CE44A4104}.exe
Filesize
408KB

MD5
9807d77e833329ad139754fe42e740d2

SHA1
1014e596220f206997e7217e9b4b08afd1addcda

SHA256
0ee9c92f24726347619dc12307b5d05d39fe27bd7aeaf7b5e16fef1587c367b8

SHA512
79fbcb697f02bbd35892de2b70682384fca1699077da33ace8ac584fdf9513500a00b0451750ad52272007c5c2da935376bf3e8bdd3cff0a5c6ed53c624ac3bc

Download Submit
C:\Windows\{1B09E6E7-CF95-4370-B883-A67DB42F2738}.exe
Filesize
408KB

MD5
c403500562da24a92fe0f2dd18d3614b

SHA1
2f9a547b24189278a40f10c47e4739b8211c2829

SHA256
bac68ab3878eb685856eb04c2b1b6712be77f55ab38b20f70d5527a4d4d3aab2

SHA512
7f302406b6e8127dea37d9960fd5cbc3f622d6ed06411183f5f81ca304443e98cf57eb9b5ad8171553ef5c464a9b9e117ce85dedc48395de6d03a61f59a4a778

Download Submit
C:\Windows\{3AAE247C-26FA-4d54-8E4E-38864E29671D}.exe
Filesize
408KB

MD5
3ff3f85932d4f23bc6b68d34bebbb969

SHA1
48b12f82273738514cacf4e78330a248149e6439

SHA256
4e542b6652564421fe5b13abf4a8d7b0f20e52003f388cbfe9a03d6c5c9d1688

SHA512
3b65c496ac9eac97668a32e7776e4ef384618d52d6dcc1d10c27319f33eaa33ba1797aa89a63c84fffae96489e99fb4d763646c60b1eaccadcc529a038478996

Download Submit
C:\Windows\{4BA9E84E-C094-4a4b-A40E-B6E00BE0499C}.exe
Filesize
408KB

MD5
1e463ff43db38338044bd8a050c9d94e

SHA1
624ea36463b480eff7d2d327a08f60589c795a99

SHA256
68944c01d0982f43d8d76611ab6845c04b9a850a4db43e5dec658d569395d582

SHA512
ed7db6fa23344b4580c3ca9799e80d7cd46fa8ee7680acbcdcbe082bc082a9785ab01e8760039d3f913d418edd7171bb692c8f8b85d669783804650602b7f7f2

Download Submit
C:\Windows\{6A22AEED-56E6-4d41-B2F0-77784B334D90}.exe
Filesize
408KB

MD5
0d9fd55737929dd5d26a025e8a4375a4

SHA1
3a5c680cf102bed99cc5e9ffa4894086294c0841

SHA256
74c846a98e3ec0e036a950b2c5f152fb6a9e029895d2cb69156b52ab55606e41

SHA512
2519190b3eb4fc2e3bbca0b6c647a787fa78793daedf09c53d55429c0204458afce42c0be58ad095083a36f8ac7a345ea47ee9a9bbd1cdffda6bb4a1c545de8f

Download Submit
C:\Windows\{74CAF540-3EE3-47f0-83A2-2307ABBD437D}.exe
Filesize
408KB

MD5
773cdb80ee16a4794c644437cce3a737

SHA1
1ef8d40e7d57d9e431f93756a753c507e08c2ce1

SHA256
76862f87f3f8ea928c67364e0b474aecceb5e1024bd48750e4d5e522e03350f6

SHA512
1bb70834122ab295445e103fefff573d1f9a90f8fd2ec2a010ecf85af760c64f94180a9b581cadf2c059cd492fd860181d70e920d13dac92a3bd9131c530258b

Download Submit
C:\Windows\{8A5D0345-C5F9-4b20-8555-DB536EF86EDE}.exe
Filesize
408KB

MD5
4932d83a796912debcf1177b65601e59

SHA1
0b16be447426339b3ee6a7e486cc61a56209dcaa

SHA256
7602860103a55f1328d9bf982e99701db448e711f8c2051d0d131b6ebd705f12

SHA512
87839247a6b9d188c9fd35ec638e89687e8b04a95cadeb9331f21738d69ecf635f23f05a4a07eb58f8f71995446862ef42bb18c249bec4a3888b2a0e08d8b106

Download Submit
C:\Windows\{A0AFD15F-B04B-46e4-A86F-90AE32897119}.exe
Filesize
408KB

MD5
cb07f3ca2e3acbcc8de573be0b3631ec

SHA1
31567b7617110aadc332bb4f341903579c00a19c

SHA256
a8f77cd4c5a38d9715927e06f77b0b9bdbda04ded9870f07ad4afb1cdb6c3a9c

SHA512
21ac89686a4b196f5352fbe792342cf18341a73e3672c2779239a94499c76fbd067c8536536e625d6cc7edbcb7848cf880846c752c589ff57abd57e3bcc6aa92

Download Submit
C:\Windows\{CF842058-4A3C-41da-AC84-D698EAED39D1}.exe
Filesize
408KB

MD5
15fb43da8827850e57cad33265a77a7b

SHA1
9b1bd7a1d9aecdb55b860cf411f5d3790de214af

SHA256
55b1f3cee722726bdc785c352dd69b0b2efec72bbdc125f0f1911cf58ef77983

SHA512
abe9355d5a807d4e50e536bfcd82928e940ecd4042fe6471969be425183e9cdad4fda62d24fdfef81023df1da44e383fe9cf61103c26a3b369de2a9f4157e679

Download Submit
C:\Windows\{F7686D72-347E-4b2d-94BE-973A23DCD914}.exe
Filesize
408KB

MD5
c317cb6c948ed79fc4cdfe28b30bce5a

SHA1
b2ca97ece5b57e4752a95ad5c1a322f19c451066

SHA256
ec7064178c2dfafe851798b245b475a783525494a17abc6624ab0132f053579c

SHA512
6c7097e42205fe5d00f3d734867a78e28c88d788ac8c57f5cdcd658703077247a42c918fd25ab0004cc7d702210e963e5139964dd52c95c9010a6dd71fd8fe82

Download Submit
C:\Windows\{FD0A0D90-C273-4d58-A5F4-D2D4917E8EA7}.exe
Filesize
408KB

MD5
5ed7a18db510d15245b129eae3650096

SHA1
d605a08d1053e8303ff9ad3c2d882d43f1ce506d

SHA256
253540afcaf79c2de70828da3e4f9a91fc6e44bedeccaabf7e36fe73ac0f3361

SHA512
cd4ca8b18b3b6693d9367cdcea7e8c08671949cdd565d91f35250687da645ec9f2ef749a1fea67ce38c51896d3ba1a6f55a9d65fe1690ba1edd60484a2bd119e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads