7d52c64a7e326da3b005dba3ccf086d1fde2f675afcd720e6211d3c79dff48db

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe
Size

204KB
MD5

300b31c407d9de737e7ccfe92c86c794
SHA1

4593def138e0ea2958e3d8e4eb38b3588284e81a
SHA256

7d52c64a7e326da3b005dba3ccf086d1fde2f675afcd720e6211d3c79dff48db
SHA512

2080c96be1195c8b42a9868edde571d72e205e8f838f91abf8d55b10411a49cb1cf201c5f96b8cad2665ea8059cbafc5eaf51067d19a256f1cb96537897f8e93
SSDEEP

1536:1EGh0ohl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ohl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{545609B5-FA9F-447b-8E78-C1933EADB006}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{41DE7D30-1A28-4153-915B-30839F6593D4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1221A108-758F-4f34-BBB7-90134E0548AA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C6CF5963-8A01-4437-9BD4-5D49BA463553}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BC98CF6A-3377-4706-B5D9-C7128460905B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DA5885DC-06ED-4ae3-A305-A619BC5F6D8C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe{C6CF5963-8A01-4437-9BD4-5D49BA463553}.exe{BC98CF6A-3377-4706-B5D9-C7128460905B}.exe{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe{545609B5-FA9F-447b-8E78-C1933EADB006}.exe{41DE7D30-1A28-4153-915B-30839F6593D4}.exe{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe{1221A108-758F-4f34-BBB7-90134E0548AA}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{545609B5-FA9F-447b-8E78-C1933EADB006}	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1221A108-758F-4f34-BBB7-90134E0548AA}\stubpath = "C:\\Windows\\{1221A108-758F-4f34-BBB7-90134E0548AA}.exe"	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC98CF6A-3377-4706-B5D9-C7128460905B}	{C6CF5963-8A01-4437-9BD4-5D49BA463553}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC98CF6A-3377-4706-B5D9-C7128460905B}\stubpath = "C:\\Windows\\{BC98CF6A-3377-4706-B5D9-C7128460905B}.exe"	{C6CF5963-8A01-4437-9BD4-5D49BA463553}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA5885DC-06ED-4ae3-A305-A619BC5F6D8C}\stubpath = "C:\\Windows\\{DA5885DC-06ED-4ae3-A305-A619BC5F6D8C}.exe"	{BC98CF6A-3377-4706-B5D9-C7128460905B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E53260C1-6E2F-4fde-8DF8-1DB641A52413}\stubpath = "C:\\Windows\\{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe"	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{545609B5-FA9F-447b-8E78-C1933EADB006}\stubpath = "C:\\Windows\\{545609B5-FA9F-447b-8E78-C1933EADB006}.exe"	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41DE7D30-1A28-4153-915B-30839F6593D4}\stubpath = "C:\\Windows\\{41DE7D30-1A28-4153-915B-30839F6593D4}.exe"	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}\stubpath = "C:\\Windows\\{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe"	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C57DB750-C632-4d71-B984-0B1F1EC23AF8}\stubpath = "C:\\Windows\\{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe"	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6CF5963-8A01-4437-9BD4-5D49BA463553}	{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA5885DC-06ED-4ae3-A305-A619BC5F6D8C}	{BC98CF6A-3377-4706-B5D9-C7128460905B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41DE7D30-1A28-4153-915B-30839F6593D4}	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}\stubpath = "C:\\Windows\\{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe"	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C57DB750-C632-4d71-B984-0B1F1EC23AF8}	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}\stubpath = "C:\\Windows\\{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe"	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E53260C1-6E2F-4fde-8DF8-1DB641A52413}	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1221A108-758F-4f34-BBB7-90134E0548AA}	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6CF5963-8A01-4437-9BD4-5D49BA463553}\stubpath = "C:\\Windows\\{C6CF5963-8A01-4437-9BD4-5D49BA463553}.exe"	{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2940 cmd.exe

pid	process
2940	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe{545609B5-FA9F-447b-8E78-C1933EADB006}.exe{41DE7D30-1A28-4153-915B-30839F6593D4}.exe{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe{1221A108-758F-4f34-BBB7-90134E0548AA}.exe{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe{C6CF5963-8A01-4437-9BD4-5D49BA463553}.exe{BC98CF6A-3377-4706-B5D9-C7128460905B}.exe{DA5885DC-06ED-4ae3-A305-A619BC5F6D8C}.exe

pid	process
1704	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe
2620	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe
1736	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe
2872	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe
2524	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe
2904	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe
2020	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe
1644	{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe
2908	{C6CF5963-8A01-4437-9BD4-5D49BA463553}.exe
1420	{BC98CF6A-3377-4706-B5D9-C7128460905B}.exe
2780	{DA5885DC-06ED-4ae3-A305-A619BC5F6D8C}.exe

Drops file in Windows directory 11 IoCs

Processes:

{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe{545609B5-FA9F-447b-8E78-C1933EADB006}.exe{41DE7D30-1A28-4153-915B-30839F6593D4}.exe{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe{1221A108-758F-4f34-BBB7-90134E0548AA}.exe{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe{C6CF5963-8A01-4437-9BD4-5D49BA463553}.exe{BC98CF6A-3377-4706-B5D9-C7128460905B}.exe{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe

description	ioc	process
File created	C:\Windows\{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe
File created	C:\Windows\{545609B5-FA9F-447b-8E78-C1933EADB006}.exe	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe
File created	C:\Windows\{41DE7D30-1A28-4153-915B-30839F6593D4}.exe	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe
File created	C:\Windows\{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe
File created	C:\Windows\{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe
File created	C:\Windows\{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe
File created	C:\Windows\{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe
File created	C:\Windows\{C6CF5963-8A01-4437-9BD4-5D49BA463553}.exe	{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe
File created	C:\Windows\{BC98CF6A-3377-4706-B5D9-C7128460905B}.exe	{C6CF5963-8A01-4437-9BD4-5D49BA463553}.exe
File created	C:\Windows\{DA5885DC-06ED-4ae3-A305-A619BC5F6D8C}.exe	{BC98CF6A-3377-4706-B5D9-C7128460905B}.exe
File created	C:\Windows\{1221A108-758F-4f34-BBB7-90134E0548AA}.exe	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe{545609B5-FA9F-447b-8E78-C1933EADB006}.exe{41DE7D30-1A28-4153-915B-30839F6593D4}.exe{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe{1221A108-758F-4f34-BBB7-90134E0548AA}.exe{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe{C6CF5963-8A01-4437-9BD4-5D49BA463553}.exe{BC98CF6A-3377-4706-B5D9-C7128460905B}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2224	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1704	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe
Token: SeIncBasePriorityPrivilege	2620	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe
Token: SeIncBasePriorityPrivilege	1736	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe
Token: SeIncBasePriorityPrivilege	2872	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe
Token: SeIncBasePriorityPrivilege	2524	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe
Token: SeIncBasePriorityPrivilege	2904	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe
Token: SeIncBasePriorityPrivilege	2020	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe
Token: SeIncBasePriorityPrivilege	1644	{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe
Token: SeIncBasePriorityPrivilege	2908	{C6CF5963-8A01-4437-9BD4-5D49BA463553}.exe
Token: SeIncBasePriorityPrivilege	1420	{BC98CF6A-3377-4706-B5D9-C7128460905B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2224 wrote to memory of 1704	2224	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe
PID 2224 wrote to memory of 1704	2224	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe
PID 2224 wrote to memory of 1704	2224	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe
PID 2224 wrote to memory of 1704	2224	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe
PID 2224 wrote to memory of 2940	2224	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe	cmd.exe
PID 2224 wrote to memory of 2940	2224	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe	cmd.exe
PID 2224 wrote to memory of 2940	2224	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe	cmd.exe
PID 2224 wrote to memory of 2940	2224	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe	cmd.exe
PID 1704 wrote to memory of 2620	1704	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe
PID 1704 wrote to memory of 2620	1704	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe
PID 1704 wrote to memory of 2620	1704	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe
PID 1704 wrote to memory of 2620	1704	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe
PID 1704 wrote to memory of 2648	1704	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe	cmd.exe
PID 1704 wrote to memory of 2648	1704	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe	cmd.exe
PID 1704 wrote to memory of 2648	1704	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe	cmd.exe
PID 1704 wrote to memory of 2648	1704	{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe	cmd.exe
PID 2620 wrote to memory of 1736	2620	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe
PID 2620 wrote to memory of 1736	2620	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe
PID 2620 wrote to memory of 1736	2620	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe
PID 2620 wrote to memory of 1736	2620	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe
PID 2620 wrote to memory of 2684	2620	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe	cmd.exe
PID 2620 wrote to memory of 2684	2620	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe	cmd.exe
PID 2620 wrote to memory of 2684	2620	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe	cmd.exe
PID 2620 wrote to memory of 2684	2620	{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe	cmd.exe
PID 1736 wrote to memory of 2872	1736	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe
PID 1736 wrote to memory of 2872	1736	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe
PID 1736 wrote to memory of 2872	1736	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe
PID 1736 wrote to memory of 2872	1736	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe
PID 1736 wrote to memory of 2876	1736	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe	cmd.exe
PID 1736 wrote to memory of 2876	1736	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe	cmd.exe
PID 1736 wrote to memory of 2876	1736	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe	cmd.exe
PID 1736 wrote to memory of 2876	1736	{545609B5-FA9F-447b-8E78-C1933EADB006}.exe	cmd.exe
PID 2872 wrote to memory of 2524	2872	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe
PID 2872 wrote to memory of 2524	2872	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe
PID 2872 wrote to memory of 2524	2872	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe
PID 2872 wrote to memory of 2524	2872	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe
PID 2872 wrote to memory of 2744	2872	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe	cmd.exe
PID 2872 wrote to memory of 2744	2872	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe	cmd.exe
PID 2872 wrote to memory of 2744	2872	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe	cmd.exe
PID 2872 wrote to memory of 2744	2872	{41DE7D30-1A28-4153-915B-30839F6593D4}.exe	cmd.exe
PID 2524 wrote to memory of 2904	2524	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe
PID 2524 wrote to memory of 2904	2524	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe
PID 2524 wrote to memory of 2904	2524	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe
PID 2524 wrote to memory of 2904	2524	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe
PID 2524 wrote to memory of 2328	2524	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe	cmd.exe
PID 2524 wrote to memory of 2328	2524	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe	cmd.exe
PID 2524 wrote to memory of 2328	2524	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe	cmd.exe
PID 2524 wrote to memory of 2328	2524	{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe	cmd.exe
PID 2904 wrote to memory of 2020	2904	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe
PID 2904 wrote to memory of 2020	2904	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe
PID 2904 wrote to memory of 2020	2904	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe
PID 2904 wrote to memory of 2020	2904	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe
PID 2904 wrote to memory of 1220	2904	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe	cmd.exe
PID 2904 wrote to memory of 1220	2904	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe	cmd.exe
PID 2904 wrote to memory of 1220	2904	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe	cmd.exe
PID 2904 wrote to memory of 1220	2904	{1221A108-758F-4f34-BBB7-90134E0548AA}.exe	cmd.exe
PID 2020 wrote to memory of 1644	2020	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe	{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe
PID 2020 wrote to memory of 1644	2020	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe	{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe
PID 2020 wrote to memory of 1644	2020	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe	{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe
PID 2020 wrote to memory of 1644	2020	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe	{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe
PID 2020 wrote to memory of 540	2020	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe	cmd.exe
PID 2020 wrote to memory of 540	2020	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe	cmd.exe
PID 2020 wrote to memory of 540	2020	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe	cmd.exe
PID 2020 wrote to memory of 540	2020	{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe
C:\Windows\{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe
C:\Windows\{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\{545609B5-FA9F-447b-8E78-C1933EADB006}.exe
C:\Windows\{545609B5-FA9F-447b-8E78-C1933EADB006}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\{41DE7D30-1A28-4153-915B-30839F6593D4}.exe
C:\Windows\{41DE7D30-1A28-4153-915B-30839F6593D4}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe
C:\Windows\{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\{1221A108-758F-4f34-BBB7-90134E0548AA}.exe
C:\Windows\{1221A108-758F-4f34-BBB7-90134E0548AA}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe
C:\Windows\{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe
C:\Windows\{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\{C6CF5963-8A01-4437-9BD4-5D49BA463553}.exe
C:\Windows\{C6CF5963-8A01-4437-9BD4-5D49BA463553}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\{BC98CF6A-3377-4706-B5D9-C7128460905B}.exe
C:\Windows\{BC98CF6A-3377-4706-B5D9-C7128460905B}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\{DA5885DC-06ED-4ae3-A305-A619BC5F6D8C}.exe
C:\Windows\{DA5885DC-06ED-4ae3-A305-A619BC5F6D8C}.exe
12⤵
- Executes dropped EXE
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BC98C~1.EXE > nul
12⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C6CF5~1.EXE > nul
11⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C57DB~1.EXE > nul
10⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FBD4F~1.EXE > nul
9⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1221A~1.EXE > nul
8⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7B416~1.EXE > nul
7⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{41DE7~1.EXE > nul
6⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{54560~1.EXE > nul
5⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E5326~1.EXE > nul
4⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FA7EE~1.EXE > nul
3⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2940

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1221A108-758F-4f34-BBB7-90134E0548AA}.exe
Filesize
204KB

MD5
e5c83d855b29f46498e8afdd5e3e8bec

SHA1
fb76ad2fb132e60a1a4aa9b45df5ee9486b303ef

SHA256
3be91ebaa9fd36630798dcd9cd2d077c8cd86d8b8a56dfa1499d33b925a5df59

SHA512
05ca3976e983c8a6b0ab025efc2953f0c5f75429d801010333038320657fe001e3c033c83c5212a567ed7c0218584948521bd83f2bf3e4de018dc6a5d4e6e972

Download Submit
C:\Windows\{41DE7D30-1A28-4153-915B-30839F6593D4}.exe
Filesize
204KB

MD5
8731f551cd9e657533fdd624914087ff

SHA1
4b94370d1433eb928e896c6e8a3003266c55169a

SHA256
7a6f5a541f9ab9401b3ceea6e102dc3eb7579ce63a5c33fb0e0bcc78cd74ef40

SHA512
1bb1d665f4943cbb178052ef979a15594d51a8154be9492283031d8d9ed61d127a7f30cf86a1d44c62ca5494b4e45901ad4c72b0775d3285cd73fd4ddc5d6867

Download Submit
C:\Windows\{545609B5-FA9F-447b-8E78-C1933EADB006}.exe
Filesize
204KB

MD5
1aa6287298cc5a1e4ec0b8f5e2df8cf5

SHA1
f50bd65b42096ab2a60cb0854909cdb22b926a6e

SHA256
6fa309a64e2341967cc1f6e6db7a2ffb998b579248bf96ce418db3a014671ea1

SHA512
f75c5adead2558a123e9f6301b753bc2f4d85ad0733988f5ddf9c82612314c060fd62a756a54c6aef3700692dfa86bf0ba9de580b1c140e503732ac5aa7efea0

Download Submit
C:\Windows\{7B416E2A-66C2-4e94-8D0E-C9D581CEA0BB}.exe
Filesize
204KB

MD5
3fabd62b8ad940292be90dd253930e05

SHA1
1c1657c73b81eb2befd4ce54b4666dc41d39dc87

SHA256
96f2a5272f16339521bf3a580aa7c84c60d5235cab554efa864964aeffd521be

SHA512
654f452e1a0014cc925efda3bf29db94a478a7373d1c3f094b0f922652eebef04a66525af79da2f041f1e42064bd08c9c842e341898376b701a64879948e1ffe

Download Submit
C:\Windows\{BC98CF6A-3377-4706-B5D9-C7128460905B}.exe
Filesize
204KB

MD5
7c9e1e34039bd9a5fb5e487ccd304231

SHA1
0b16b1121c75c390e0cb4d9e8ab786d30d26235e

SHA256
36ec86183ee2a60b4328122a1b9a7d53a939b76a4dbf6b8223747fca06ca6689

SHA512
a84bc38e4b12de863e15a1fb1511a6d7950a1f822e63d174b51906d54f287352f708eb61964f049ff7e66f0ef7ad47b7afca5e28cef2654c2d9e4e9d96301c3e

Download Submit
C:\Windows\{C57DB750-C632-4d71-B984-0B1F1EC23AF8}.exe
Filesize
204KB

MD5
abe80b7641c1a0f3f7991dc208c71047

SHA1
46c9f072f3af5da367c1d71d07725753b33e1727

SHA256
a8e7e35ed8f17357f53a625c28fe1dde11e84345b99ecb1e50b916f26e1a7341

SHA512
da04214812ee40f54dd533d8f2b1c515bd5eb66f5cf599ff2f49e3e8d7bad8c1c83285854918fda5dbc8e97f869422dba382cdeb82e32bfc7ca330d1e2c1cd80

Download Submit
C:\Windows\{C6CF5963-8A01-4437-9BD4-5D49BA463553}.exe
Filesize
204KB

MD5
23aad8c3d51af2aab64c66730146ab60

SHA1
becaaa6ce44c2452b9b66cb3786376e742f66bf2

SHA256
85aac3496f8405494ded27c89f932f6633f799dcd327e4c95ed2e44cc34c56b1

SHA512
bc689ef0db3d2ff882cdd9b3ca37247e1fec02fcc5794a04114a2cd661bcc678e2746cbe1a914a7403a8ff12b5d842e405fcf080bea6586bb7bde74c5aee1d95

Download Submit
C:\Windows\{DA5885DC-06ED-4ae3-A305-A619BC5F6D8C}.exe
Filesize
204KB

MD5
5537585ef84e0de4a739d3709feaa0e6

SHA1
314469c8cb68ea129fadc46d9e221912bf3198f0

SHA256
661139bb0a941de8a88c872fa5d03a2b2a202aa56cc62f4b0cf9e2ca766bc22c

SHA512
a20fe650da7132cef5eb77adb7b4aab511eb922e1f1b106f7c6f7f43d8b5ac3c07d53e9cdb63f911050704b8d3d3e37b54a5d4619481d5836839ae1d7b64934e

Download Submit
C:\Windows\{E53260C1-6E2F-4fde-8DF8-1DB641A52413}.exe
Filesize
204KB

MD5
a4881447edf0ac07adad2aa5a96fd41f

SHA1
84bfa751fe014afc028f84b549431564aa8f4451

SHA256
1f06908f6f562081e74644460ba9f29bfb1082f281ea69f3221530f35449f442

SHA512
2882a40c96d062bffe70678e5fbcac4c4405c3e7a2566140e7f7f928036c25e2d21c6acd834769c130aa99aed8c19bdb6d53b66714d8871eb8c6389327575fb9

Download Submit
C:\Windows\{FA7EE441-D6AD-4cfb-B192-FAAF2E876F2D}.exe
Filesize
204KB

MD5
5c037cfbf80939d52aec20d905f75af8

SHA1
8b8ab8d2b6e2e4dfaf339785c4725195f9ca7399

SHA256
a20a60db4ed044cdeed617576ba151f9840cdef7fb7ec4772c27c65aafc5198a

SHA512
7551a31ad4a14033fa634e1348b036ba93c980526691ff319af1bd82bf1e41d828d6d7de3d7c63f320104ae8aa5bdf0b15f2fb3bd006fb2ea5c9270625b5471e

Download Submit
C:\Windows\{FBD4FCCF-8CBC-4f05-827B-33D7FDD197FD}.exe
Filesize
204KB

MD5
597ff1ecb9718d40a7c8ad90f69a7def

SHA1
59041f5eacd6b80bbc95513b05e90364f35d1752

SHA256
e240ef2afbbc9b9057f17f1606e74101fcdfa58684ca5d18c3f8b6b7c22f6dad

SHA512
096be8710066c0481e793628092316ef7740186eee1ed383cb53d9d67eb43580e26cf01af8e1decc12a9865b0935f8d517ace87aa395d28515c913e103977e36

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads