63266e8b189ab68064dd6b08c3a59a9a77f34aa0ddd0d05c487c589f5cda09d5

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe
Size

197KB
MD5

2db276831963609abab179ef7e026e56
SHA1

37b9a6d66a32477bc67bb0ea80607581ec43ecb7
SHA256

63266e8b189ab68064dd6b08c3a59a9a77f34aa0ddd0d05c487c589f5cda09d5
SHA512

75f635aff9846fc48241a3df8edaba182c88437fb48b32e409ff2c98abd2715fdef7ecd7683410cc0284451cf4f5771a56a3acd580f5a4b9a9c300672bf4c7aa
SSDEEP

3072:jEGh0ogl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGilEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B356494B-3B20-40ca-89DE-FAAFF4603CB1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{603E7E86-3620-419f-AE8E-B06FA3AC22BE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}.exe{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe{B356494B-3B20-40ca-89DE-FAAFF4603CB1}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B356494B-3B20-40ca-89DE-FAAFF4603CB1}	{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B356494B-3B20-40ca-89DE-FAAFF4603CB1}\stubpath = "C:\\Windows\\{B356494B-3B20-40ca-89DE-FAAFF4603CB1}.exe"	{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{603E7E86-3620-419f-AE8E-B06FA3AC22BE}	{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}\stubpath = "C:\\Windows\\{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe"	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}\stubpath = "C:\\Windows\\{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe"	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEF72096-B633-450c-B92F-9AB512BCD40B}\stubpath = "C:\\Windows\\{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe"	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}\stubpath = "C:\\Windows\\{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe"	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{233494DF-DCBF-4727-A720-D830F97F5ECB}	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}\stubpath = "C:\\Windows\\{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe"	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEF72096-B633-450c-B92F-9AB512BCD40B}	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C301A314-C56C-467c-A3FE-A6A3532BAEB2}	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C301A314-C56C-467c-A3FE-A6A3532BAEB2}\stubpath = "C:\\Windows\\{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe"	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB68514C-24EC-4cc6-8304-D7315B45D169}	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB68514C-24EC-4cc6-8304-D7315B45D169}\stubpath = "C:\\Windows\\{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe"	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}	{B356494B-3B20-40ca-89DE-FAAFF4603CB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{233494DF-DCBF-4727-A720-D830F97F5ECB}\stubpath = "C:\\Windows\\{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe"	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}\stubpath = "C:\\Windows\\{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}.exe"	{B356494B-3B20-40ca-89DE-FAAFF4603CB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{603E7E86-3620-419f-AE8E-B06FA3AC22BE}\stubpath = "C:\\Windows\\{603E7E86-3620-419f-AE8E-B06FA3AC22BE}.exe"	{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}.exe

Executes dropped EXE 11 IoCs

Processes:

{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe{B356494B-3B20-40ca-89DE-FAAFF4603CB1}.exe{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}.exe{603E7E86-3620-419f-AE8E-B06FA3AC22BE}.exe

pid	process
2896	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe
2524	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe
2604	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe
1476	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe
2692	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe
1832	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe
2116	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe
832	{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe
3052	{B356494B-3B20-40ca-89DE-FAAFF4603CB1}.exe
324	{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}.exe
1752	{603E7E86-3620-419f-AE8E-B06FA3AC22BE}.exe

Drops file in Windows directory 11 IoCs

Processes:

{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe{B356494B-3B20-40ca-89DE-FAAFF4603CB1}.exe2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}.exe{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe

description	ioc	process
File created	C:\Windows\{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe
File created	C:\Windows\{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe
File created	C:\Windows\{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}.exe	{B356494B-3B20-40ca-89DE-FAAFF4603CB1}.exe
File created	C:\Windows\{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe
File created	C:\Windows\{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe
File created	C:\Windows\{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe
File created	C:\Windows\{B356494B-3B20-40ca-89DE-FAAFF4603CB1}.exe	{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe
File created	C:\Windows\{603E7E86-3620-419f-AE8E-B06FA3AC22BE}.exe	{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}.exe
File created	C:\Windows\{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe
File created	C:\Windows\{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe
File created	C:\Windows\{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe{B356494B-3B20-40ca-89DE-FAAFF4603CB1}.exe{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1912	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2896	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe
Token: SeIncBasePriorityPrivilege	2524	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe
Token: SeIncBasePriorityPrivilege	2604	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe
Token: SeIncBasePriorityPrivilege	1476	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe
Token: SeIncBasePriorityPrivilege	2692	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe
Token: SeIncBasePriorityPrivilege	1832	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe
Token: SeIncBasePriorityPrivilege	2116	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe
Token: SeIncBasePriorityPrivilege	832	{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe
Token: SeIncBasePriorityPrivilege	3052	{B356494B-3B20-40ca-89DE-FAAFF4603CB1}.exe
Token: SeIncBasePriorityPrivilege	324	{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1912 wrote to memory of 2896	1912	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe
PID 1912 wrote to memory of 2896	1912	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe
PID 1912 wrote to memory of 2896	1912	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe
PID 1912 wrote to memory of 2896	1912	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe
PID 1912 wrote to memory of 1248	1912	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe	cmd.exe
PID 1912 wrote to memory of 1248	1912	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe	cmd.exe
PID 1912 wrote to memory of 1248	1912	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe	cmd.exe
PID 1912 wrote to memory of 1248	1912	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe	cmd.exe
PID 2896 wrote to memory of 2524	2896	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe
PID 2896 wrote to memory of 2524	2896	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe
PID 2896 wrote to memory of 2524	2896	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe
PID 2896 wrote to memory of 2524	2896	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe
PID 2896 wrote to memory of 2512	2896	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe	cmd.exe
PID 2896 wrote to memory of 2512	2896	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe	cmd.exe
PID 2896 wrote to memory of 2512	2896	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe	cmd.exe
PID 2896 wrote to memory of 2512	2896	{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe	cmd.exe
PID 2524 wrote to memory of 2604	2524	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe
PID 2524 wrote to memory of 2604	2524	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe
PID 2524 wrote to memory of 2604	2524	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe
PID 2524 wrote to memory of 2604	2524	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe
PID 2524 wrote to memory of 2476	2524	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe	cmd.exe
PID 2524 wrote to memory of 2476	2524	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe	cmd.exe
PID 2524 wrote to memory of 2476	2524	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe	cmd.exe
PID 2524 wrote to memory of 2476	2524	{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe	cmd.exe
PID 2604 wrote to memory of 1476	2604	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe
PID 2604 wrote to memory of 1476	2604	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe
PID 2604 wrote to memory of 1476	2604	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe
PID 2604 wrote to memory of 1476	2604	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe
PID 2604 wrote to memory of 2424	2604	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe	cmd.exe
PID 2604 wrote to memory of 2424	2604	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe	cmd.exe
PID 2604 wrote to memory of 2424	2604	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe	cmd.exe
PID 2604 wrote to memory of 2424	2604	{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe	cmd.exe
PID 1476 wrote to memory of 2692	1476	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe
PID 1476 wrote to memory of 2692	1476	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe
PID 1476 wrote to memory of 2692	1476	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe
PID 1476 wrote to memory of 2692	1476	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe
PID 1476 wrote to memory of 1840	1476	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe	cmd.exe
PID 1476 wrote to memory of 1840	1476	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe	cmd.exe
PID 1476 wrote to memory of 1840	1476	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe	cmd.exe
PID 1476 wrote to memory of 1840	1476	{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe	cmd.exe
PID 2692 wrote to memory of 1832	2692	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe
PID 2692 wrote to memory of 1832	2692	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe
PID 2692 wrote to memory of 1832	2692	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe
PID 2692 wrote to memory of 1832	2692	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe
PID 2692 wrote to memory of 284	2692	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe	cmd.exe
PID 2692 wrote to memory of 284	2692	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe	cmd.exe
PID 2692 wrote to memory of 284	2692	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe	cmd.exe
PID 2692 wrote to memory of 284	2692	{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe	cmd.exe
PID 1832 wrote to memory of 2116	1832	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe
PID 1832 wrote to memory of 2116	1832	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe
PID 1832 wrote to memory of 2116	1832	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe
PID 1832 wrote to memory of 2116	1832	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe
PID 1832 wrote to memory of 2808	1832	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe	cmd.exe
PID 1832 wrote to memory of 2808	1832	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe	cmd.exe
PID 1832 wrote to memory of 2808	1832	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe	cmd.exe
PID 1832 wrote to memory of 2808	1832	{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe	cmd.exe
PID 2116 wrote to memory of 832	2116	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe	{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe
PID 2116 wrote to memory of 832	2116	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe	{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe
PID 2116 wrote to memory of 832	2116	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe	{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe
PID 2116 wrote to memory of 832	2116	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe	{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe
PID 2116 wrote to memory of 1204	2116	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe	cmd.exe
PID 2116 wrote to memory of 1204	2116	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe	cmd.exe
PID 2116 wrote to memory of 1204	2116	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe	cmd.exe
PID 2116 wrote to memory of 1204	2116	{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe
C:\Windows\{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe
C:\Windows\{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe
C:\Windows\{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe
C:\Windows\{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe
C:\Windows\{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe
C:\Windows\{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe
C:\Windows\{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe
C:\Windows\{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\{B356494B-3B20-40ca-89DE-FAAFF4603CB1}.exe
C:\Windows\{B356494B-3B20-40ca-89DE-FAAFF4603CB1}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}.exe
C:\Windows\{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\{603E7E86-3620-419f-AE8E-B06FA3AC22BE}.exe
C:\Windows\{603E7E86-3620-419f-AE8E-B06FA3AC22BE}.exe
12⤵
- Executes dropped EXE
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A5D83~1.EXE > nul
12⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B3564~1.EXE > nul
11⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2ACBA~1.EXE > nul
10⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C301A~1.EXE > nul
9⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FB685~1.EXE > nul
8⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EEF72~1.EXE > nul
7⤵
PID:284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9D543~1.EXE > nul
6⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{457DC~1.EXE > nul
5⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{937BE~1.EXE > nul
4⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{23349~1.EXE > nul
3⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:1248

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{233494DF-DCBF-4727-A720-D830F97F5ECB}.exe
Filesize
197KB

MD5
cdcaa0cf62c335b6c2c3f1fda80cfd16

SHA1
3a9ad4e865793e08fa350ef746d6126becbeb2d8

SHA256
cdf8005319a72b9620201dd41e6232b4572500777fae2361656f25ee0bbfff94

SHA512
f6c7f11a23d7b333155444c75cc973ca36d9cfe3c30b29c9f8366ee1e79fab46a7e4d5fa0b27d13794f1489810ec35a3f6621d4cad87ea26a281a97084668d58

Download Submit
C:\Windows\{2ACBAD03-1127-46d2-AFB6-E1CC7D5A2609}.exe
Filesize
197KB

MD5
7d142783377492fc4d958f7fc94130b4

SHA1
04a8ddf21786dd829e198da9d5394d1c55ce9fa9

SHA256
5c0dbee356e40793d1db28d9cd225db2f31cd9968ebf300fa3033c6fd79bf866

SHA512
73ee1031a2b18cf84010b79dae0aec8c902b4ab9db3cfbd8c255a2ec676f2e8724030fbe8ea7e4c42c705e6d01a1848741d33b8ab29ce2a5dce3ae25c7859a31

Download Submit
C:\Windows\{457DC9D6-529A-44c6-95F0-5AC6BF81C9D4}.exe
Filesize
197KB

MD5
9bcc3c7f47b57356889ac384e564a96a

SHA1
82e3050486314e8d8fe7ec8563f116028e4bca19

SHA256
f10dbb5a4f5b5bb743bd85c556d7cfefc4cf450333011ec5f3e981e74fd42413

SHA512
9514f8c68c4f1c3182328ee326448868d2f576c09f75cf12960bc73d3581497a22b2cbba4d87b763b1769d472e4d76a7a5faa0eac054b4c34f45fa5b74b263cc

Download Submit
C:\Windows\{603E7E86-3620-419f-AE8E-B06FA3AC22BE}.exe
Filesize
197KB

MD5
53bb515682e08e62cde295c636eebfa2

SHA1
6a0a54e8b615af57b2a0dff26578d096c3e22098

SHA256
c4f6a150df29c1725653f25542027897fad95819f5d7a81291855b57cb2e3f08

SHA512
b84b86ad7215c72d26730e4aea0e6fcc20c3c7fa1330c7d57e4bce63f541affd3a094c13362b91c2a98a925575cac684c3447846061fb44fb68005a9dabb98a0

Download Submit
C:\Windows\{937BE0E1-797F-4e1d-B49F-F8FA51ADAE8A}.exe
Filesize
197KB

MD5
4062306f42bdad4a7c19723d3b916c8b

SHA1
0b4e95e0beddaea61253ee9a867f3df795ea4353

SHA256
c3c2c1fe04383ecaed9b0e4eefb4bceefc9b8afb20377bede989e6d5085a9bba

SHA512
8bf9ac6f2e43ddb2a212b10f39639391fb67f132f435cf0a382088fb3180b5b5897c27082f80027e19605fb2cde6a22cfd4028bac38a1e3312ec05b1e2b9ed5b

Download Submit
C:\Windows\{9D54381A-B8D7-4e96-8D27-C1E33E648A2F}.exe
Filesize
197KB

MD5
56a44dd4afa5a2dc80e1367cd86ba9c2

SHA1
4dac7486cac9dde267d4dee0c1d556d89657c7a9

SHA256
f8f1fd7ec5bc586a3d3a9a64432be22b097f77c7de351f48cdf9491bc6db70d0

SHA512
a73bd55f2b1e941fff55c509b4f0a24fba7d19fb0c30d2d93b6f7e1d3188a03996539fdecef709b076d65a820ec5f928fbf861b3674d9e0a183531babd04e491

Download Submit
C:\Windows\{A5D83DA7-7979-440f-969F-62BFB3D0FD7F}.exe
Filesize
197KB

MD5
81479a3ff4692a5ad80a1acb162e6a58

SHA1
96aa383f87ea99a6436f89c512b57debb25503ce

SHA256
be28024023e559430ae79b0d2f5088b8c561942adbb9844576a440fe6b604613

SHA512
ebdb261793a1561e72475c411f9fbdcff62215a3f0ff4b43d6d18b4dd80ec446e23b849532ff85345434ab236121836df4955a8097a3f9e51bfdfb16ed6825ec

Download Submit
C:\Windows\{B356494B-3B20-40ca-89DE-FAAFF4603CB1}.exe
Filesize
197KB

MD5
305f37be6541f9f5f301c7346d257187

SHA1
932c7854530b114ef22e016a2f4410cccd4ef971

SHA256
be69f389c2a8f660637f046d1778e48675a321afcb8a38e63101127231829071

SHA512
8e70073e0cb8e3b7e893794e25724ef775f9871d2830c041a5b318f73ce347f0c00b0e77bfe8b065b443115c837625196f9ee473f34ce25ad9d3ba912e748724

Download Submit
C:\Windows\{C301A314-C56C-467c-A3FE-A6A3532BAEB2}.exe
Filesize
197KB

MD5
e006b03d511380472b3a046c9da230de

SHA1
e28ca6833f614464e96df843e9e0239adf426e63

SHA256
a0ec6c36aa5353068327ef8cdb40f4155fced66663ff1904768bd6c67add8a06

SHA512
c8700c2049b8949b43a83c2bedd9e18e9ffede50b7ff4048083dcb0074ecbfd21d221644aa687fdf5c82dc224340cda7efda3c3d76ccf88ba5f13246d99a1ccc

Download Submit
C:\Windows\{EEF72096-B633-450c-B92F-9AB512BCD40B}.exe
Filesize
197KB

MD5
60614c890bb14b7eca2d396991af5f15

SHA1
4a3f9a35d1f4a8c9c72e3997aeff3bd8cb10d02a

SHA256
4e72137bfc2dc4d889e2d99b00c06bd1b62141f10d8d3880c8759b3d9ff3cc96

SHA512
5104b2eb3299be87d25ce3e00c6448b599a39db23f36552e39b6a3519e087a2aae7bb960d53567636397bda652a049acc8098626af6354b22e3b01068fd18666

Download Submit
C:\Windows\{FB68514C-24EC-4cc6-8304-D7315B45D169}.exe
Filesize
197KB

MD5
5c8a169d996339031b7b7022c031f097

SHA1
240b37cde9475f9f2ed1f7e6c0b75d3959cf6179

SHA256
bbc6ee7f247312fe17fddc04861828d42b9f23271f4653648950039ad1d58aec

SHA512
5346094254c333f8f725330118d14ab254f9a56e9cfe5fc2c90d49bb7c343000a62cbb7500a08eeb16a77f992e6d37a9ff5ae2b96fb55405bc3dea22a072585d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads