348aed7ababcf46e2edbb63cd09164bbde1a308e050f4b8adf2591c9f3c2eb91

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe
Size

408KB
MD5

5bff720a0d116999389eed5fa08da62d
SHA1

448bef2748b57b67e8f73c2645e82c140a951af3
SHA256

348aed7ababcf46e2edbb63cd09164bbde1a308e050f4b8adf2591c9f3c2eb91
SHA512

74cd906385c4f7e418f6973e0695e98906b018b22c4b1eab5006a33099cba403957ad30afb1bc69f47a5b8db957b3978f1d650e43045b86d25531d1550c9048a
SSDEEP

3072:CEGh0oQl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGWldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1E840496-1FDB-4310-BAD3-A0D980864D51}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B5FFD761-3E53-4cd4-A51F-F6E50A93CC5A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe{1E840496-1FDB-4310-BAD3-A0D980864D51}.exe{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}.exe{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5993E7DA-10E5-484a-9835-B7721C6CAB6B}\stubpath = "C:\\Windows\\{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe"	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}\stubpath = "C:\\Windows\\{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe"	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}\stubpath = "C:\\Windows\\{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe"	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}\stubpath = "C:\\Windows\\{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe"	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F3C8446-01D7-419c-BC9D-7E93658197E1}	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F3C8446-01D7-419c-BC9D-7E93658197E1}\stubpath = "C:\\Windows\\{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe"	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5993E7DA-10E5-484a-9835-B7721C6CAB6B}	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB5C9611-40CD-45f9-A699-BF845657FAE4}	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E840496-1FDB-4310-BAD3-A0D980864D51}	{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}	{1E840496-1FDB-4310-BAD3-A0D980864D51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5FFD761-3E53-4cd4-A51F-F6E50A93CC5A}\stubpath = "C:\\Windows\\{B5FFD761-3E53-4cd4-A51F-F6E50A93CC5A}.exe"	{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{638693D8-E13B-4659-9520-1EF5A15F98F5}	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB5C9611-40CD-45f9-A699-BF845657FAE4}\stubpath = "C:\\Windows\\{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe"	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}\stubpath = "C:\\Windows\\{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}.exe"	{1E840496-1FDB-4310-BAD3-A0D980864D51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{638693D8-E13B-4659-9520-1EF5A15F98F5}\stubpath = "C:\\Windows\\{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe"	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}\stubpath = "C:\\Windows\\{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe"	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E840496-1FDB-4310-BAD3-A0D980864D51}\stubpath = "C:\\Windows\\{1E840496-1FDB-4310-BAD3-A0D980864D51}.exe"	{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5FFD761-3E53-4cd4-A51F-F6E50A93CC5A}	{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2684 cmd.exe

pid	process
2684	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe{1E840496-1FDB-4310-BAD3-A0D980864D51}.exe{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}.exe{B5FFD761-3E53-4cd4-A51F-F6E50A93CC5A}.exe

pid	process
3028	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe
2724	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe
2812	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe
2980	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe
2832	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe
1576	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe
1420	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe
2744	{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe
2092	{1E840496-1FDB-4310-BAD3-A0D980864D51}.exe
2376	{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}.exe
780	{B5FFD761-3E53-4cd4-A51F-F6E50A93CC5A}.exe

Drops file in Windows directory 11 IoCs

Processes:

{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe{1E840496-1FDB-4310-BAD3-A0D980864D51}.exe2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}.exe{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe

description	ioc	process
File created	C:\Windows\{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe
File created	C:\Windows\{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe
File created	C:\Windows\{1E840496-1FDB-4310-BAD3-A0D980864D51}.exe	{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe
File created	C:\Windows\{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}.exe	{1E840496-1FDB-4310-BAD3-A0D980864D51}.exe
File created	C:\Windows\{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe
File created	C:\Windows\{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe
File created	C:\Windows\{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe
File created	C:\Windows\{B5FFD761-3E53-4cd4-A51F-F6E50A93CC5A}.exe	{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}.exe
File created	C:\Windows\{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe
File created	C:\Windows\{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe
File created	C:\Windows\{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe{1E840496-1FDB-4310-BAD3-A0D980864D51}.exe{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2944	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3028	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe
Token: SeIncBasePriorityPrivilege	2724	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe
Token: SeIncBasePriorityPrivilege	2812	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe
Token: SeIncBasePriorityPrivilege	2980	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe
Token: SeIncBasePriorityPrivilege	2832	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe
Token: SeIncBasePriorityPrivilege	1576	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe
Token: SeIncBasePriorityPrivilege	1420	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe
Token: SeIncBasePriorityPrivilege	2744	{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe
Token: SeIncBasePriorityPrivilege	2092	{1E840496-1FDB-4310-BAD3-A0D980864D51}.exe
Token: SeIncBasePriorityPrivilege	2376	{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2944 wrote to memory of 3028	2944	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe
PID 2944 wrote to memory of 3028	2944	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe
PID 2944 wrote to memory of 3028	2944	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe
PID 2944 wrote to memory of 3028	2944	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe
PID 2944 wrote to memory of 2684	2944	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe	cmd.exe
PID 2944 wrote to memory of 2684	2944	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe	cmd.exe
PID 2944 wrote to memory of 2684	2944	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe	cmd.exe
PID 2944 wrote to memory of 2684	2944	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe	cmd.exe
PID 3028 wrote to memory of 2724	3028	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe
PID 3028 wrote to memory of 2724	3028	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe
PID 3028 wrote to memory of 2724	3028	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe
PID 3028 wrote to memory of 2724	3028	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe
PID 3028 wrote to memory of 2660	3028	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe	cmd.exe
PID 3028 wrote to memory of 2660	3028	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe	cmd.exe
PID 3028 wrote to memory of 2660	3028	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe	cmd.exe
PID 3028 wrote to memory of 2660	3028	{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe	cmd.exe
PID 2724 wrote to memory of 2812	2724	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe
PID 2724 wrote to memory of 2812	2724	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe
PID 2724 wrote to memory of 2812	2724	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe
PID 2724 wrote to memory of 2812	2724	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe
PID 2724 wrote to memory of 2532	2724	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe	cmd.exe
PID 2724 wrote to memory of 2532	2724	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe	cmd.exe
PID 2724 wrote to memory of 2532	2724	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe	cmd.exe
PID 2724 wrote to memory of 2532	2724	{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe	cmd.exe
PID 2812 wrote to memory of 2980	2812	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe
PID 2812 wrote to memory of 2980	2812	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe
PID 2812 wrote to memory of 2980	2812	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe
PID 2812 wrote to memory of 2980	2812	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe
PID 2812 wrote to memory of 2992	2812	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe	cmd.exe
PID 2812 wrote to memory of 2992	2812	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe	cmd.exe
PID 2812 wrote to memory of 2992	2812	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe	cmd.exe
PID 2812 wrote to memory of 2992	2812	{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe	cmd.exe
PID 2980 wrote to memory of 2832	2980	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe
PID 2980 wrote to memory of 2832	2980	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe
PID 2980 wrote to memory of 2832	2980	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe
PID 2980 wrote to memory of 2832	2980	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe
PID 2980 wrote to memory of 2864	2980	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe	cmd.exe
PID 2980 wrote to memory of 2864	2980	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe	cmd.exe
PID 2980 wrote to memory of 2864	2980	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe	cmd.exe
PID 2980 wrote to memory of 2864	2980	{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe	cmd.exe
PID 2832 wrote to memory of 1576	2832	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe
PID 2832 wrote to memory of 1576	2832	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe
PID 2832 wrote to memory of 1576	2832	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe
PID 2832 wrote to memory of 1576	2832	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe
PID 2832 wrote to memory of 1976	2832	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe	cmd.exe
PID 2832 wrote to memory of 1976	2832	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe	cmd.exe
PID 2832 wrote to memory of 1976	2832	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe	cmd.exe
PID 2832 wrote to memory of 1976	2832	{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe	cmd.exe
PID 1576 wrote to memory of 1420	1576	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe
PID 1576 wrote to memory of 1420	1576	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe
PID 1576 wrote to memory of 1420	1576	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe
PID 1576 wrote to memory of 1420	1576	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe
PID 1576 wrote to memory of 1800	1576	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe	cmd.exe
PID 1576 wrote to memory of 1800	1576	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe	cmd.exe
PID 1576 wrote to memory of 1800	1576	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe	cmd.exe
PID 1576 wrote to memory of 1800	1576	{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe	cmd.exe
PID 1420 wrote to memory of 2744	1420	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe	{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe
PID 1420 wrote to memory of 2744	1420	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe	{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe
PID 1420 wrote to memory of 2744	1420	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe	{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe
PID 1420 wrote to memory of 2744	1420	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe	{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe
PID 1420 wrote to memory of 1620	1420	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe	cmd.exe
PID 1420 wrote to memory of 1620	1420	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe	cmd.exe
PID 1420 wrote to memory of 1620	1420	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe	cmd.exe
PID 1420 wrote to memory of 1620	1420	{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe
C:\Windows\{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe
C:\Windows\{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe
C:\Windows\{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe
C:\Windows\{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe
C:\Windows\{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe
C:\Windows\{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe
C:\Windows\{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe
C:\Windows\{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\{1E840496-1FDB-4310-BAD3-A0D980864D51}.exe
C:\Windows\{1E840496-1FDB-4310-BAD3-A0D980864D51}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}.exe
C:\Windows\{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\{B5FFD761-3E53-4cd4-A51F-F6E50A93CC5A}.exe
C:\Windows\{B5FFD761-3E53-4cd4-A51F-F6E50A93CC5A}.exe
12⤵
- Executes dropped EXE
PID:780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B8EF0~1.EXE > nul
12⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1E840~1.EXE > nul
11⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FB5C9~1.EXE > nul
10⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{ECC80~1.EXE > nul
9⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{769EF~1.EXE > nul
8⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2FAF6~1.EXE > nul
7⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{43D88~1.EXE > nul
6⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{63869~1.EXE > nul
5⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5993E~1.EXE > nul
4⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7F3C8~1.EXE > nul
3⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2684

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E840496-1FDB-4310-BAD3-A0D980864D51}.exe
Filesize
408KB

MD5
e33c0adc75700fcc308731aed67f5474

SHA1
15e899c24aaa15394eff272e708560590901daa1

SHA256
b098a66bce2cbfb95d3dd8892df045ef711581ed21003ba87b626fd544064f9a

SHA512
d3079360b33c4c987f9cfa52b15efbc74dbbaeb76d4f182b86786bf3b446da89d677d057ad64295857a3a17ea02f8d20cda90b61615475c28d07566fb3275540

Download Submit
C:\Windows\{2FAF683C-B51A-4b6a-B6A9-0486C9515C59}.exe
Filesize
408KB

MD5
b5fff128fee8b9f247d66ef9d642b9fe

SHA1
c6eea309f87d8205e648b7aff5da7d5fbf608bf8

SHA256
171fc7f21aee9b9db0430a30bee5a3306978fca0b88cc3e132e36805f5b16625

SHA512
4ed7c0d650ef3fa787a04832e75be61d1cc11fb8f07f6561c9920c0da77bdb8f6424527cbc1857fd28b5c0273488ea902b079e84cd80b1859225b0a450d6e9af

Download Submit
C:\Windows\{43D88F94-43F8-4e66-A5DB-2C1BA400D38B}.exe
Filesize
408KB

MD5
0e79980a32e43d724e7586f80c2b3711

SHA1
94fb86c3e81e256d36384d6304f4fe27faef919e

SHA256
8003517c913612210a59b55a896d84c494c4405967be9580c04269d193765ba9

SHA512
875d5ed71bff8b96add5500cb1053969536b5e65d9936ff0aa2c0cd606b17bf7dfb13ef59004e51883f6d8d0f9b95c8c11eae910924ae648319b52f14102786a

Download Submit
C:\Windows\{5993E7DA-10E5-484a-9835-B7721C6CAB6B}.exe
Filesize
408KB

MD5
ffb91c6df1917232c58968062aa0b226

SHA1
22d4599637dee4bfce4e6b4003b1d7cc76918b1d

SHA256
ec045f1269897450ff346db798cd5a8c7d6be083818101e24b9e1580690116cb

SHA512
287552e837be95438bf99aae41105a85ea5218397da94435eb2c28b670de9308f067504bc73cff90736b1c8b4fb1deb754551774ff8ea9cf871d7ef97e4dd4f8

Download Submit
C:\Windows\{638693D8-E13B-4659-9520-1EF5A15F98F5}.exe
Filesize
408KB

MD5
dcb0d8578ff1f01b6ef369fd3a80b22c

SHA1
b253e15944880dde28f07194c3ab8a4eccda7052

SHA256
949805ebad5fbeeccb28db042c8011456abc44472b4c7780e884e4b6bd36b1be

SHA512
876a3bb211712cfb30545522da509becfb321db64f172eab6e010afb14e066b7870c14c4d3e371fef949fe516496815d8fa2edf22e0953a59378e32ab6007e4c

Download Submit
C:\Windows\{769EF9E6-EEC1-4b9b-BB88-B5DE937B61C2}.exe
Filesize
408KB

MD5
f91c6c4489de354169037cca54684cfa

SHA1
89b28b595840e5273d22dffd9f986d8238a714a2

SHA256
c83c8d1e4dd75c3685573dc2eee42db23344ba38899cd6718c23f342d567d1a6

SHA512
1c5d7fc83e3e012eae52b5c7ada386321bcdede579e0bf444d00a495719776ea3313d214e4753b2a055e1b1dcf1e62ca225f226b02b36f942992e983b5e24241

Download Submit
C:\Windows\{7F3C8446-01D7-419c-BC9D-7E93658197E1}.exe
Filesize
408KB

MD5
314e55ef79f3e7be75554004d429dbb2

SHA1
a54953304c3cd15d0ec44d709fe7b6f268ce692a

SHA256
57989712f1e9ac0c003d10f8ebd2f887c2f83c4108f40ad1284089ac67e2a645

SHA512
a30b34dfc9e164c84cba545f37f9789f07c77d1c00a1770bea5b8b05f398d7ca229624023df9477d2930accaa66568433c3850e4f9f0d4b7f428fee5ed7fb89e

Download Submit
C:\Windows\{B5FFD761-3E53-4cd4-A51F-F6E50A93CC5A}.exe
Filesize
408KB

MD5
30065dfdd02b1cdc6d39194dce1d7c71

SHA1
56a27a740ba37cf7d79adc686def2f236a0c6910

SHA256
d65c4dd3c03ba23fef604876daa414e3ed54dc5cf76b3c3a4cc3b02ec6c8461f

SHA512
aad59b7e6532f73c104ca003bb18faf4f67e93241b01b7e726575bc5114413d4bf55554a7d261897b4e4b48a081d38b15d2ac7dcf5419788f5b4def1da88742d

Download Submit
C:\Windows\{B8EF00C0-AADD-4cc5-BAA6-79046D424B8A}.exe
Filesize
408KB

MD5
2978a20747d5c9c89c091552d2846ecf

SHA1
36ee35448df682da60e989ad164284d7ac57494f

SHA256
4140e2f75b281cfd7e3e56d6bc6b8a1547e12f75f253e01ad7da6c7d76e42834

SHA512
afb9db87d560ef823141375bc060e0d133e650739345709965fae65c18f316a603c83abe17b3f7441e5b861a64284be033711add0107510a955f25c1a6bbda83

Download Submit
C:\Windows\{ECC80A1E-CB85-4aa3-A02A-C2A8A55A3684}.exe
Filesize
408KB

MD5
761eb064e3b34e9879b1557c808e5029

SHA1
2bed4e154a046fe0092fe9bd98e9cb49bfd1ce82

SHA256
144ae3edbd30455c80eeb637b6985db5117db42b65e5408d7d31ca1703008912

SHA512
c44540bac88fe3858c63ead9e25f37bd8e415c9d0ad021e8a7833f18c12123f3a83867bde50f06934e66419cd4bad1ed3e4f84c0a9acf8fc97c4a31d935b6e0c

Download Submit
C:\Windows\{FB5C9611-40CD-45f9-A699-BF845657FAE4}.exe
Filesize
408KB

MD5
c6a351b0d3639350d03ad8bb1a345566

SHA1
4a9c9cc9903d75dcc6c8c452d1aa5c913ae75b99

SHA256
24bc3191e14c871fb073b65acb7a4f139f092d3f43f2e532c9ea04700ca0dfbd

SHA512
48c6b77a5c356b78fc0e6f392839ff87e9c57e255fbe1422b5bfddb53f637084cfb4bc10a73af100778fc02d018816ea1757df05f1fff11dcde170e1ec701fd6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads