a5ae13e9881edb845cb1be040db949fddee0304a777817ff2c1e759dd9b9fd3e

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe
Size

168KB
MD5

829e2ab0eecbc2a0e6de507194e6baa5
SHA1

21620f26a55012290bcf1384106861d0616f3459
SHA256

a5ae13e9881edb845cb1be040db949fddee0304a777817ff2c1e759dd9b9fd3e
SHA512

caaa29532c92ea737d6015b9e66dee543b54deec9136f59bd847bb0fbfe54935afdfc1065a316657b72ff803021a10ccf0a7622d69cacc35639fa210c2d253d1
SSDEEP

1536:1EGh0o1lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o1lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{0B2759A2-5342-422a-97BB-A66ED689548D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{080367F5-F710-4314-BCEF-614735E83E25}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5C66C015-6618-4640-8035-171C4B247556}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{33C89405-DD53-48e5-845C-101E54F0077E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C17E32A9-F295-43b1-8AA9-27CDD21B28FC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}.exe{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe{33C89405-DD53-48e5-845C-101E54F0077E}.exe{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe{0B2759A2-5342-422a-97BB-A66ED689548D}.exe{080367F5-F710-4314-BCEF-614735E83E25}.exe{5C66C015-6618-4640-8035-171C4B247556}.exe2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}	{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}\stubpath = "C:\\Windows\\{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}.exe"	{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}\stubpath = "C:\\Windows\\{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe"	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33C89405-DD53-48e5-845C-101E54F0077E}\stubpath = "C:\\Windows\\{33C89405-DD53-48e5-845C-101E54F0077E}.exe"	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{052C7F9F-A9CC-4f93-AB1A-953134265086}\stubpath = "C:\\Windows\\{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe"	{33C89405-DD53-48e5-845C-101E54F0077E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}	{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}\stubpath = "C:\\Windows\\{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}.exe"	{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33C89405-DD53-48e5-845C-101E54F0077E}	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C66C015-6618-4640-8035-171C4B247556}\stubpath = "C:\\Windows\\{5C66C015-6618-4640-8035-171C4B247556}.exe"	{080367F5-F710-4314-BCEF-614735E83E25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}	{5C66C015-6618-4640-8035-171C4B247556}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{052C7F9F-A9CC-4f93-AB1A-953134265086}	{33C89405-DD53-48e5-845C-101E54F0077E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B2759A2-5342-422a-97BB-A66ED689548D}	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{080367F5-F710-4314-BCEF-614735E83E25}\stubpath = "C:\\Windows\\{080367F5-F710-4314-BCEF-614735E83E25}.exe"	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{080367F5-F710-4314-BCEF-614735E83E25}	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C66C015-6618-4640-8035-171C4B247556}	{080367F5-F710-4314-BCEF-614735E83E25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}\stubpath = "C:\\Windows\\{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe"	{5C66C015-6618-4640-8035-171C4B247556}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C17E32A9-F295-43b1-8AA9-27CDD21B28FC}	{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C17E32A9-F295-43b1-8AA9-27CDD21B28FC}\stubpath = "C:\\Windows\\{C17E32A9-F295-43b1-8AA9-27CDD21B28FC}.exe"	{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B2759A2-5342-422a-97BB-A66ED689548D}\stubpath = "C:\\Windows\\{0B2759A2-5342-422a-97BB-A66ED689548D}.exe"	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}\stubpath = "C:\\Windows\\{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe"	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2992 cmd.exe

pid	process
2992	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{0B2759A2-5342-422a-97BB-A66ED689548D}.exe{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe{080367F5-F710-4314-BCEF-614735E83E25}.exe{5C66C015-6618-4640-8035-171C4B247556}.exe{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe{33C89405-DD53-48e5-845C-101E54F0077E}.exe{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}.exe{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}.exe{C17E32A9-F295-43b1-8AA9-27CDD21B28FC}.exe

pid	process
2212	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe
2672	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe
2592	{080367F5-F710-4314-BCEF-614735E83E25}.exe
2044	{5C66C015-6618-4640-8035-171C4B247556}.exe
2720	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe
2160	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe
308	{33C89405-DD53-48e5-845C-101E54F0077E}.exe
540	{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe
2296	{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}.exe
2412	{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}.exe
780	{C17E32A9-F295-43b1-8AA9-27CDD21B28FC}.exe

Drops file in Windows directory 11 IoCs

Processes:

2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe{0B2759A2-5342-422a-97BB-A66ED689548D}.exe{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe{5C66C015-6618-4640-8035-171C4B247556}.exe{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}.exe{080367F5-F710-4314-BCEF-614735E83E25}.exe{33C89405-DD53-48e5-845C-101E54F0077E}.exe{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}.exe

description	ioc	process
File created	C:\Windows\{0B2759A2-5342-422a-97BB-A66ED689548D}.exe	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe
File created	C:\Windows\{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe
File created	C:\Windows\{080367F5-F710-4314-BCEF-614735E83E25}.exe	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe
File created	C:\Windows\{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe	{5C66C015-6618-4640-8035-171C4B247556}.exe
File created	C:\Windows\{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe
File created	C:\Windows\{33C89405-DD53-48e5-845C-101E54F0077E}.exe	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe
File created	C:\Windows\{C17E32A9-F295-43b1-8AA9-27CDD21B28FC}.exe	{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}.exe
File created	C:\Windows\{5C66C015-6618-4640-8035-171C4B247556}.exe	{080367F5-F710-4314-BCEF-614735E83E25}.exe
File created	C:\Windows\{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe	{33C89405-DD53-48e5-845C-101E54F0077E}.exe
File created	C:\Windows\{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}.exe	{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe
File created	C:\Windows\{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}.exe	{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe{0B2759A2-5342-422a-97BB-A66ED689548D}.exe{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe{080367F5-F710-4314-BCEF-614735E83E25}.exe{5C66C015-6618-4640-8035-171C4B247556}.exe{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe{33C89405-DD53-48e5-845C-101E54F0077E}.exe{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}.exe{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2756	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2212	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe
Token: SeIncBasePriorityPrivilege	2672	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe
Token: SeIncBasePriorityPrivilege	2592	{080367F5-F710-4314-BCEF-614735E83E25}.exe
Token: SeIncBasePriorityPrivilege	2044	{5C66C015-6618-4640-8035-171C4B247556}.exe
Token: SeIncBasePriorityPrivilege	2720	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe
Token: SeIncBasePriorityPrivilege	2160	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe
Token: SeIncBasePriorityPrivilege	308	{33C89405-DD53-48e5-845C-101E54F0077E}.exe
Token: SeIncBasePriorityPrivilege	540	{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe
Token: SeIncBasePriorityPrivilege	2296	{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}.exe
Token: SeIncBasePriorityPrivilege	2412	{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2756 wrote to memory of 2212	2756	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe
PID 2756 wrote to memory of 2212	2756	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe
PID 2756 wrote to memory of 2212	2756	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe
PID 2756 wrote to memory of 2212	2756	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe
PID 2756 wrote to memory of 2992	2756	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe	cmd.exe
PID 2756 wrote to memory of 2992	2756	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe	cmd.exe
PID 2756 wrote to memory of 2992	2756	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe	cmd.exe
PID 2756 wrote to memory of 2992	2756	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe	cmd.exe
PID 2212 wrote to memory of 2672	2212	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe
PID 2212 wrote to memory of 2672	2212	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe
PID 2212 wrote to memory of 2672	2212	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe
PID 2212 wrote to memory of 2672	2212	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe
PID 2212 wrote to memory of 2560	2212	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe	cmd.exe
PID 2212 wrote to memory of 2560	2212	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe	cmd.exe
PID 2212 wrote to memory of 2560	2212	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe	cmd.exe
PID 2212 wrote to memory of 2560	2212	{0B2759A2-5342-422a-97BB-A66ED689548D}.exe	cmd.exe
PID 2672 wrote to memory of 2592	2672	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe	{080367F5-F710-4314-BCEF-614735E83E25}.exe
PID 2672 wrote to memory of 2592	2672	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe	{080367F5-F710-4314-BCEF-614735E83E25}.exe
PID 2672 wrote to memory of 2592	2672	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe	{080367F5-F710-4314-BCEF-614735E83E25}.exe
PID 2672 wrote to memory of 2592	2672	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe	{080367F5-F710-4314-BCEF-614735E83E25}.exe
PID 2672 wrote to memory of 2768	2672	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe	cmd.exe
PID 2672 wrote to memory of 2768	2672	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe	cmd.exe
PID 2672 wrote to memory of 2768	2672	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe	cmd.exe
PID 2672 wrote to memory of 2768	2672	{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe	cmd.exe
PID 2592 wrote to memory of 2044	2592	{080367F5-F710-4314-BCEF-614735E83E25}.exe	{5C66C015-6618-4640-8035-171C4B247556}.exe
PID 2592 wrote to memory of 2044	2592	{080367F5-F710-4314-BCEF-614735E83E25}.exe	{5C66C015-6618-4640-8035-171C4B247556}.exe
PID 2592 wrote to memory of 2044	2592	{080367F5-F710-4314-BCEF-614735E83E25}.exe	{5C66C015-6618-4640-8035-171C4B247556}.exe
PID 2592 wrote to memory of 2044	2592	{080367F5-F710-4314-BCEF-614735E83E25}.exe	{5C66C015-6618-4640-8035-171C4B247556}.exe
PID 2592 wrote to memory of 500	2592	{080367F5-F710-4314-BCEF-614735E83E25}.exe	cmd.exe
PID 2592 wrote to memory of 500	2592	{080367F5-F710-4314-BCEF-614735E83E25}.exe	cmd.exe
PID 2592 wrote to memory of 500	2592	{080367F5-F710-4314-BCEF-614735E83E25}.exe	cmd.exe
PID 2592 wrote to memory of 500	2592	{080367F5-F710-4314-BCEF-614735E83E25}.exe	cmd.exe
PID 2044 wrote to memory of 2720	2044	{5C66C015-6618-4640-8035-171C4B247556}.exe	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe
PID 2044 wrote to memory of 2720	2044	{5C66C015-6618-4640-8035-171C4B247556}.exe	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe
PID 2044 wrote to memory of 2720	2044	{5C66C015-6618-4640-8035-171C4B247556}.exe	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe
PID 2044 wrote to memory of 2720	2044	{5C66C015-6618-4640-8035-171C4B247556}.exe	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe
PID 2044 wrote to memory of 2780	2044	{5C66C015-6618-4640-8035-171C4B247556}.exe	cmd.exe
PID 2044 wrote to memory of 2780	2044	{5C66C015-6618-4640-8035-171C4B247556}.exe	cmd.exe
PID 2044 wrote to memory of 2780	2044	{5C66C015-6618-4640-8035-171C4B247556}.exe	cmd.exe
PID 2044 wrote to memory of 2780	2044	{5C66C015-6618-4640-8035-171C4B247556}.exe	cmd.exe
PID 2720 wrote to memory of 2160	2720	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe
PID 2720 wrote to memory of 2160	2720	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe
PID 2720 wrote to memory of 2160	2720	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe
PID 2720 wrote to memory of 2160	2720	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe
PID 2720 wrote to memory of 1996	2720	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe	cmd.exe
PID 2720 wrote to memory of 1996	2720	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe	cmd.exe
PID 2720 wrote to memory of 1996	2720	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe	cmd.exe
PID 2720 wrote to memory of 1996	2720	{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe	cmd.exe
PID 2160 wrote to memory of 308	2160	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe	{33C89405-DD53-48e5-845C-101E54F0077E}.exe
PID 2160 wrote to memory of 308	2160	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe	{33C89405-DD53-48e5-845C-101E54F0077E}.exe
PID 2160 wrote to memory of 308	2160	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe	{33C89405-DD53-48e5-845C-101E54F0077E}.exe
PID 2160 wrote to memory of 308	2160	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe	{33C89405-DD53-48e5-845C-101E54F0077E}.exe
PID 2160 wrote to memory of 2256	2160	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe	cmd.exe
PID 2160 wrote to memory of 2256	2160	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe	cmd.exe
PID 2160 wrote to memory of 2256	2160	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe	cmd.exe
PID 2160 wrote to memory of 2256	2160	{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe	cmd.exe
PID 308 wrote to memory of 540	308	{33C89405-DD53-48e5-845C-101E54F0077E}.exe	{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe
PID 308 wrote to memory of 540	308	{33C89405-DD53-48e5-845C-101E54F0077E}.exe	{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe
PID 308 wrote to memory of 540	308	{33C89405-DD53-48e5-845C-101E54F0077E}.exe	{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe
PID 308 wrote to memory of 540	308	{33C89405-DD53-48e5-845C-101E54F0077E}.exe	{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe
PID 308 wrote to memory of 2216	308	{33C89405-DD53-48e5-845C-101E54F0077E}.exe	cmd.exe
PID 308 wrote to memory of 2216	308	{33C89405-DD53-48e5-845C-101E54F0077E}.exe	cmd.exe
PID 308 wrote to memory of 2216	308	{33C89405-DD53-48e5-845C-101E54F0077E}.exe	cmd.exe
PID 308 wrote to memory of 2216	308	{33C89405-DD53-48e5-845C-101E54F0077E}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\{0B2759A2-5342-422a-97BB-A66ED689548D}.exe
C:\Windows\{0B2759A2-5342-422a-97BB-A66ED689548D}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe
C:\Windows\{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\{080367F5-F710-4314-BCEF-614735E83E25}.exe
C:\Windows\{080367F5-F710-4314-BCEF-614735E83E25}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\{5C66C015-6618-4640-8035-171C4B247556}.exe
C:\Windows\{5C66C015-6618-4640-8035-171C4B247556}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe
C:\Windows\{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe
C:\Windows\{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\{33C89405-DD53-48e5-845C-101E54F0077E}.exe
C:\Windows\{33C89405-DD53-48e5-845C-101E54F0077E}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe
C:\Windows\{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}.exe
C:\Windows\{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}.exe
C:\Windows\{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\{C17E32A9-F295-43b1-8AA9-27CDD21B28FC}.exe
C:\Windows\{C17E32A9-F295-43b1-8AA9-27CDD21B28FC}.exe
12⤵
- Executes dropped EXE
PID:780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DE350~1.EXE > nul
12⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4C2B7~1.EXE > nul
11⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{052C7~1.EXE > nul
10⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{33C89~1.EXE > nul
9⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{183C1~1.EXE > nul
8⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{21A3E~1.EXE > nul
7⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5C66C~1.EXE > nul
6⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{08036~1.EXE > nul
5⤵
PID:500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{17EB2~1.EXE > nul
4⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0B275~1.EXE > nul
3⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2992

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{052C7F9F-A9CC-4f93-AB1A-953134265086}.exe
Filesize
168KB

MD5
5c97aa2bf4cd0ebd545d477aba10e6d7

SHA1
00a9dda7aca69630b12ce52c763e43de9268e92b

SHA256
2e1c62a1cb14b3632874071c7c7559b32fc8c2bd99ba4a020f631defe71d71ba

SHA512
c271c6c6dc96f67aa3f25cd316e80eaf0f04143df683c5791c18a666e3a678a4cbadea450b1350a6f0944ba933094a3e003d28fb4a2d409b2b6c7399f2e67570

Download Submit
C:\Windows\{080367F5-F710-4314-BCEF-614735E83E25}.exe
Filesize
168KB

MD5
5fe32583754db4060b505da6b4dc93a8

SHA1
fa60da03a41d5b3e6d7ab47062dfa083eca3347a

SHA256
583317d318376f673a3db1402e8409debe0dc36b5cc8df501398780bd7073a21

SHA512
c52024bcd92da90e944159ea28d83c552dabd5902138bf00c7b0d8ddd0f8d652b37072f4699f2259e388e12f459c7cccf712c86f7393971f840467e5936c9cd4

Download Submit
C:\Windows\{0B2759A2-5342-422a-97BB-A66ED689548D}.exe
Filesize
168KB

MD5
5ec205d10c43802a1179350ebd275dac

SHA1
629c0bc5ffefaa4c8ce794421c7507113613d9c7

SHA256
61ad81877e35369152520544d8a5f4b0161857d3c43a8d8be2b8fb39535306f4

SHA512
8aef8b462f76fc2685066bd42b211d4a17519633e17e40a1125ba45f6ff2ac95e547cf0e98a917eb6e2cbf3e161c45838fdf448d6b9dcc841a148e25566d7378

Download Submit
C:\Windows\{17EB2BC1-FD01-4f4d-9E87-E97DA98CFDC0}.exe
Filesize
168KB

MD5
dd849ac00406fc1cfd1334b534912b0f

SHA1
140f9caf055027acfe3a6a8fd6cac4dd47e0d68c

SHA256
ae28560b9769ed77c2227c37830d86b801d8903b9841f5b080958bec87604468

SHA512
ba5e4ad82cf38fe5fadd9345db00c4286e16a4b8368908069cc9391bc81fae36c0e92b202ed3622f52f2b148260e450f018924e79e3ae8120525dba29adbc170

Download Submit
C:\Windows\{183C1F51-D27D-4ed4-A66E-36ABFE92F0C2}.exe
Filesize
168KB

MD5
a4c3c74d596b31223804eed5bfafa80d

SHA1
62c810c6059174751c50034e754edd60d3a72d74

SHA256
c225432619925deb97d6ac55b3178f61d8d0f6a82ee730a4eebe383b04fae3dd

SHA512
2ef4acd59da87ff8278aea09e63ae4a6c99ff7bca5d81541e83f949d8608b9ce437c7a754bd9ddf120a93737e80f22cced6a76d10a4ba824e3b085b4f8b4fc04

Download Submit
C:\Windows\{21A3E915-6FA5-4b06-9ACB-F6CD1F05E534}.exe
Filesize
168KB

MD5
e1685462d509162e812014bc3f0c93ce

SHA1
ad09a44e4372a5efec156c6b016649ef5f82ba35

SHA256
b7c10455741a17bcc058ab9962ad400019e7672010b73e48b0f53215ef1186f1

SHA512
a90ca05879fd36f8aca4e09f98c00797385123bf2160a0e273132fd8f19ccddb8383b10fdc8967f848e87548a67ba563439af622bb080b024c1f4091ab537585

Download Submit
C:\Windows\{33C89405-DD53-48e5-845C-101E54F0077E}.exe
Filesize
168KB

MD5
65cc78258eb81d3fd2c1d31f890dc2e2

SHA1
48ab4f7ccc933a7461071fefea01a36359ef8f51

SHA256
26bda5c6a7ecc6554e1ace30be1ee15885dca44257fbe5d42cb499c372d50029

SHA512
851ef46e595441b55c31bde0a8344f91bda45486265a0f48d36f32767981784ea71b9957deee8811e7371c454ed2fbf58ac67281c18abfdd23feda8a5932e8f8

Download Submit
C:\Windows\{4C2B7A8E-534D-47c1-8BD3-03921AD8CC33}.exe
Filesize
168KB

MD5
0f0e4e3d093442a806412da56e1697e4

SHA1
97058613696c06837c28bf727d743204137e1441

SHA256
d2f840c0bdee68b75d2dac25b66deff777146ea4c758202aa408b0cfb3be689f

SHA512
aae5dfc17440ad25f3fcbd826d43d6b58c6e78867f783e6597a8757005286bfe9ca830efd84409819b5d64b6acb3c0345273f4484e0f840ccf6084afbcfe4661

Download Submit
C:\Windows\{5C66C015-6618-4640-8035-171C4B247556}.exe
Filesize
168KB

MD5
3a74702cf5459d67b213e4b5f565973b

SHA1
863d7f60deebc775489cdcb6bad04d65f7aa4cfe

SHA256
65cd048c8553c5985320a2a4606f6992916c47e3a40159e7d1307995d18fa6dc

SHA512
325a425d387980c1ab9d8cdfc98bbf9e5997728620c09641df469d811853478bcb44b4d2a7380b48ef03df46bc9e45bc34263aa554208a32824aaf02a91565dc

Download Submit
C:\Windows\{C17E32A9-F295-43b1-8AA9-27CDD21B28FC}.exe
Filesize
168KB

MD5
a4d1d7b0a71b6001bec9ebd56a79d4c3

SHA1
48a7a247dde442bf76a5ea57aa5fa00ff6220509

SHA256
6998833a2f98b28e818cde5dc88983e536a28a2c9b226a12484d6c8b879e5f64

SHA512
f5da6700e14bdccca0115fcaee390c4299dc3ccc29fe081fdb1add1203d6c8fac9032ae05d60b4cfe25ac2264c6c4290fbc343638887534de8e0ad1262ec572d

Download Submit
C:\Windows\{DE350731-ADFF-4afe-BA32-C0A8A6ECA105}.exe
Filesize
168KB

MD5
14dc1f930e38f4274870459341addcd2

SHA1
09ac1415599df02ec09df50ff154d2193c2dfdc2

SHA256
59743b9840632fb40180c4d1382f9fcbaf800908c6a60825f614e2c810f74af4

SHA512
8e75e044afb23d3fc8256e73d8dbe2393462c79ebd5e62b17e3ce5570473b8b6bc7ea8fd5ea63fd6912333368ef02fcf95c014e4cc5e92d6c0accd0df7d87daa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads