a5ae13e9881edb845cb1be040db949fddee0304a777817ff2c1e759dd9b9fd3e

Analysis

max time kernel
149s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe
Size

168KB
MD5

829e2ab0eecbc2a0e6de507194e6baa5
SHA1

21620f26a55012290bcf1384106861d0616f3459
SHA256

a5ae13e9881edb845cb1be040db949fddee0304a777817ff2c1e759dd9b9fd3e
SHA512

caaa29532c92ea737d6015b9e66dee543b54deec9136f59bd847bb0fbfe54935afdfc1065a316657b72ff803021a10ccf0a7622d69cacc35639fa210c2d253d1
SSDEEP

1536:1EGh0o1lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o1lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0C462764-6849-4794-A259-510C8A7B6071}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{35AEF626-2B81-4a2e-A950-4481B6350572}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4F7EF830-BA78-43f2-A506-43A4DCA64087}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe{0C462764-6849-4794-A259-510C8A7B6071}.exe{35AEF626-2B81-4a2e-A950-4481B6350572}.exe{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35AEF626-2B81-4a2e-A950-4481B6350572}\stubpath = "C:\\Windows\\{35AEF626-2B81-4a2e-A950-4481B6350572}.exe"	{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F7EF830-BA78-43f2-A506-43A4DCA64087}	{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}	{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}\stubpath = "C:\\Windows\\{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe"	{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF303D8E-395F-413f-A22F-869A258EFEB0}	{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C462764-6849-4794-A259-510C8A7B6071}\stubpath = "C:\\Windows\\{0C462764-6849-4794-A259-510C8A7B6071}.exe"	{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9D496BC-7541-412b-8D79-0B534A10A7EF}	{0C462764-6849-4794-A259-510C8A7B6071}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9D496BC-7541-412b-8D79-0B534A10A7EF}\stubpath = "C:\\Windows\\{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe"	{0C462764-6849-4794-A259-510C8A7B6071}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}	{35AEF626-2B81-4a2e-A950-4481B6350572}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}\stubpath = "C:\\Windows\\{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe"	{35AEF626-2B81-4a2e-A950-4481B6350572}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FD0896B-81CA-41b0-8E50-5B4285C88A26}	{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}\stubpath = "C:\\Windows\\{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe"	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6925CDE-0B12-4248-BACE-55B3B6B03036}	{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6925CDE-0B12-4248-BACE-55B3B6B03036}\stubpath = "C:\\Windows\\{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe"	{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}\stubpath = "C:\\Windows\\{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe"	{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}	{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35AEF626-2B81-4a2e-A950-4481B6350572}	{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F7EF830-BA78-43f2-A506-43A4DCA64087}\stubpath = "C:\\Windows\\{4F7EF830-BA78-43f2-A506-43A4DCA64087}.exe"	{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF303D8E-395F-413f-A22F-869A258EFEB0}\stubpath = "C:\\Windows\\{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe"	{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C462764-6849-4794-A259-510C8A7B6071}	{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}	{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}\stubpath = "C:\\Windows\\{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe"	{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FD0896B-81CA-41b0-8E50-5B4285C88A26}\stubpath = "C:\\Windows\\{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe"	{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe

Executes dropped EXE 12 IoCs

Processes:

{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe{0C462764-6849-4794-A259-510C8A7B6071}.exe{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe{35AEF626-2B81-4a2e-A950-4481B6350572}.exe{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe{4F7EF830-BA78-43f2-A506-43A4DCA64087}.exe

pid	process
3812	{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe
1612	{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe
4540	{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe
4316	{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe
5036	{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe
2128	{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe
3840	{0C462764-6849-4794-A259-510C8A7B6071}.exe
4620	{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe
1924	{35AEF626-2B81-4a2e-A950-4481B6350572}.exe
3176	{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe
928	{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe
4552	{4F7EF830-BA78-43f2-A506-43A4DCA64087}.exe

Drops file in Windows directory 12 IoCs

Processes:

{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe{0C462764-6849-4794-A259-510C8A7B6071}.exe{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe{35AEF626-2B81-4a2e-A950-4481B6350572}.exe{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe

description	ioc	process
File created	C:\Windows\{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe	{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe
File created	C:\Windows\{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe	{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe
File created	C:\Windows\{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe	{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe
File created	C:\Windows\{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe	{0C462764-6849-4794-A259-510C8A7B6071}.exe
File created	C:\Windows\{35AEF626-2B81-4a2e-A950-4481B6350572}.exe	{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe
File created	C:\Windows\{4F7EF830-BA78-43f2-A506-43A4DCA64087}.exe	{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe
File created	C:\Windows\{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe	{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe
File created	C:\Windows\{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe	{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe
File created	C:\Windows\{0C462764-6849-4794-A259-510C8A7B6071}.exe	{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe
File created	C:\Windows\{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe	{35AEF626-2B81-4a2e-A950-4481B6350572}.exe
File created	C:\Windows\{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe	{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe
File created	C:\Windows\{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe{0C462764-6849-4794-A259-510C8A7B6071}.exe{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe{35AEF626-2B81-4a2e-A950-4481B6350572}.exe{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	836	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3812	{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe
Token: SeIncBasePriorityPrivilege	1612	{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe
Token: SeIncBasePriorityPrivilege	4540	{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe
Token: SeIncBasePriorityPrivilege	4316	{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe
Token: SeIncBasePriorityPrivilege	5036	{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe
Token: SeIncBasePriorityPrivilege	2128	{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe
Token: SeIncBasePriorityPrivilege	3840	{0C462764-6849-4794-A259-510C8A7B6071}.exe
Token: SeIncBasePriorityPrivilege	4620	{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe
Token: SeIncBasePriorityPrivilege	1924	{35AEF626-2B81-4a2e-A950-4481B6350572}.exe
Token: SeIncBasePriorityPrivilege	3176	{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe
Token: SeIncBasePriorityPrivilege	928	{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 836 wrote to memory of 3812	836	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe	{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe
PID 836 wrote to memory of 3812	836	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe	{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe
PID 836 wrote to memory of 3812	836	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe	{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe
PID 836 wrote to memory of 3556	836	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe	cmd.exe
PID 836 wrote to memory of 3556	836	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe	cmd.exe
PID 836 wrote to memory of 3556	836	2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe	cmd.exe
PID 3812 wrote to memory of 1612	3812	{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe	{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe
PID 3812 wrote to memory of 1612	3812	{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe	{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe
PID 3812 wrote to memory of 1612	3812	{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe	{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe
PID 3812 wrote to memory of 5108	3812	{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe	cmd.exe
PID 3812 wrote to memory of 5108	3812	{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe	cmd.exe
PID 3812 wrote to memory of 5108	3812	{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe	cmd.exe
PID 1612 wrote to memory of 4540	1612	{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe	{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe
PID 1612 wrote to memory of 4540	1612	{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe	{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe
PID 1612 wrote to memory of 4540	1612	{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe	{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe
PID 1612 wrote to memory of 3608	1612	{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe	cmd.exe
PID 1612 wrote to memory of 3608	1612	{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe	cmd.exe
PID 1612 wrote to memory of 3608	1612	{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe	cmd.exe
PID 4540 wrote to memory of 4316	4540	{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe	{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe
PID 4540 wrote to memory of 4316	4540	{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe	{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe
PID 4540 wrote to memory of 4316	4540	{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe	{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe
PID 4540 wrote to memory of 2616	4540	{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe	cmd.exe
PID 4540 wrote to memory of 2616	4540	{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe	cmd.exe
PID 4540 wrote to memory of 2616	4540	{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe	cmd.exe
PID 4316 wrote to memory of 5036	4316	{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe	{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe
PID 4316 wrote to memory of 5036	4316	{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe	{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe
PID 4316 wrote to memory of 5036	4316	{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe	{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe
PID 4316 wrote to memory of 2104	4316	{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe	cmd.exe
PID 4316 wrote to memory of 2104	4316	{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe	cmd.exe
PID 4316 wrote to memory of 2104	4316	{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe	cmd.exe
PID 5036 wrote to memory of 2128	5036	{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe	{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe
PID 5036 wrote to memory of 2128	5036	{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe	{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe
PID 5036 wrote to memory of 2128	5036	{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe	{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe
PID 5036 wrote to memory of 2800	5036	{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe	cmd.exe
PID 5036 wrote to memory of 2800	5036	{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe	cmd.exe
PID 5036 wrote to memory of 2800	5036	{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe	cmd.exe
PID 2128 wrote to memory of 3840	2128	{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe	{0C462764-6849-4794-A259-510C8A7B6071}.exe
PID 2128 wrote to memory of 3840	2128	{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe	{0C462764-6849-4794-A259-510C8A7B6071}.exe
PID 2128 wrote to memory of 3840	2128	{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe	{0C462764-6849-4794-A259-510C8A7B6071}.exe
PID 2128 wrote to memory of 4836	2128	{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe	cmd.exe
PID 2128 wrote to memory of 4836	2128	{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe	cmd.exe
PID 2128 wrote to memory of 4836	2128	{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe	cmd.exe
PID 3840 wrote to memory of 4620	3840	{0C462764-6849-4794-A259-510C8A7B6071}.exe	{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe
PID 3840 wrote to memory of 4620	3840	{0C462764-6849-4794-A259-510C8A7B6071}.exe	{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe
PID 3840 wrote to memory of 4620	3840	{0C462764-6849-4794-A259-510C8A7B6071}.exe	{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe
PID 3840 wrote to memory of 3376	3840	{0C462764-6849-4794-A259-510C8A7B6071}.exe	cmd.exe
PID 3840 wrote to memory of 3376	3840	{0C462764-6849-4794-A259-510C8A7B6071}.exe	cmd.exe
PID 3840 wrote to memory of 3376	3840	{0C462764-6849-4794-A259-510C8A7B6071}.exe	cmd.exe
PID 4620 wrote to memory of 1924	4620	{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe	{35AEF626-2B81-4a2e-A950-4481B6350572}.exe
PID 4620 wrote to memory of 1924	4620	{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe	{35AEF626-2B81-4a2e-A950-4481B6350572}.exe
PID 4620 wrote to memory of 1924	4620	{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe	{35AEF626-2B81-4a2e-A950-4481B6350572}.exe
PID 4620 wrote to memory of 4360	4620	{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe	cmd.exe
PID 4620 wrote to memory of 4360	4620	{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe	cmd.exe
PID 4620 wrote to memory of 4360	4620	{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe	cmd.exe
PID 1924 wrote to memory of 3176	1924	{35AEF626-2B81-4a2e-A950-4481B6350572}.exe	{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe
PID 1924 wrote to memory of 3176	1924	{35AEF626-2B81-4a2e-A950-4481B6350572}.exe	{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe
PID 1924 wrote to memory of 3176	1924	{35AEF626-2B81-4a2e-A950-4481B6350572}.exe	{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe
PID 1924 wrote to memory of 368	1924	{35AEF626-2B81-4a2e-A950-4481B6350572}.exe	cmd.exe
PID 1924 wrote to memory of 368	1924	{35AEF626-2B81-4a2e-A950-4481B6350572}.exe	cmd.exe
PID 1924 wrote to memory of 368	1924	{35AEF626-2B81-4a2e-A950-4481B6350572}.exe	cmd.exe
PID 3176 wrote to memory of 928	3176	{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe	{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe
PID 3176 wrote to memory of 928	3176	{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe	{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe
PID 3176 wrote to memory of 928	3176	{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe	{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe
PID 3176 wrote to memory of 4140	3176	{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_829e2ab0eecbc2a0e6de507194e6baa5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe
C:\Windows\{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe
C:\Windows\{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe
C:\Windows\{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe
C:\Windows\{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe
C:\Windows\{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe
C:\Windows\{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\{0C462764-6849-4794-A259-510C8A7B6071}.exe
C:\Windows\{0C462764-6849-4794-A259-510C8A7B6071}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe
C:\Windows\{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\{35AEF626-2B81-4a2e-A950-4481B6350572}.exe
C:\Windows\{35AEF626-2B81-4a2e-A950-4481B6350572}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe
C:\Windows\{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe
C:\Windows\{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\{4F7EF830-BA78-43f2-A506-43A4DCA64087}.exe
C:\Windows\{4F7EF830-BA78-43f2-A506-43A4DCA64087}.exe
13⤵
- Executes dropped EXE
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{225AB~1.EXE > nul
13⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7528F~1.EXE > nul
12⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{35AEF~1.EXE > nul
11⤵
PID:368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E9D49~1.EXE > nul
10⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0C462~1.EXE > nul
9⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DF303~1.EXE > nul
8⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AEB6C~1.EXE > nul
7⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5FD08~1.EXE > nul
6⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F345E~1.EXE > nul
5⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D6925~1.EXE > nul
4⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6F475~1.EXE > nul
3⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:3556

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C462764-6849-4794-A259-510C8A7B6071}.exe
Filesize
168KB

MD5
e3643ec6a64647642ff46a5112de84d2

SHA1
8dd0af29671e3a475c94f18e0b9fe3630d6953f2

SHA256
ea3ef87237a0da849071214ae0aecea70a48acc7ec7a3e8eed39aa6888193aa2

SHA512
3e7c679ef7b75801fb98c6a53e281593400323f6fc723f1a8fee16b2c1ee1fec6f39535db0ac2b12caf670012b7907180bd0c707754fb6eaebe5e64fa0166aa6

Download Submit
C:\Windows\{225AB9D4-94BA-4b75-A82D-24E1DCE2B531}.exe
Filesize
168KB

MD5
60267f8e5a517f68764a542866f8e448

SHA1
e4dd06f4a76e9a6a6e627fa30e8a75a1ed906eef

SHA256
287e803ee384340019734e765d75d2628db75c2f76f484ae4b73ebcc0a7eb12b

SHA512
a97f473714833ac081391a69a8b1bd7c719cb88a819add9f47963ba7fbf61584f928f4aaf1846c612b0e21737f6a294f268c25c8f20d7f15ec00a45f4ea636f0

Download Submit
C:\Windows\{35AEF626-2B81-4a2e-A950-4481B6350572}.exe
Filesize
168KB

MD5
d2c9c735530ea6f22169091987359dc5

SHA1
7d9d7fd49119ee3f951d805c29a86c5c823b9067

SHA256
2a94dc46b6bf1cb396c7df15ffc28d754e8d409ff8561faba172e2d4f464620a

SHA512
b947998f4996f6c5702748d1871602b360b2ba1fe5777df55a21043a1c221bca1a05d4400fd392551134bb5fbb78caad6e3580f56132b27561cbe805cd626dad

Download Submit
C:\Windows\{4F7EF830-BA78-43f2-A506-43A4DCA64087}.exe
Filesize
168KB

MD5
1d17139c4d35a2c4ff15bc9bd1b4843d

SHA1
1239d0e56e40586f68bfd482e1afeb4d49e29459

SHA256
26bbe0fca9040618a10c4664a2c36cd51daf53d58c79b7d6b82e03d5ec99c47d

SHA512
b4e0c34ffef39d31a70f8f55f7c34196f9571048749a31ea3b9594df16c589750d98d18b0c2612401b31fa5cd6022fe6d364d43806786800287125e8519a2834

Download Submit
C:\Windows\{5FD0896B-81CA-41b0-8E50-5B4285C88A26}.exe
Filesize
168KB

MD5
e32140bd76804b2d9a94c39678b3478f

SHA1
cba60153b557b199a1e05525af0b8250c1304e3c

SHA256
beefc0ec3b1b76bb39f1a724c4401efae818a2b4aa9a81d9185ce37e9ab15803

SHA512
dfab4098d481cfe5c612a41369244ff2248461a67493b1f6c17c93b1eb7c7a36644d4bca0bfc8935949cc01aa849a8545c091d605eae68051ea86711d7617227

Download Submit
C:\Windows\{6F4755AA-6DA3-4c49-81A1-A026CAF475C3}.exe
Filesize
168KB

MD5
38fefa25337cd33fcd63b57f2956823a

SHA1
4a91edcf9dc22cf2e9f9f8227b1e3682e29e792c

SHA256
ec8fc33ccf8c52a5addf45e82387ad5b2338bf8f7ef974702e5528ed17f08a0f

SHA512
305aec7da77e35e0feb15ef9cfa1e137670b62bc56c3f07a4030ac64216ca2ba42fc56247bbdd4f9acfb33c274315d07658fc4278153043eb1d370dddf1c7e4d

Download Submit
C:\Windows\{7528F2CF-5DB9-4235-A3C7-A77F1B66E29B}.exe
Filesize
168KB

MD5
2e22afb4fb1fe3812adf063d99672474

SHA1
6f46a951ff5cc90ca03b1efbae54842c3cdfd6bb

SHA256
30f3773c2df9ef802aa1fa0f2d5e7676e1c85a64cde64e79091a3185131e5713

SHA512
753d18aeab87562506724c938f51f7ce88ac6bebe08e073d247c2b425f4e70240e4856611c874b53707f3f1a06c780d26ce0b33907c95d5d7a19b8739b7de786

Download Submit
C:\Windows\{AEB6C915-ACCC-4041-B0C3-3A7E7BA9183C}.exe
Filesize
168KB

MD5
eab38cb9c781ac3bba79aba4e55cbb96

SHA1
e1d9a84c3fe04a6782637441ea45111fb239c816

SHA256
d4f509aa981ef1c0cf553ec53b6fae294ba66cbbbacf9c72fc563969c78daeca

SHA512
f9a3dde70f334e3e5b5c58412ed3faaff3e3f62f088a8ae3ae7e00d483cc54f95eeb3c9fa4a32f76de98b646451309c5f0cf2b0cf48e33b315288d23d2287961

Download Submit
C:\Windows\{D6925CDE-0B12-4248-BACE-55B3B6B03036}.exe
Filesize
168KB

MD5
8139968aee90b221fe5cc6294e7db6df

SHA1
9248b963d26cc0ddc2627c1cbca803072ac2e3fc

SHA256
1db7f960fd5f9c2e38aa158aa3fccefe69c3756b9875c536f65225f79670143b

SHA512
d530bbcac823b481847497db5efc77265421aabb8e1e93f1552f70bdb7aa2903403cacaa0cb5287b074eb6d0cf5e450667b5833fc3d715e35ac0438e083ebd2e

Download Submit
C:\Windows\{DF303D8E-395F-413f-A22F-869A258EFEB0}.exe
Filesize
168KB

MD5
794affa6d434460cdfe18933f072a75f

SHA1
8eedfbc40532950cce5b23191680ca1a1b7a3acc

SHA256
4c57b87dd104a6d91eb006b126ff256ad05199150af0fa4fdc817a8ddbb516fb

SHA512
12f2b07d40d4f32776d63763175050e151402f2f8a10933b7a57d9f59d7da712b0ab0e1570a2eb2172bfe1ee092f706a04ff718976f9809e0f5f7f4c400de687

Download Submit
C:\Windows\{E9D496BC-7541-412b-8D79-0B534A10A7EF}.exe
Filesize
168KB

MD5
cac87cb0b0206f104b2595e29f3aeb70

SHA1
88699fb558cb714fb92a6478d4538d8952645681

SHA256
f93ab354540e21ce3ed8f4f568c9e9cfa2df1abfe5b09adfb80867fe83925257

SHA512
a1776900a49cb5fa8760546cdec4563e08da248fafe247777a4b9317a29b47a7ee82b1627a08ae2c5eeb9d75c92002053d282d8fdfafc524f03fc35c061168dc

Download Submit
C:\Windows\{F345E0A4-C1DC-4c5d-8A8E-7673EA18F620}.exe
Filesize
168KB

MD5
a634786b2904c440a2450a61fd961260

SHA1
e3e094ca8e3accb5927673cdb6a5e2524338edbb

SHA256
9f0b199030ad5b93129a36a124fa0e5ba6ae4d321e952e7f9dfdaa68413c373e

SHA512
0eea3332ce16ba12524faad53738fb29f4f0ef0511b6ce00e240a26568d7c4fca5b349926ab080cfdcad5bb3e62c4dfbde43938b226210dff5658ae4ff3cbe2c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads