f30d2da75b123622539ef3ad7551f6600328a2b35ed21520793912024ecfef15

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe
Size

204KB
MD5

8de7721085c2872c6457605cb8b3349e
SHA1

27f0ca2467eb8d86a28e35d355b6a781ce7a45a1
SHA256

f30d2da75b123622539ef3ad7551f6600328a2b35ed21520793912024ecfef15
SHA512

cb610a65ab30820486e2fc353bbaf63371a479b208ea3e5ffcd93423de9e5a736878b15302b50125f24691b771eca2acd921ac68fc5e5e1627c2a824940e1078
SSDEEP

1536:1EGh0oUl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oUl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D6BB7334-B930-4e9d-974B-CE355303678D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{883F0288-85B3-4e98-9029-456AA1176B8F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BC0B5D94-7929-480f-8696-51B78DB3E4B0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{843612BF-C1D1-4813-A8CC-8D38C2C10923}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FB10699A-7F6D-4df6-B005-9816718AF885}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe{BC0B5D94-7929-480f-8696-51B78DB3E4B0}.exe{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe{883F0288-85B3-4e98-9029-456AA1176B8F}.exe2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe{D6BB7334-B930-4e9d-974B-CE355303678D}.exe{843612BF-C1D1-4813-A8CC-8D38C2C10923}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}\stubpath = "C:\\Windows\\{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe"	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC0B5D94-7929-480f-8696-51B78DB3E4B0}\stubpath = "C:\\Windows\\{BC0B5D94-7929-480f-8696-51B78DB3E4B0}.exe"	{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{843612BF-C1D1-4813-A8CC-8D38C2C10923}\stubpath = "C:\\Windows\\{843612BF-C1D1-4813-A8CC-8D38C2C10923}.exe"	{BC0B5D94-7929-480f-8696-51B78DB3E4B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}\stubpath = "C:\\Windows\\{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe"	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{531CBA25-A160-41e7-BA6F-CBA50E468985}\stubpath = "C:\\Windows\\{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe"	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6BB7334-B930-4e9d-974B-CE355303678D}	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6BB7334-B930-4e9d-974B-CE355303678D}\stubpath = "C:\\Windows\\{D6BB7334-B930-4e9d-974B-CE355303678D}.exe"	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC0B5D94-7929-480f-8696-51B78DB3E4B0}	{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{843612BF-C1D1-4813-A8CC-8D38C2C10923}	{BC0B5D94-7929-480f-8696-51B78DB3E4B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53270E07-111C-450e-B07D-A3EC0CEF4CA5}	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{531CBA25-A160-41e7-BA6F-CBA50E468985}	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{883F0288-85B3-4e98-9029-456AA1176B8F}	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}\stubpath = "C:\\Windows\\{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe"	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB10699A-7F6D-4df6-B005-9816718AF885}	{843612BF-C1D1-4813-A8CC-8D38C2C10923}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53270E07-111C-450e-B07D-A3EC0CEF4CA5}\stubpath = "C:\\Windows\\{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe"	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}\stubpath = "C:\\Windows\\{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe"	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{883F0288-85B3-4e98-9029-456AA1176B8F}\stubpath = "C:\\Windows\\{883F0288-85B3-4e98-9029-456AA1176B8F}.exe"	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB10699A-7F6D-4df6-B005-9816718AF885}\stubpath = "C:\\Windows\\{FB10699A-7F6D-4df6-B005-9816718AF885}.exe"	{843612BF-C1D1-4813-A8CC-8D38C2C10923}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1796 cmd.exe

pid	process
1796	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe{D6BB7334-B930-4e9d-974B-CE355303678D}.exe{883F0288-85B3-4e98-9029-456AA1176B8F}.exe{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe{BC0B5D94-7929-480f-8696-51B78DB3E4B0}.exe{843612BF-C1D1-4813-A8CC-8D38C2C10923}.exe{FB10699A-7F6D-4df6-B005-9816718AF885}.exe

pid	process
2208	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe
2340	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe
2560	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe
2868	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe
1324	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe
1452	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe
2308	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe
1196	{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe
2872	{BC0B5D94-7929-480f-8696-51B78DB3E4B0}.exe
2120	{843612BF-C1D1-4813-A8CC-8D38C2C10923}.exe
1572	{FB10699A-7F6D-4df6-B005-9816718AF885}.exe

Drops file in Windows directory 11 IoCs

Processes:

{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe{BC0B5D94-7929-480f-8696-51B78DB3E4B0}.exe{843612BF-C1D1-4813-A8CC-8D38C2C10923}.exe{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe{D6BB7334-B930-4e9d-974B-CE355303678D}.exe{883F0288-85B3-4e98-9029-456AA1176B8F}.exe2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe

description	ioc	process
File created	C:\Windows\{BC0B5D94-7929-480f-8696-51B78DB3E4B0}.exe	{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe
File created	C:\Windows\{843612BF-C1D1-4813-A8CC-8D38C2C10923}.exe	{BC0B5D94-7929-480f-8696-51B78DB3E4B0}.exe
File created	C:\Windows\{FB10699A-7F6D-4df6-B005-9816718AF885}.exe	{843612BF-C1D1-4813-A8CC-8D38C2C10923}.exe
File created	C:\Windows\{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe
File created	C:\Windows\{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe
File created	C:\Windows\{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe
File created	C:\Windows\{D6BB7334-B930-4e9d-974B-CE355303678D}.exe	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe
File created	C:\Windows\{883F0288-85B3-4e98-9029-456AA1176B8F}.exe	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe
File created	C:\Windows\{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe
File created	C:\Windows\{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe
File created	C:\Windows\{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe{D6BB7334-B930-4e9d-974B-CE355303678D}.exe{883F0288-85B3-4e98-9029-456AA1176B8F}.exe{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe{BC0B5D94-7929-480f-8696-51B78DB3E4B0}.exe{843612BF-C1D1-4813-A8CC-8D38C2C10923}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1948	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2208	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe
Token: SeIncBasePriorityPrivilege	2340	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe
Token: SeIncBasePriorityPrivilege	2560	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe
Token: SeIncBasePriorityPrivilege	2868	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe
Token: SeIncBasePriorityPrivilege	1324	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe
Token: SeIncBasePriorityPrivilege	1452	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe
Token: SeIncBasePriorityPrivilege	2308	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe
Token: SeIncBasePriorityPrivilege	1196	{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe
Token: SeIncBasePriorityPrivilege	2872	{BC0B5D94-7929-480f-8696-51B78DB3E4B0}.exe
Token: SeIncBasePriorityPrivilege	2120	{843612BF-C1D1-4813-A8CC-8D38C2C10923}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1948 wrote to memory of 2208	1948	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe
PID 1948 wrote to memory of 2208	1948	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe
PID 1948 wrote to memory of 2208	1948	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe
PID 1948 wrote to memory of 2208	1948	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe
PID 1948 wrote to memory of 1796	1948	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe	cmd.exe
PID 1948 wrote to memory of 1796	1948	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe	cmd.exe
PID 1948 wrote to memory of 1796	1948	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe	cmd.exe
PID 1948 wrote to memory of 1796	1948	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe	cmd.exe
PID 2208 wrote to memory of 2340	2208	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe
PID 2208 wrote to memory of 2340	2208	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe
PID 2208 wrote to memory of 2340	2208	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe
PID 2208 wrote to memory of 2340	2208	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe
PID 2208 wrote to memory of 2396	2208	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe	cmd.exe
PID 2208 wrote to memory of 2396	2208	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe	cmd.exe
PID 2208 wrote to memory of 2396	2208	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe	cmd.exe
PID 2208 wrote to memory of 2396	2208	{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe	cmd.exe
PID 2340 wrote to memory of 2560	2340	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe
PID 2340 wrote to memory of 2560	2340	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe
PID 2340 wrote to memory of 2560	2340	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe
PID 2340 wrote to memory of 2560	2340	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe
PID 2340 wrote to memory of 2648	2340	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe	cmd.exe
PID 2340 wrote to memory of 2648	2340	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe	cmd.exe
PID 2340 wrote to memory of 2648	2340	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe	cmd.exe
PID 2340 wrote to memory of 2648	2340	{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe	cmd.exe
PID 2560 wrote to memory of 2868	2560	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe
PID 2560 wrote to memory of 2868	2560	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe
PID 2560 wrote to memory of 2868	2560	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe
PID 2560 wrote to memory of 2868	2560	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe
PID 2560 wrote to memory of 776	2560	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe	cmd.exe
PID 2560 wrote to memory of 776	2560	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe	cmd.exe
PID 2560 wrote to memory of 776	2560	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe	cmd.exe
PID 2560 wrote to memory of 776	2560	{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe	cmd.exe
PID 2868 wrote to memory of 1324	2868	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe
PID 2868 wrote to memory of 1324	2868	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe
PID 2868 wrote to memory of 1324	2868	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe
PID 2868 wrote to memory of 1324	2868	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe
PID 2868 wrote to memory of 2456	2868	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe	cmd.exe
PID 2868 wrote to memory of 2456	2868	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe	cmd.exe
PID 2868 wrote to memory of 2456	2868	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe	cmd.exe
PID 2868 wrote to memory of 2456	2868	{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe	cmd.exe
PID 1324 wrote to memory of 1452	1324	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe
PID 1324 wrote to memory of 1452	1324	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe
PID 1324 wrote to memory of 1452	1324	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe
PID 1324 wrote to memory of 1452	1324	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe
PID 1324 wrote to memory of 1516	1324	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe	cmd.exe
PID 1324 wrote to memory of 1516	1324	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe	cmd.exe
PID 1324 wrote to memory of 1516	1324	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe	cmd.exe
PID 1324 wrote to memory of 1516	1324	{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe	cmd.exe
PID 1452 wrote to memory of 2308	1452	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe
PID 1452 wrote to memory of 2308	1452	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe
PID 1452 wrote to memory of 2308	1452	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe
PID 1452 wrote to memory of 2308	1452	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe
PID 1452 wrote to memory of 2140	1452	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe	cmd.exe
PID 1452 wrote to memory of 2140	1452	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe	cmd.exe
PID 1452 wrote to memory of 2140	1452	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe	cmd.exe
PID 1452 wrote to memory of 2140	1452	{D6BB7334-B930-4e9d-974B-CE355303678D}.exe	cmd.exe
PID 2308 wrote to memory of 1196	2308	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe	{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe
PID 2308 wrote to memory of 1196	2308	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe	{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe
PID 2308 wrote to memory of 1196	2308	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe	{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe
PID 2308 wrote to memory of 1196	2308	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe	{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe
PID 2308 wrote to memory of 2040	2308	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe	cmd.exe
PID 2308 wrote to memory of 2040	2308	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe	cmd.exe
PID 2308 wrote to memory of 2040	2308	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe	cmd.exe
PID 2308 wrote to memory of 2040	2308	{883F0288-85B3-4e98-9029-456AA1176B8F}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe
C:\Windows\{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe
C:\Windows\{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe
C:\Windows\{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe
C:\Windows\{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe
C:\Windows\{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\{D6BB7334-B930-4e9d-974B-CE355303678D}.exe
C:\Windows\{D6BB7334-B930-4e9d-974B-CE355303678D}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\{883F0288-85B3-4e98-9029-456AA1176B8F}.exe
C:\Windows\{883F0288-85B3-4e98-9029-456AA1176B8F}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe
C:\Windows\{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\{BC0B5D94-7929-480f-8696-51B78DB3E4B0}.exe
C:\Windows\{BC0B5D94-7929-480f-8696-51B78DB3E4B0}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\{843612BF-C1D1-4813-A8CC-8D38C2C10923}.exe
C:\Windows\{843612BF-C1D1-4813-A8CC-8D38C2C10923}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\{FB10699A-7F6D-4df6-B005-9816718AF885}.exe
C:\Windows\{FB10699A-7F6D-4df6-B005-9816718AF885}.exe
12⤵
- Executes dropped EXE
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{84361~1.EXE > nul
12⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BC0B5~1.EXE > nul
11⤵
PID:484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EC9F7~1.EXE > nul
10⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{883F0~1.EXE > nul
9⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D6BB7~1.EXE > nul
8⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FE5D4~1.EXE > nul
7⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BEFB5~1.EXE > nul
6⤵
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{531CB~1.EXE > nul
5⤵
PID:776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7CD2C~1.EXE > nul
4⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{53270~1.EXE > nul
3⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:1796

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{531CBA25-A160-41e7-BA6F-CBA50E468985}.exe
Filesize
204KB

MD5
27eeb2609b1f9d1ee5715f72ab34db52

SHA1
c9e934b4168ab1140cc87c137af876af95e0e0fb

SHA256
32b370ce285f2f5304c57e7ffa7a20ea0fdacf731325877b0a412fa2753fe2d0

SHA512
910692d8295c6d6cfa41a4f0436174902e9be841e903013c6d3a55885b15e9ab060215c1f81e20c1511405f05b7efc2bf20229ce653d9277eb519593c1059439

Download Submit
C:\Windows\{53270E07-111C-450e-B07D-A3EC0CEF4CA5}.exe
Filesize
204KB

MD5
89210d276631447198fd3cc9e58c91fe

SHA1
7833ec33ddffd4fefba6962425b96921021393c9

SHA256
6830df85e5c85f3aa5d88a78d2e8fa73d928473192b1df3bb1815ffe78a7a423

SHA512
d214c63bb53cb1e83b8a201088b2629eb20d2060d3f4841df4ec2b30a28e188dfaff1eaad52dbfe8bf432a7b9d958b6c61d0e91e2abd83a293e3a75d10b54ab8

Download Submit
C:\Windows\{7CD2CA60-F70F-4ae4-8D3D-1E4060313949}.exe
Filesize
204KB

MD5
31bfec280e369328f9addb15a16b6751

SHA1
cd36841e0baa5b85754ed9d9524d5cb63aea624a

SHA256
55d72d65eff6607bc0729efe47146e6cadd2ca8b9a675dd38bb622bb2ec989b8

SHA512
206c4763c060d3204cb516dd634f02405b660c5ca84d3d4eb05288613780ea3b0152211569851905111ec6564a1ca2323f4d1580ba05cb06d004bb846f0f1584

Download Submit
C:\Windows\{843612BF-C1D1-4813-A8CC-8D38C2C10923}.exe
Filesize
204KB

MD5
709293f76d7e8ce7dc814e5d17d84d19

SHA1
0726b4753fb2ff342a70cb3d738e2728832f8782

SHA256
78831157e4dcac949196067e4a8d8e4e5386dee70e9cd8965f7085c4ac97198e

SHA512
7940f99f0ff324e24b7d88b23c90bab45afffa8c3d82c505d38800df622da2f3d36c74552b8427cd0ec98fa1406cadbde7dd52f05db7fa5854a6d6dde5aeecf5

Download Submit
C:\Windows\{883F0288-85B3-4e98-9029-456AA1176B8F}.exe
Filesize
204KB

MD5
a4293645c575a0ae79d579d59a397b3b

SHA1
b2bd339a4386610a85d77549ad72866f5e300af9

SHA256
ef1d670da63265a86096895f5dfa9e18ec16959754c5314c37f50774e71b908d

SHA512
31f216348dc20694fe7482c8176039f62703902077f73c5e20a38bbdb731cfe9b17fb8e701e54535699d18dc6c1b4304c50e52f08794aa0a8ecfa4ff52802018

Download Submit
C:\Windows\{BC0B5D94-7929-480f-8696-51B78DB3E4B0}.exe
Filesize
204KB

MD5
aee6dc8fc53c7196b7511ce6e109342b

SHA1
6d81693f445d1173a67c1933e70b6923423fdc26

SHA256
a06d4c80e4402eb493dc32b265698dfabf6254eb749eaa2290519b57070b2124

SHA512
2551048e78e4c1b38dd1e08ca7b090a7716c9561c7ba387af1f56fa99b67c1bb69c501e2731caf67db8b96762119dd206d6062e13b51f9f0aa52ca45c616df1d

Download Submit
C:\Windows\{BEFB5309-F70C-4f79-8FE3-80B13EF3DE90}.exe
Filesize
204KB

MD5
574f9bcf168af45ee53eadb26c791162

SHA1
f4f2001ccbabbf47c7f22399ae97fec56470b053

SHA256
5c2a5925c79af61f47dfa693dd3cbf1c4ec35fdbb94f9e103b56f4fb77f5dd3e

SHA512
886bcd783767256a1078553af25650a821cbf2ea977fc47edd23313fc46a88a2000314036afa08314d3871eb28e831a7eb311e95132e8b6883a69c97a014b879

Download Submit
C:\Windows\{D6BB7334-B930-4e9d-974B-CE355303678D}.exe
Filesize
204KB

MD5
447ffb8803fbd51dfcd52400862ef223

SHA1
beea9b9f5b3d82ed1de77709522866612da333ab

SHA256
53a7dc8f8f19522af0a4d0b3072f59d9f0caf15ca690a2264aa8d3a3f5a4645f

SHA512
f613173ef7084ef7f6021d1c32f62c78e583f97db58320beee98ccd844463b67ec4cd37a9d5d13a98fdfcbf275beab30d82f6b6b948b7aa15379cf82ba1f219b

Download Submit
C:\Windows\{EC9F7D9B-2CD4-47dc-8FD0-2C2540A5CE61}.exe
Filesize
204KB

MD5
0bf8008d1f35d298f0047d8a713352ce

SHA1
619351bcea92d4e873f8a7f2a954b701f3f1cea8

SHA256
ce138a4b28772180e3ec6b322ac1a5babfbc56d49ee0e90d12e96a38f92b6fe2

SHA512
e7f38afd07c15ea8af4e42836c16de2b6dffcc64e74575d7e296ca3bcdb69530dc21b7ef399f8995186cc3d77a2010ddae336323066f0dd364a772f5ba4962b8

Download Submit
C:\Windows\{FB10699A-7F6D-4df6-B005-9816718AF885}.exe
Filesize
204KB

MD5
8b3e255bffcec7455fedc5a80afb2e38

SHA1
f68334509dc78f46b35854a44cd837dd57b58c7b

SHA256
31b6862fab252e51f1528dc0fd6d139a37b291e325c8dcac0a3f62c2dc5954ee

SHA512
d2af91b8259cb2f0af07d254972cb43db3f1e9c6a8efa3661847ba6c8827b495f89f6f644e35178a3af28755c8517360433c9667898c710add587d9243238b93

Download Submit
C:\Windows\{FE5D4D3F-2C1D-4b53-9B77-DF600C107A11}.exe
Filesize
204KB

MD5
dc49a9d32b38a33796b1c0037ca49385

SHA1
5439df72bba3a25297afda70b92edb49bb4c49d0

SHA256
718c106aa2b584dd6c4d0434b2b74d121d99a18642d9a85eb01fc32006405c63

SHA512
af080384c4647e88e174a5c4e619c7400be8900c659abc92f554a619b428cca6d18cae8eef0dc0f6f7b6fe007765dd66682d0bd8dc1ca9176294a8bafa76fb9d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads