c183d123b2330a79b5896051ae082e6e3b34e9f27c0275f17718d9b6f38ff094

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe
Size

344KB
MD5

8ec1074d0c966760edd365860c93b42d
SHA1

4c9df09114993717e916be3462e3f6288f064adc
SHA256

c183d123b2330a79b5896051ae082e6e3b34e9f27c0275f17718d9b6f38ff094
SHA512

1eac1ef0720974a958e2a99d70bec42245840e2cfeccc5ffde7ca8477d38852aedf5c51d83d16fc75af90ca0d80a9924874092878a68c8a74e33933d6e747189
SSDEEP

3072:mEGh0oalEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGAlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{90617509-9017-4bab-9AE0-94630890E18B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A0931107-6C0E-4841-A562-07F67C133C7C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{55793141-0AF7-46f8-97D2-CDC252728745}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B74732E5-C225-4450-AD95-D5CB063C123B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2FB17D49-D6B0-4b8c-B816-21C05425F6CF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe{55793141-0AF7-46f8-97D2-CDC252728745}.exe{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe{90617509-9017-4bab-9AE0-94630890E18B}.exe{A0931107-6C0E-4841-A562-07F67C133C7C}.exe{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe{B74732E5-C225-4450-AD95-D5CB063C123B}.exe{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55793141-0AF7-46f8-97D2-CDC252728745}	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CC749A2-1281-4744-89DC-B46626CA77E0}	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A9F0772-41A7-4ac5-8A84-56EF72565776}\stubpath = "C:\\Windows\\{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe"	{55793141-0AF7-46f8-97D2-CDC252728745}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}\stubpath = "C:\\Windows\\{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe"	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C3B8547-40B4-4fdf-BF42-CE37666B6128}\stubpath = "C:\\Windows\\{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe"	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90617509-9017-4bab-9AE0-94630890E18B}	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0931107-6C0E-4841-A562-07F67C133C7C}	{90617509-9017-4bab-9AE0-94630890E18B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{037CD811-00C8-493d-8A76-87A4C9EAF55A}	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{037CD811-00C8-493d-8A76-87A4C9EAF55A}\stubpath = "C:\\Windows\\{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe"	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B74732E5-C225-4450-AD95-D5CB063C123B}\stubpath = "C:\\Windows\\{B74732E5-C225-4450-AD95-D5CB063C123B}.exe"	{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}	{B74732E5-C225-4450-AD95-D5CB063C123B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FB17D49-D6B0-4b8c-B816-21C05425F6CF}	{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FB17D49-D6B0-4b8c-B816-21C05425F6CF}\stubpath = "C:\\Windows\\{2FB17D49-D6B0-4b8c-B816-21C05425F6CF}.exe"	{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CC749A2-1281-4744-89DC-B46626CA77E0}\stubpath = "C:\\Windows\\{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe"	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55793141-0AF7-46f8-97D2-CDC252728745}\stubpath = "C:\\Windows\\{55793141-0AF7-46f8-97D2-CDC252728745}.exe"	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B74732E5-C225-4450-AD95-D5CB063C123B}	{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}\stubpath = "C:\\Windows\\{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}.exe"	{B74732E5-C225-4450-AD95-D5CB063C123B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C3B8547-40B4-4fdf-BF42-CE37666B6128}	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90617509-9017-4bab-9AE0-94630890E18B}\stubpath = "C:\\Windows\\{90617509-9017-4bab-9AE0-94630890E18B}.exe"	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0931107-6C0E-4841-A562-07F67C133C7C}\stubpath = "C:\\Windows\\{A0931107-6C0E-4841-A562-07F67C133C7C}.exe"	{90617509-9017-4bab-9AE0-94630890E18B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A9F0772-41A7-4ac5-8A84-56EF72565776}	{55793141-0AF7-46f8-97D2-CDC252728745}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2984 cmd.exe

pid	process
2984	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe{90617509-9017-4bab-9AE0-94630890E18B}.exe{A0931107-6C0E-4841-A562-07F67C133C7C}.exe{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe{55793141-0AF7-46f8-97D2-CDC252728745}.exe{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe{B74732E5-C225-4450-AD95-D5CB063C123B}.exe{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}.exe{2FB17D49-D6B0-4b8c-B816-21C05425F6CF}.exe

pid	process
2944	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe
2096	{90617509-9017-4bab-9AE0-94630890E18B}.exe
2528	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe
2472	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe
1872	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe
1656	{55793141-0AF7-46f8-97D2-CDC252728745}.exe
2460	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe
1464	{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe
2876	{B74732E5-C225-4450-AD95-D5CB063C123B}.exe
336	{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}.exe
1780	{2FB17D49-D6B0-4b8c-B816-21C05425F6CF}.exe

Drops file in Windows directory 11 IoCs

Processes:

2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe{90617509-9017-4bab-9AE0-94630890E18B}.exe{A0931107-6C0E-4841-A562-07F67C133C7C}.exe{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe{55793141-0AF7-46f8-97D2-CDC252728745}.exe{B74732E5-C225-4450-AD95-D5CB063C123B}.exe{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}.exe

description	ioc	process
File created	C:\Windows\{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe
File created	C:\Windows\{90617509-9017-4bab-9AE0-94630890E18B}.exe	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe
File created	C:\Windows\{A0931107-6C0E-4841-A562-07F67C133C7C}.exe	{90617509-9017-4bab-9AE0-94630890E18B}.exe
File created	C:\Windows\{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe
File created	C:\Windows\{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe
File created	C:\Windows\{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe	{55793141-0AF7-46f8-97D2-CDC252728745}.exe
File created	C:\Windows\{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}.exe	{B74732E5-C225-4450-AD95-D5CB063C123B}.exe
File created	C:\Windows\{55793141-0AF7-46f8-97D2-CDC252728745}.exe	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe
File created	C:\Windows\{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe
File created	C:\Windows\{B74732E5-C225-4450-AD95-D5CB063C123B}.exe	{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe
File created	C:\Windows\{2FB17D49-D6B0-4b8c-B816-21C05425F6CF}.exe	{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe{90617509-9017-4bab-9AE0-94630890E18B}.exe{A0931107-6C0E-4841-A562-07F67C133C7C}.exe{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe{55793141-0AF7-46f8-97D2-CDC252728745}.exe{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe{B74732E5-C225-4450-AD95-D5CB063C123B}.exe{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1712	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2944	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe
Token: SeIncBasePriorityPrivilege	2096	{90617509-9017-4bab-9AE0-94630890E18B}.exe
Token: SeIncBasePriorityPrivilege	2528	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe
Token: SeIncBasePriorityPrivilege	2472	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe
Token: SeIncBasePriorityPrivilege	1872	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe
Token: SeIncBasePriorityPrivilege	1656	{55793141-0AF7-46f8-97D2-CDC252728745}.exe
Token: SeIncBasePriorityPrivilege	2460	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe
Token: SeIncBasePriorityPrivilege	1464	{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe
Token: SeIncBasePriorityPrivilege	2876	{B74732E5-C225-4450-AD95-D5CB063C123B}.exe
Token: SeIncBasePriorityPrivilege	336	{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe{90617509-9017-4bab-9AE0-94630890E18B}.exe{A0931107-6C0E-4841-A562-07F67C133C7C}.exe{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe{55793141-0AF7-46f8-97D2-CDC252728745}.exe{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe

description	pid	process	target process
PID 1712 wrote to memory of 2944	1712	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe
PID 1712 wrote to memory of 2944	1712	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe
PID 1712 wrote to memory of 2944	1712	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe
PID 1712 wrote to memory of 2944	1712	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe
PID 1712 wrote to memory of 2984	1712	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe	cmd.exe
PID 1712 wrote to memory of 2984	1712	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe	cmd.exe
PID 1712 wrote to memory of 2984	1712	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe	cmd.exe
PID 1712 wrote to memory of 2984	1712	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe	cmd.exe
PID 2944 wrote to memory of 2096	2944	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe	{90617509-9017-4bab-9AE0-94630890E18B}.exe
PID 2944 wrote to memory of 2096	2944	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe	{90617509-9017-4bab-9AE0-94630890E18B}.exe
PID 2944 wrote to memory of 2096	2944	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe	{90617509-9017-4bab-9AE0-94630890E18B}.exe
PID 2944 wrote to memory of 2096	2944	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe	{90617509-9017-4bab-9AE0-94630890E18B}.exe
PID 2944 wrote to memory of 2600	2944	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe	cmd.exe
PID 2944 wrote to memory of 2600	2944	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe	cmd.exe
PID 2944 wrote to memory of 2600	2944	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe	cmd.exe
PID 2944 wrote to memory of 2600	2944	{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe	cmd.exe
PID 2096 wrote to memory of 2528	2096	{90617509-9017-4bab-9AE0-94630890E18B}.exe	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe
PID 2096 wrote to memory of 2528	2096	{90617509-9017-4bab-9AE0-94630890E18B}.exe	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe
PID 2096 wrote to memory of 2528	2096	{90617509-9017-4bab-9AE0-94630890E18B}.exe	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe
PID 2096 wrote to memory of 2528	2096	{90617509-9017-4bab-9AE0-94630890E18B}.exe	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe
PID 2096 wrote to memory of 2516	2096	{90617509-9017-4bab-9AE0-94630890E18B}.exe	cmd.exe
PID 2096 wrote to memory of 2516	2096	{90617509-9017-4bab-9AE0-94630890E18B}.exe	cmd.exe
PID 2096 wrote to memory of 2516	2096	{90617509-9017-4bab-9AE0-94630890E18B}.exe	cmd.exe
PID 2096 wrote to memory of 2516	2096	{90617509-9017-4bab-9AE0-94630890E18B}.exe	cmd.exe
PID 2528 wrote to memory of 2472	2528	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe
PID 2528 wrote to memory of 2472	2528	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe
PID 2528 wrote to memory of 2472	2528	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe
PID 2528 wrote to memory of 2472	2528	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe
PID 2528 wrote to memory of 2452	2528	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe	cmd.exe
PID 2528 wrote to memory of 2452	2528	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe	cmd.exe
PID 2528 wrote to memory of 2452	2528	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe	cmd.exe
PID 2528 wrote to memory of 2452	2528	{A0931107-6C0E-4841-A562-07F67C133C7C}.exe	cmd.exe
PID 2472 wrote to memory of 1872	2472	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe
PID 2472 wrote to memory of 1872	2472	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe
PID 2472 wrote to memory of 1872	2472	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe
PID 2472 wrote to memory of 1872	2472	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe
PID 2472 wrote to memory of 1744	2472	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe	cmd.exe
PID 2472 wrote to memory of 1744	2472	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe	cmd.exe
PID 2472 wrote to memory of 1744	2472	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe	cmd.exe
PID 2472 wrote to memory of 1744	2472	{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe	cmd.exe
PID 1872 wrote to memory of 1656	1872	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe	{55793141-0AF7-46f8-97D2-CDC252728745}.exe
PID 1872 wrote to memory of 1656	1872	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe	{55793141-0AF7-46f8-97D2-CDC252728745}.exe
PID 1872 wrote to memory of 1656	1872	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe	{55793141-0AF7-46f8-97D2-CDC252728745}.exe
PID 1872 wrote to memory of 1656	1872	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe	{55793141-0AF7-46f8-97D2-CDC252728745}.exe
PID 1872 wrote to memory of 344	1872	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe	cmd.exe
PID 1872 wrote to memory of 344	1872	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe	cmd.exe
PID 1872 wrote to memory of 344	1872	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe	cmd.exe
PID 1872 wrote to memory of 344	1872	{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe	cmd.exe
PID 1656 wrote to memory of 2460	1656	{55793141-0AF7-46f8-97D2-CDC252728745}.exe	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe
PID 1656 wrote to memory of 2460	1656	{55793141-0AF7-46f8-97D2-CDC252728745}.exe	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe
PID 1656 wrote to memory of 2460	1656	{55793141-0AF7-46f8-97D2-CDC252728745}.exe	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe
PID 1656 wrote to memory of 2460	1656	{55793141-0AF7-46f8-97D2-CDC252728745}.exe	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe
PID 1656 wrote to memory of 1376	1656	{55793141-0AF7-46f8-97D2-CDC252728745}.exe	cmd.exe
PID 1656 wrote to memory of 1376	1656	{55793141-0AF7-46f8-97D2-CDC252728745}.exe	cmd.exe
PID 1656 wrote to memory of 1376	1656	{55793141-0AF7-46f8-97D2-CDC252728745}.exe	cmd.exe
PID 1656 wrote to memory of 1376	1656	{55793141-0AF7-46f8-97D2-CDC252728745}.exe	cmd.exe
PID 2460 wrote to memory of 1464	2460	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe	{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe
PID 2460 wrote to memory of 1464	2460	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe	{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe
PID 2460 wrote to memory of 1464	2460	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe	{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe
PID 2460 wrote to memory of 1464	2460	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe	{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe
PID 2460 wrote to memory of 2588	2460	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe	cmd.exe
PID 2460 wrote to memory of 2588	2460	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe	cmd.exe
PID 2460 wrote to memory of 2588	2460	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe	cmd.exe
PID 2460 wrote to memory of 2588	2460	{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe
C:\Windows\{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\{90617509-9017-4bab-9AE0-94630890E18B}.exe
C:\Windows\{90617509-9017-4bab-9AE0-94630890E18B}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\{A0931107-6C0E-4841-A562-07F67C133C7C}.exe
C:\Windows\{A0931107-6C0E-4841-A562-07F67C133C7C}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe
C:\Windows\{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe
C:\Windows\{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\{55793141-0AF7-46f8-97D2-CDC252728745}.exe
C:\Windows\{55793141-0AF7-46f8-97D2-CDC252728745}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe
C:\Windows\{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe
C:\Windows\{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\{B74732E5-C225-4450-AD95-D5CB063C123B}.exe
C:\Windows\{B74732E5-C225-4450-AD95-D5CB063C123B}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}.exe
C:\Windows\{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\{2FB17D49-D6B0-4b8c-B816-21C05425F6CF}.exe
C:\Windows\{2FB17D49-D6B0-4b8c-B816-21C05425F6CF}.exe
12⤵
- Executes dropped EXE
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CD389~1.EXE > nul
12⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B7473~1.EXE > nul
11⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6A8A7~1.EXE > nul
10⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0A9F0~1.EXE > nul
9⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{55793~1.EXE > nul
8⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5CC74~1.EXE > nul
7⤵
PID:344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{037CD~1.EXE > nul
6⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A0931~1.EXE > nul
5⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{90617~1.EXE > nul
4⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3C3B8~1.EXE > nul
3⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2984

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{037CD811-00C8-493d-8A76-87A4C9EAF55A}.exe
Filesize
344KB

MD5
5980329e218a361002937526db491d1e

SHA1
ee9029ac4d3300120e72184b86d810227048e606

SHA256
a8fc2a243dbb628863cc904e4d8ade3ddaa60b242fd20467d13503d95df6a1e7

SHA512
38330b85b06463397b8b3deac2244c074dd1afc3be6722149ca8458055855e8d5a53212ad1a096e57f0c75b500c2790f8080b5e6cd5572395989e55a9d092470

Download Submit
C:\Windows\{0A9F0772-41A7-4ac5-8A84-56EF72565776}.exe
Filesize
344KB

MD5
d79dde92b1c2492ebfa704be7dfcaebc

SHA1
96639c663d3bbb5cdc0d01ce7ed40ef034385720

SHA256
ba1752ade1bfb457dfa12fc1fb14d7b5a019e2734c7f3be7d45571f1589e7ec7

SHA512
203d452a39c028288f624d17401edbf2767366c0e6e11df3daefb61a1192a83d93a77b870ffaa646d58a72538a9397d612848132f8c0b1ebf8fe79bb04d17171

Download Submit
C:\Windows\{2FB17D49-D6B0-4b8c-B816-21C05425F6CF}.exe
Filesize
344KB

MD5
29f3d062c99c30566d74fa80f136d041

SHA1
7598fbbda133d9a610499952f206c8041795634f

SHA256
96921cbcb35b3a8153903b229d4e41f2cbe5ae662d6183d4ba306abd048fcbb8

SHA512
86cde63242bfbc708a3bfc73a7aacd27b43999e60eaa6087acbc5b48b0e11cc5407f29378b19f552b3577417d1720fbbb841519030a2f962a0727ad9193a82c4

Download Submit
C:\Windows\{3C3B8547-40B4-4fdf-BF42-CE37666B6128}.exe
Filesize
344KB

MD5
63077d4e4c43145659240f4b92693213

SHA1
7f71536ba45bc0d4ee8cebd7f0664d62bf70cbcb

SHA256
558892da485a778fb35226b2e5895aac7508e0367a4aa4c07864e710ce96bfa6

SHA512
9884a1f3865174802729632144be67eee234a3e242b6f256f6cd0df92514a1cf98de5081c0079e026bc3b274aa0dd81ea204c296d09b55bef6d1dfb8d399645c

Download Submit
C:\Windows\{55793141-0AF7-46f8-97D2-CDC252728745}.exe
Filesize
344KB

MD5
78e13d8b8518a6149619c470003c8b9a

SHA1
00af518e32b93de866e70df19e09cf0a4e5b5796

SHA256
8d1d99b1ea3be920a818399f2bbead044267eb4a7b9c2edd81b827293cde2647

SHA512
eeb21ec979a5cf2c956da1f54d503136f141c8e8efdd63324ff6fd2ba1b0c81872914fc16f606cca77227cc99ee4e482f70ecc49b0a2de19b08598ccb089cc18

Download Submit
C:\Windows\{5CC749A2-1281-4744-89DC-B46626CA77E0}.exe
Filesize
344KB

MD5
54bc0763a04f6a7ccd070dc7a298158c

SHA1
5d153e8569f226d8cdd684189b9e864579ae2c5a

SHA256
6ba848ddd06d520cb1028ffcb1e8061c26135de9d43de760210a7efaaa0b24e8

SHA512
d2609e97398732b884ca08e560ddfc6a35bfa0aa29d8bca0e748998d8af7d1081cecef17049790c2ea6ae1c0891398a254be9e97bcabc7b7ef26376539acbb81

Download Submit
C:\Windows\{6A8A70AA-EE89-4f8f-8B13-B3176F37197F}.exe
Filesize
344KB

MD5
4031118fdd4f019afdd9fed10724c019

SHA1
746f6cbacbb0bafeee778061bcdfe07885b38efb

SHA256
27dd67afabd1032fa719d997ce2929ebfe03eef266da06b727e26ac9b78bb5dc

SHA512
b1299ff075c60bab565c3677dcdf0fdecb29fe5f407e87e13bc4be8479b9bd09248c7193e6e2187c9306027ffc7bf1bd847742788b4b723ceaa6d0b7abcd7044

Download Submit
C:\Windows\{90617509-9017-4bab-9AE0-94630890E18B}.exe
Filesize
344KB

MD5
f4560c8dcebbf55ebf654b4222976f10

SHA1
cb9637c74257a331259db82066f5a89a5e98b358

SHA256
b12dfd1908fc158b2a11d7369f1093dad17cfa9766a545a7fd8c707e3db86733

SHA512
61ddd55e533ebdbea6086bbecdede0edac41d9a37cd50ec443dc83dbddd3195e627a559fb17f3c83e7d4124195aa126f8cbd509ff7e2a06123c76a07f7675034

Download Submit
C:\Windows\{A0931107-6C0E-4841-A562-07F67C133C7C}.exe
Filesize
344KB

MD5
f7422691fe20b9d2b5c64b714f7cddc4

SHA1
91411c13193a8c04742306eba8bb848ec51c4831

SHA256
deb953311c5b1a19100952d341461badc9673952c58891060792f54d9f8faf6d

SHA512
bfd0707a1ca087d629750361071179f8012516e7b2fb288f98d55622237c835a2dc584c3e614de74e700c9d80a2f8ca07dc7b798fd397bc5af12472df6f305d5

Download Submit
C:\Windows\{B74732E5-C225-4450-AD95-D5CB063C123B}.exe
Filesize
344KB

MD5
8541f4d72e0fe306e49b1316c79710c7

SHA1
34f5eb4c3ba12429f61d9d6f40757d96342d5c88

SHA256
f28c3c11ed3c58c828872caa3c6600a10666ceb33b2deba22c133b9d2efb7026

SHA512
b132540e8f96e0478d8afaaefd53783202ac9e12c3dac23c3fee364e77ebc2f9e468ef3bbe06f7b2d6bedfc5346b16f505a473eb661e9e805f51bcdd5fdea129

Download Submit
C:\Windows\{CD389BCB-9226-4ef3-8E77-17AD0443F4FB}.exe
Filesize
344KB

MD5
d2f16e21c094a7c43c6dde382aa844a5

SHA1
fd69665e968fc8352a634498fb763c956b81a6df

SHA256
67e0caa2c6749eea6fa1839da0656acfefc097167c6ec709e6307e10487d7393

SHA512
aec1abd2e448374ddf8d29696e11105ffd7ea67ec51d9ada0f63ec6e3370d45231388e7db53778f1ec5f7dbd64bbd0cc6e4fd0c328dd0918d6fa15a014107607

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads