78cc575f1d769f42f5c952874409c032d9cf74c0000611a9b6407418f4b7f4f7

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe
Size

197KB
MD5

83bc0013b0b2315d4afc71ba9a24c5de
SHA1

30b3a1cfc8702b2fbc03bf6c0a7ca11819afb98e
SHA256

78cc575f1d769f42f5c952874409c032d9cf74c0000611a9b6407418f4b7f4f7
SHA512

4f068bf25e17edba080b4137f2901a16d23efedd51a338a047098fc332b66bdbd31342ae500acc546090390a43cbc28946b0c2735a06ba8c1f13c3835893ef9f
SSDEEP

3072:jEGh0osl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG+lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000d000000014698-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015264-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014698-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014698-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000014698-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000014698-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000014698-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CCBA8EC-FB3F-4515-85D7-CF58776A4CD5}\stubpath = "C:\\Windows\\{9CCBA8EC-FB3F-4515-85D7-CF58776A4CD5}.exe"	{2644A882-A7EF-4331-A1A5-5F3815CCD78A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{644FE373-7259-40a3-944A-0E9E9F00309F}	{F9715E8B-23AB-42b6-B598-F4F67AB68F7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}\stubpath = "C:\\Windows\\{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe"	{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}	{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CCBA8EC-FB3F-4515-85D7-CF58776A4CD5}	{2644A882-A7EF-4331-A1A5-5F3815CCD78A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23188697-4395-4be1-9E26-99B53BF1EBF3}	{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83815B5A-4BF1-4210-B02E-A2DE09E372B7}	{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}\stubpath = "C:\\Windows\\{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe"	{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2644A882-A7EF-4331-A1A5-5F3815CCD78A}	{30819A51-9A1A-4736-8B8C-0F0E2D1275A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD45ABDE-4F06-4b24-9CF1-460B57490530}	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD45ABDE-4F06-4b24-9CF1-460B57490530}\stubpath = "C:\\Windows\\{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe"	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3E769DC-A36A-4869-8184-0ACE225C2BCF}	{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}	{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30819A51-9A1A-4736-8B8C-0F0E2D1275A7}	{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30819A51-9A1A-4736-8B8C-0F0E2D1275A7}\stubpath = "C:\\Windows\\{30819A51-9A1A-4736-8B8C-0F0E2D1275A7}.exe"	{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9715E8B-23AB-42b6-B598-F4F67AB68F7E}	{9CCBA8EC-FB3F-4515-85D7-CF58776A4CD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{644FE373-7259-40a3-944A-0E9E9F00309F}\stubpath = "C:\\Windows\\{644FE373-7259-40a3-944A-0E9E9F00309F}.exe"	{F9715E8B-23AB-42b6-B598-F4F67AB68F7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07601850-DF36-4906-87DA-CAAFE914B9A7}\stubpath = "C:\\Windows\\{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe"	{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23188697-4395-4be1-9E26-99B53BF1EBF3}\stubpath = "C:\\Windows\\{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe"	{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83815B5A-4BF1-4210-B02E-A2DE09E372B7}\stubpath = "C:\\Windows\\{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe"	{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9715E8B-23AB-42b6-B598-F4F67AB68F7E}\stubpath = "C:\\Windows\\{F9715E8B-23AB-42b6-B598-F4F67AB68F7E}.exe"	{9CCBA8EC-FB3F-4515-85D7-CF58776A4CD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3E769DC-A36A-4869-8184-0ACE225C2BCF}\stubpath = "C:\\Windows\\{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe"	{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07601850-DF36-4906-87DA-CAAFE914B9A7}	{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2644A882-A7EF-4331-A1A5-5F3815CCD78A}\stubpath = "C:\\Windows\\{2644A882-A7EF-4331-A1A5-5F3815CCD78A}.exe"	{30819A51-9A1A-4736-8B8C-0F0E2D1275A7}.exe

Deletes itself 1 IoCs

pid	Process
3020	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2948	{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe
2648	{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe
2396	{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe
240	{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe
1928	{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe
2712	{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe
2168	{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe
1128	{30819A51-9A1A-4736-8B8C-0F0E2D1275A7}.exe
768	{2644A882-A7EF-4331-A1A5-5F3815CCD78A}.exe
2276	{9CCBA8EC-FB3F-4515-85D7-CF58776A4CD5}.exe
3004	{F9715E8B-23AB-42b6-B598-F4F67AB68F7E}.exe
2072	{644FE373-7259-40a3-944A-0E9E9F00309F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{30819A51-9A1A-4736-8B8C-0F0E2D1275A7}.exe	{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe
File created	C:\Windows\{644FE373-7259-40a3-944A-0E9E9F00309F}.exe	{F9715E8B-23AB-42b6-B598-F4F67AB68F7E}.exe
File created	C:\Windows\{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe
File created	C:\Windows\{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe	{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe
File created	C:\Windows\{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe	{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe
File created	C:\Windows\{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe	{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe
File created	C:\Windows\{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe	{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe
File created	C:\Windows\{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe	{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe
File created	C:\Windows\{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe	{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe
File created	C:\Windows\{2644A882-A7EF-4331-A1A5-5F3815CCD78A}.exe	{30819A51-9A1A-4736-8B8C-0F0E2D1275A7}.exe
File created	C:\Windows\{9CCBA8EC-FB3F-4515-85D7-CF58776A4CD5}.exe	{2644A882-A7EF-4331-A1A5-5F3815CCD78A}.exe
File created	C:\Windows\{F9715E8B-23AB-42b6-B598-F4F67AB68F7E}.exe	{9CCBA8EC-FB3F-4515-85D7-CF58776A4CD5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2892	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2948	{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe
Token: SeIncBasePriorityPrivilege	2648	{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe
Token: SeIncBasePriorityPrivilege	2396	{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe
Token: SeIncBasePriorityPrivilege	240	{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe
Token: SeIncBasePriorityPrivilege	1928	{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe
Token: SeIncBasePriorityPrivilege	2712	{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe
Token: SeIncBasePriorityPrivilege	2168	{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe
Token: SeIncBasePriorityPrivilege	1128	{30819A51-9A1A-4736-8B8C-0F0E2D1275A7}.exe
Token: SeIncBasePriorityPrivilege	768	{2644A882-A7EF-4331-A1A5-5F3815CCD78A}.exe
Token: SeIncBasePriorityPrivilege	2276	{9CCBA8EC-FB3F-4515-85D7-CF58776A4CD5}.exe
Token: SeIncBasePriorityPrivilege	3004	{F9715E8B-23AB-42b6-B598-F4F67AB68F7E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2948	2892	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe	28
PID 2892 wrote to memory of 2948	2892	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe	28
PID 2892 wrote to memory of 2948	2892	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe	28
PID 2892 wrote to memory of 2948	2892	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe	28
PID 2892 wrote to memory of 3020	2892	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe	29
PID 2892 wrote to memory of 3020	2892	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe	29
PID 2892 wrote to memory of 3020	2892	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe	29
PID 2892 wrote to memory of 3020	2892	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe	29
PID 2948 wrote to memory of 2648	2948	{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe	32
PID 2948 wrote to memory of 2648	2948	{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe	32
PID 2948 wrote to memory of 2648	2948	{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe	32
PID 2948 wrote to memory of 2648	2948	{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe	32
PID 2948 wrote to memory of 1588	2948	{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe	33
PID 2948 wrote to memory of 1588	2948	{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe	33
PID 2948 wrote to memory of 1588	2948	{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe	33
PID 2948 wrote to memory of 1588	2948	{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe	33
PID 2648 wrote to memory of 2396	2648	{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe	34
PID 2648 wrote to memory of 2396	2648	{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe	34
PID 2648 wrote to memory of 2396	2648	{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe	34
PID 2648 wrote to memory of 2396	2648	{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe	34
PID 2648 wrote to memory of 1696	2648	{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe	35
PID 2648 wrote to memory of 1696	2648	{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe	35
PID 2648 wrote to memory of 1696	2648	{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe	35
PID 2648 wrote to memory of 1696	2648	{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe	35
PID 2396 wrote to memory of 240	2396	{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe	36
PID 2396 wrote to memory of 240	2396	{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe	36
PID 2396 wrote to memory of 240	2396	{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe	36
PID 2396 wrote to memory of 240	2396	{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe	36
PID 2396 wrote to memory of 1396	2396	{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe	37
PID 2396 wrote to memory of 1396	2396	{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe	37
PID 2396 wrote to memory of 1396	2396	{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe	37
PID 2396 wrote to memory of 1396	2396	{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe	37
PID 240 wrote to memory of 1928	240	{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe	38
PID 240 wrote to memory of 1928	240	{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe	38
PID 240 wrote to memory of 1928	240	{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe	38
PID 240 wrote to memory of 1928	240	{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe	38
PID 240 wrote to memory of 1200	240	{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe	39
PID 240 wrote to memory of 1200	240	{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe	39
PID 240 wrote to memory of 1200	240	{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe	39
PID 240 wrote to memory of 1200	240	{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe	39
PID 1928 wrote to memory of 2712	1928	{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe	40
PID 1928 wrote to memory of 2712	1928	{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe	40
PID 1928 wrote to memory of 2712	1928	{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe	40
PID 1928 wrote to memory of 2712	1928	{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe	40
PID 1928 wrote to memory of 2752	1928	{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe	41
PID 1928 wrote to memory of 2752	1928	{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe	41
PID 1928 wrote to memory of 2752	1928	{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe	41
PID 1928 wrote to memory of 2752	1928	{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe	41
PID 2712 wrote to memory of 2168	2712	{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe	42
PID 2712 wrote to memory of 2168	2712	{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe	42
PID 2712 wrote to memory of 2168	2712	{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe	42
PID 2712 wrote to memory of 2168	2712	{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe	42
PID 2712 wrote to memory of 2340	2712	{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe	43
PID 2712 wrote to memory of 2340	2712	{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe	43
PID 2712 wrote to memory of 2340	2712	{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe	43
PID 2712 wrote to memory of 2340	2712	{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe	43
PID 2168 wrote to memory of 1128	2168	{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe	44
PID 2168 wrote to memory of 1128	2168	{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe	44
PID 2168 wrote to memory of 1128	2168	{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe	44
PID 2168 wrote to memory of 1128	2168	{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe	44
PID 2168 wrote to memory of 2432	2168	{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe	45
PID 2168 wrote to memory of 2432	2168	{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe	45
PID 2168 wrote to memory of 2432	2168	{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe	45
PID 2168 wrote to memory of 2432	2168	{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe
  C:\Windows\{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe
    C:\Windows\{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe
      C:\Windows\{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe
        
        C:\Windows\{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:240
      - C:\Windows\{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe
        
        C:\Windows\{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe
        
        C:\Windows\{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe
        
        C:\Windows\{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\{30819A51-9A1A-4736-8B8C-0F0E2D1275A7}.exe
        
        C:\Windows\{30819A51-9A1A-4736-8B8C-0F0E2D1275A7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\{2644A882-A7EF-4331-A1A5-5F3815CCD78A}.exe
        
        C:\Windows\{2644A882-A7EF-4331-A1A5-5F3815CCD78A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\{9CCBA8EC-FB3F-4515-85D7-CF58776A4CD5}.exe
        
        C:\Windows\{9CCBA8EC-FB3F-4515-85D7-CF58776A4CD5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\{F9715E8B-23AB-42b6-B598-F4F67AB68F7E}.exe
        
        C:\Windows\{F9715E8B-23AB-42b6-B598-F4F67AB68F7E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\{644FE373-7259-40a3-944A-0E9E9F00309F}.exe
        
        C:\Windows\{644FE373-7259-40a3-944A-0E9E9F00309F}.exe
        13⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9715~1.EXE > nul
        13⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CCBA~1.EXE > nul
        12⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2644A~1.EXE > nul
        11⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30819~1.EXE > nul
        10⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AC27~1.EXE > nul
        9⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22C12~1.EXE > nul
        8⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83815~1.EXE > nul
        7⤵
        
        PID:2752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23188~1.EXE > nul
        6⤵
        
        PID:1200
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07601~1.EXE > nul
        5⤵
        
        PID:1396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F3E76~1.EXE > nul
      4⤵
      PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FD45A~1.EXE > nul
    3⤵
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07601850-DF36-4906-87DA-CAAFE914B9A7}.exe

Filesize
197KB

MD5
6d874b10d45d39368b3de78789357ff8

SHA1
ca5ae3444de7d623a78d7719a3b13f630db0db89

SHA256
a63ddf65b7b8f200edcc07aea07e8f470a76b3ed7c56769d2481d69a9b2411f9

SHA512
ad21fb2fc8bb7443e6c4652f30ad15578a4405b7a062f8c5611936928e20185b926900696251db50f9c44226d04f6a496ec39a4d7a1a7522fa05d0bbb0fd0057

Download Submit
C:\Windows\{22C1288E-7FD3-4c09-91BF-A35FA4918DF5}.exe

Filesize
197KB

MD5
ae5149417e859de1d031f0044400168e

SHA1
65bc085ba60ca04500d70f0795ee19949cbbae7e

SHA256
c1b1e7e86e44870b3a0568192efbdcc19a750ac2a4b47164d9d60d3becfd8740

SHA512
2d7579d3b36daea922a54c4a18a6a1209876ed5c0e92079eef17a6fa949ab4a25380c5cb39abb7263a2bc737cb897497d0c08df38ce1dcb876ed1306fa2d132b

Download Submit
C:\Windows\{23188697-4395-4be1-9E26-99B53BF1EBF3}.exe

Filesize
197KB

MD5
4483554a8d2e4ad7f219e6d76cfc79dd

SHA1
bd537ba16fecc202073e3a92e797144bf6628e66

SHA256
c9e53e1548495b8c3f40a7d85ddcf64eb151033bc1105559de100ad51594fb05

SHA512
8edff1ff057b0a3b5ab576321990fb274ccaf7aae112d63f2d6ceedd534b557e45f68a27bf7dd89de5bdc67e826007fc8e26ce983fa883a8a257510341038542

Download Submit
C:\Windows\{2644A882-A7EF-4331-A1A5-5F3815CCD78A}.exe

Filesize
197KB

MD5
4a610ae23c67700c8464c1221125e1be

SHA1
8f3b544bff65d260fb29522f1e79e252042650a8

SHA256
8b06203462750a1c7a98e01e3666c78173668870897e87bec268638a33c1065b

SHA512
edf02e70a8b07f067ef683c16c75cee310a0c46be128b17873b6b32b5f33503d0940a02772718c945631473f19ee5fb23a87ed03e4a63157d90a9befecff9388

Download Submit
C:\Windows\{30819A51-9A1A-4736-8B8C-0F0E2D1275A7}.exe

Filesize
197KB

MD5
ff59df471b76b79f219aeb147a1be0a6

SHA1
207b0026017909025370bea01a83dcd9d6e4d910

SHA256
65d80027a5ae7db18affb5d340cb99048f702d5b78996bee0623bccadb0a8cba

SHA512
d68fb14c7c2945d8c69ae130494236ecb0b84dfa7562857a26e19c352a148d330f2783de1e498695e3cabc846b17d75b3b70387c4e0140fa8827cc9b8bde498a

Download Submit
C:\Windows\{644FE373-7259-40a3-944A-0E9E9F00309F}.exe

Filesize
197KB

MD5
8f8d0f10e38b44c3f718646743a50389

SHA1
5d4f50c6ca97846c462dfaf18223a249857b2d87

SHA256
6995d33fb7adc92497f56634e8a4b864c7a0d3f3b55cea2ab4fd1a686023fa11

SHA512
727fe0ac451a7ac8d601de99aef2d15d8a14bd2f11d21c70fe8678eb9547cc773ec62f1f0707489f2edb5ebbd031661e4ffa32ec76a992d796f33de6fc693bdb

Download Submit
C:\Windows\{83815B5A-4BF1-4210-B02E-A2DE09E372B7}.exe

Filesize
197KB

MD5
5ad30f969037616f8388d3f1e79c4a53

SHA1
9c65df05bbec60f4eff29edf81e5b8ab5039056d

SHA256
e9df847d13cf1c68fa217460e65313f22f0420d0917824964b1b59961f23ef9b

SHA512
d263f3c8351b028165605e73e33d48c92d040d7b4a834cb891b8ccb3b29985d47e81c974e18294b65c0efe436e1001227c23bdcb10c2a6dc6f22b05873444f15

Download Submit
C:\Windows\{8AC27D02-7ADD-48f9-8E2D-3AD5F2F415D3}.exe

Filesize
197KB

MD5
e4cdf903e213a5feea4b510b385ae664

SHA1
a37987cec55a76fb6601a92ee2ccc9962e5e6c62

SHA256
e861047c5e3851643d97fcadafc4c73af190c1be5be8f43ecf946701ec10008c

SHA512
9c4460706f4ed13d29b058d377c56677d9f5d30d43497631fdaf65b1b3c869dcb31cd42a36ddff6b067b6be92a258cda68e5c93f01c6bea5007bac8b517ccd99

Download Submit
C:\Windows\{9CCBA8EC-FB3F-4515-85D7-CF58776A4CD5}.exe

Filesize
197KB

MD5
2be0b09ac8b951654df8a79fa3e9e125

SHA1
a101f804147b11b473984d6c2f77883f048b3353

SHA256
3c1333c7e61253f5ad399deed35bed2638eebd0053e220a3d57ee3b7fdb8d819

SHA512
b6a1a28b36821f0a374d92cb36df1866a50d1a88eff4948a196413904166327eee9b7e5f8538ceb9cec26533d2113b2bb97b3b88c8c5b4bc5316b70664a498ec

Download Submit
C:\Windows\{F3E769DC-A36A-4869-8184-0ACE225C2BCF}.exe

Filesize
197KB

MD5
81d2fd58b33aedeb02634bf293c3cf55

SHA1
a77494cdbd3f9c7a9a5c7494adc517934661d81e

SHA256
258424d129ca7db1fa383d0d6b76bd993c20a4ea4cdd0835debac2b1b6e76f2b

SHA512
bd49e4fe1a7f0661ccd9a2e515c05a0f6f90c1865b948889a44506550ea67c96bd36189f96082450be097b579ef797c030a88701e9efad5bce200b82439f7d4b

Download Submit
C:\Windows\{F9715E8B-23AB-42b6-B598-F4F67AB68F7E}.exe

Filesize
197KB

MD5
bcfbaf5ee6bab9af5177b0cbc82a76aa

SHA1
e2b9bd2e396829cdecd830d061b9b6e5b135f055

SHA256
6155ffdac0af4401508565f26a87cfcb9bf2ae23953a6b1ce8416c4604105dbf

SHA512
f352fcbf2d68adae273aa81287ace1e8b420a3bb6876ce1c41952fda5c7ee23349433ab70c24756005a78c521da8ac4a8479dfe668a83aac2e5693389139084d

Download Submit
C:\Windows\{FD45ABDE-4F06-4b24-9CF1-460B57490530}.exe

Filesize
197KB

MD5
8a9d45c09ad4b56d5b87c0c1c911b513

SHA1
0a269105ebddc4fd8ae1a0ecb1e053126d0c9e46

SHA256
ca84058a4610edd31ab5710f54b09f9dfc61664a8b513067022b7f99a5f18ae8

SHA512
e5141d5853fc97537c7e42d585ecbb876db1b66d688dde6bf6add1f10550885bfa6ec323971bf6663cd404ae7708cf8d974ed6013189169321f9b4e9a54f9e56

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads