c2012d1c2bfde307384aac5bcf86215cc4d3d21d4ba94557d5e88ee4d71227ff

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe
Size

180KB
MD5

2eacf9b575fda381de9e81f90ddd4791
SHA1

eea825deb93806ebb2382558b397e01aeec16416
SHA256

c2012d1c2bfde307384aac5bcf86215cc4d3d21d4ba94557d5e88ee4d71227ff
SHA512

c7ef521384ca2e0d89a5704ba79e3f53c5ebfb58a8488dde2acde3c87d321e2ff45054cd1c3fdb7c9569da3d7fa36110fc89f205f055b590d90096e1b987db39
SSDEEP

3072:jEGh0ovlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGRl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{0A059884-35BE-4503-A607-5DBB4661C57A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{46B4312C-7736-4fee-91AE-B2245657E371}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{358725DD-C064-4c16-A253-BD26821B10DC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F49C63A7-54CB-4870-A58E-DE848CD62433}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7E2B566D-6D39-4f80-9468-3A4FF439D59D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe{46B4312C-7736-4fee-91AE-B2245657E371}.exe{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}.exe{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe{358725DD-C064-4c16-A253-BD26821B10DC}.exe{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe{0A059884-35BE-4503-A607-5DBB4661C57A}.exe{F49C63A7-54CB-4870-A58E-DE848CD62433}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A059884-35BE-4503-A607-5DBB4661C57A}\stubpath = "C:\\Windows\\{0A059884-35BE-4503-A607-5DBB4661C57A}.exe"	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}\stubpath = "C:\\Windows\\{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe"	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2132655A-50FB-40b7-BF1F-B7D763E41296}\stubpath = "C:\\Windows\\{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe"	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46B4312C-7736-4fee-91AE-B2245657E371}\stubpath = "C:\\Windows\\{46B4312C-7736-4fee-91AE-B2245657E371}.exe"	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{358725DD-C064-4c16-A253-BD26821B10DC}	{46B4312C-7736-4fee-91AE-B2245657E371}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F49C63A7-54CB-4870-A58E-DE848CD62433}	{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F49C63A7-54CB-4870-A58E-DE848CD62433}\stubpath = "C:\\Windows\\{F49C63A7-54CB-4870-A58E-DE848CD62433}.exe"	{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A96BC18-F492-42a5-B041-6DF4294A848E}	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A96BC18-F492-42a5-B041-6DF4294A848E}\stubpath = "C:\\Windows\\{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe"	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}\stubpath = "C:\\Windows\\{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe"	{358725DD-C064-4c16-A253-BD26821B10DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}\stubpath = "C:\\Windows\\{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}.exe"	{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69F849CB-8653-4d15-993E-28E8ABC7A627}	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69F849CB-8653-4d15-993E-28E8ABC7A627}\stubpath = "C:\\Windows\\{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe"	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46B4312C-7736-4fee-91AE-B2245657E371}	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}	{358725DD-C064-4c16-A253-BD26821B10DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}	{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E2B566D-6D39-4f80-9468-3A4FF439D59D}\stubpath = "C:\\Windows\\{7E2B566D-6D39-4f80-9468-3A4FF439D59D}.exe"	{F49C63A7-54CB-4870-A58E-DE848CD62433}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A059884-35BE-4503-A607-5DBB4661C57A}	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2132655A-50FB-40b7-BF1F-B7D763E41296}	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{358725DD-C064-4c16-A253-BD26821B10DC}\stubpath = "C:\\Windows\\{358725DD-C064-4c16-A253-BD26821B10DC}.exe"	{46B4312C-7736-4fee-91AE-B2245657E371}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E2B566D-6D39-4f80-9468-3A4FF439D59D}	{F49C63A7-54CB-4870-A58E-DE848CD62433}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2124 cmd.exe

pid	process
2124	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{0A059884-35BE-4503-A607-5DBB4661C57A}.exe{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe{46B4312C-7736-4fee-91AE-B2245657E371}.exe{358725DD-C064-4c16-A253-BD26821B10DC}.exe{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}.exe{F49C63A7-54CB-4870-A58E-DE848CD62433}.exe{7E2B566D-6D39-4f80-9468-3A4FF439D59D}.exe

pid	process
2164	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe
2752	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe
2624	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe
3040	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe
2700	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe
1956	{46B4312C-7736-4fee-91AE-B2245657E371}.exe
1596	{358725DD-C064-4c16-A253-BD26821B10DC}.exe
872	{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe
1660	{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}.exe
2896	{F49C63A7-54CB-4870-A58E-DE848CD62433}.exe
2968	{7E2B566D-6D39-4f80-9468-3A4FF439D59D}.exe

Drops file in Windows directory 11 IoCs

Processes:

{358725DD-C064-4c16-A253-BD26821B10DC}.exe{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}.exe{F49C63A7-54CB-4870-A58E-DE848CD62433}.exe2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe{0A059884-35BE-4503-A607-5DBB4661C57A}.exe{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe{46B4312C-7736-4fee-91AE-B2245657E371}.exe

description	ioc	process
File created	C:\Windows\{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe	{358725DD-C064-4c16-A253-BD26821B10DC}.exe
File created	C:\Windows\{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}.exe	{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe
File created	C:\Windows\{F49C63A7-54CB-4870-A58E-DE848CD62433}.exe	{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}.exe
File created	C:\Windows\{7E2B566D-6D39-4f80-9468-3A4FF439D59D}.exe	{F49C63A7-54CB-4870-A58E-DE848CD62433}.exe
File created	C:\Windows\{0A059884-35BE-4503-A607-5DBB4661C57A}.exe	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe
File created	C:\Windows\{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe
File created	C:\Windows\{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe
File created	C:\Windows\{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe
File created	C:\Windows\{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe
File created	C:\Windows\{46B4312C-7736-4fee-91AE-B2245657E371}.exe	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe
File created	C:\Windows\{358725DD-C064-4c16-A253-BD26821B10DC}.exe	{46B4312C-7736-4fee-91AE-B2245657E371}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe{0A059884-35BE-4503-A607-5DBB4661C57A}.exe{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe{46B4312C-7736-4fee-91AE-B2245657E371}.exe{358725DD-C064-4c16-A253-BD26821B10DC}.exe{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}.exe{F49C63A7-54CB-4870-A58E-DE848CD62433}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1284	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2164	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe
Token: SeIncBasePriorityPrivilege	2752	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe
Token: SeIncBasePriorityPrivilege	2624	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe
Token: SeIncBasePriorityPrivilege	3040	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe
Token: SeIncBasePriorityPrivilege	2700	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe
Token: SeIncBasePriorityPrivilege	1956	{46B4312C-7736-4fee-91AE-B2245657E371}.exe
Token: SeIncBasePriorityPrivilege	1596	{358725DD-C064-4c16-A253-BD26821B10DC}.exe
Token: SeIncBasePriorityPrivilege	872	{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe
Token: SeIncBasePriorityPrivilege	1660	{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}.exe
Token: SeIncBasePriorityPrivilege	2896	{F49C63A7-54CB-4870-A58E-DE848CD62433}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1284 wrote to memory of 2164	1284	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe
PID 1284 wrote to memory of 2164	1284	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe
PID 1284 wrote to memory of 2164	1284	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe
PID 1284 wrote to memory of 2164	1284	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe
PID 1284 wrote to memory of 2124	1284	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe	cmd.exe
PID 1284 wrote to memory of 2124	1284	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe	cmd.exe
PID 1284 wrote to memory of 2124	1284	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe	cmd.exe
PID 1284 wrote to memory of 2124	1284	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe	cmd.exe
PID 2164 wrote to memory of 2752	2164	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe
PID 2164 wrote to memory of 2752	2164	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe
PID 2164 wrote to memory of 2752	2164	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe
PID 2164 wrote to memory of 2752	2164	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe
PID 2164 wrote to memory of 2736	2164	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe	cmd.exe
PID 2164 wrote to memory of 2736	2164	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe	cmd.exe
PID 2164 wrote to memory of 2736	2164	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe	cmd.exe
PID 2164 wrote to memory of 2736	2164	{0A059884-35BE-4503-A607-5DBB4661C57A}.exe	cmd.exe
PID 2752 wrote to memory of 2624	2752	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe
PID 2752 wrote to memory of 2624	2752	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe
PID 2752 wrote to memory of 2624	2752	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe
PID 2752 wrote to memory of 2624	2752	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe
PID 2752 wrote to memory of 2268	2752	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe	cmd.exe
PID 2752 wrote to memory of 2268	2752	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe	cmd.exe
PID 2752 wrote to memory of 2268	2752	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe	cmd.exe
PID 2752 wrote to memory of 2268	2752	{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe	cmd.exe
PID 2624 wrote to memory of 3040	2624	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe
PID 2624 wrote to memory of 3040	2624	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe
PID 2624 wrote to memory of 3040	2624	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe
PID 2624 wrote to memory of 3040	2624	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe
PID 2624 wrote to memory of 2276	2624	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe	cmd.exe
PID 2624 wrote to memory of 2276	2624	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe	cmd.exe
PID 2624 wrote to memory of 2276	2624	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe	cmd.exe
PID 2624 wrote to memory of 2276	2624	{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe	cmd.exe
PID 3040 wrote to memory of 2700	3040	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe
PID 3040 wrote to memory of 2700	3040	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe
PID 3040 wrote to memory of 2700	3040	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe
PID 3040 wrote to memory of 2700	3040	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe
PID 3040 wrote to memory of 2828	3040	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe	cmd.exe
PID 3040 wrote to memory of 2828	3040	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe	cmd.exe
PID 3040 wrote to memory of 2828	3040	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe	cmd.exe
PID 3040 wrote to memory of 2828	3040	{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe	cmd.exe
PID 2700 wrote to memory of 1956	2700	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe	{46B4312C-7736-4fee-91AE-B2245657E371}.exe
PID 2700 wrote to memory of 1956	2700	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe	{46B4312C-7736-4fee-91AE-B2245657E371}.exe
PID 2700 wrote to memory of 1956	2700	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe	{46B4312C-7736-4fee-91AE-B2245657E371}.exe
PID 2700 wrote to memory of 1956	2700	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe	{46B4312C-7736-4fee-91AE-B2245657E371}.exe
PID 2700 wrote to memory of 1708	2700	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe	cmd.exe
PID 2700 wrote to memory of 1708	2700	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe	cmd.exe
PID 2700 wrote to memory of 1708	2700	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe	cmd.exe
PID 2700 wrote to memory of 1708	2700	{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe	cmd.exe
PID 1956 wrote to memory of 1596	1956	{46B4312C-7736-4fee-91AE-B2245657E371}.exe	{358725DD-C064-4c16-A253-BD26821B10DC}.exe
PID 1956 wrote to memory of 1596	1956	{46B4312C-7736-4fee-91AE-B2245657E371}.exe	{358725DD-C064-4c16-A253-BD26821B10DC}.exe
PID 1956 wrote to memory of 1596	1956	{46B4312C-7736-4fee-91AE-B2245657E371}.exe	{358725DD-C064-4c16-A253-BD26821B10DC}.exe
PID 1956 wrote to memory of 1596	1956	{46B4312C-7736-4fee-91AE-B2245657E371}.exe	{358725DD-C064-4c16-A253-BD26821B10DC}.exe
PID 1956 wrote to memory of 2244	1956	{46B4312C-7736-4fee-91AE-B2245657E371}.exe	cmd.exe
PID 1956 wrote to memory of 2244	1956	{46B4312C-7736-4fee-91AE-B2245657E371}.exe	cmd.exe
PID 1956 wrote to memory of 2244	1956	{46B4312C-7736-4fee-91AE-B2245657E371}.exe	cmd.exe
PID 1956 wrote to memory of 2244	1956	{46B4312C-7736-4fee-91AE-B2245657E371}.exe	cmd.exe
PID 1596 wrote to memory of 872	1596	{358725DD-C064-4c16-A253-BD26821B10DC}.exe	{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe
PID 1596 wrote to memory of 872	1596	{358725DD-C064-4c16-A253-BD26821B10DC}.exe	{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe
PID 1596 wrote to memory of 872	1596	{358725DD-C064-4c16-A253-BD26821B10DC}.exe	{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe
PID 1596 wrote to memory of 872	1596	{358725DD-C064-4c16-A253-BD26821B10DC}.exe	{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe
PID 1596 wrote to memory of 1476	1596	{358725DD-C064-4c16-A253-BD26821B10DC}.exe	cmd.exe
PID 1596 wrote to memory of 1476	1596	{358725DD-C064-4c16-A253-BD26821B10DC}.exe	cmd.exe
PID 1596 wrote to memory of 1476	1596	{358725DD-C064-4c16-A253-BD26821B10DC}.exe	cmd.exe
PID 1596 wrote to memory of 1476	1596	{358725DD-C064-4c16-A253-BD26821B10DC}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\{0A059884-35BE-4503-A607-5DBB4661C57A}.exe
C:\Windows\{0A059884-35BE-4503-A607-5DBB4661C57A}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe
C:\Windows\{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe
C:\Windows\{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe
C:\Windows\{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe
C:\Windows\{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\{46B4312C-7736-4fee-91AE-B2245657E371}.exe
C:\Windows\{46B4312C-7736-4fee-91AE-B2245657E371}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\{358725DD-C064-4c16-A253-BD26821B10DC}.exe
C:\Windows\{358725DD-C064-4c16-A253-BD26821B10DC}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe
C:\Windows\{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}.exe
C:\Windows\{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\{F49C63A7-54CB-4870-A58E-DE848CD62433}.exe
C:\Windows\{F49C63A7-54CB-4870-A58E-DE848CD62433}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\{7E2B566D-6D39-4f80-9468-3A4FF439D59D}.exe
C:\Windows\{7E2B566D-6D39-4f80-9468-3A4FF439D59D}.exe
12⤵
- Executes dropped EXE
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F49C6~1.EXE > nul
12⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F5790~1.EXE > nul
11⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4E2EA~1.EXE > nul
10⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{35872~1.EXE > nul
9⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{46B43~1.EXE > nul
8⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9A96B~1.EXE > nul
7⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{21326~1.EXE > nul
6⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AFA2E~1.EXE > nul
5⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{69F84~1.EXE > nul
4⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0A059~1.EXE > nul
3⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2124

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A059884-35BE-4503-A607-5DBB4661C57A}.exe
Filesize
180KB

MD5
acf1e85b62c2c624f7debf363ad5ce81

SHA1
e3b280c2ac5af56e5d56eb022d9606131e6f9924

SHA256
626ddd0790c3dede89bd5abcfbca493169a0c33e1994e01fee119a1d85e6c662

SHA512
2e4c90ba6941ad8a0065c220d8440b2482158deb5a8247f9910710d32c75c045679de495f4956f905993626396715cc7a493d008b68f0ddfd97e7575b33d5e4f

Download Submit
C:\Windows\{2132655A-50FB-40b7-BF1F-B7D763E41296}.exe
Filesize
180KB

MD5
57b0fb7d54a8f9fcd4e8814a56665572

SHA1
8c5ed451284a75873b7e518e958e7ccb8e6d82eb

SHA256
54f6e4070559d44ee7d40d05eb6b2257751e15c648d0451f9f3eb773a2ae0938

SHA512
38c12254d6e2a71dadf9665a67ab4bba1c9b062d91720c92be396e53b44b15d6e4c065c42324e6eefe9825d3c26826e7a85559894915e0deb0fb65737cf6b3bd

Download Submit
C:\Windows\{358725DD-C064-4c16-A253-BD26821B10DC}.exe
Filesize
180KB

MD5
01377fef13426069f53430367c6f3810

SHA1
39bd51262b285afc70a8ab04284ff5b6f076dd23

SHA256
f953721cd9e4a5a34f5a8a313468f4d882baae4e2c4a3089e08d966f5b944d40

SHA512
c81e6aef1cd643efc36343c1802669d57ef9c0d9d09cbb7f7f7b7261239fbfcc91974a03af7197454444d930f3e90cb49a5fdc83f5980c2ec7a0dccc67b14ebd

Download Submit
C:\Windows\{46B4312C-7736-4fee-91AE-B2245657E371}.exe
Filesize
180KB

MD5
2d1813e227193fe0d157f5bf553c1a32

SHA1
a752f0e421e862177a7c099d0b0b2c0088465800

SHA256
22920b46ccf2e0aff08ceb22d9319420b3578d7b3c44d79aeac089646e21822b

SHA512
ba75f74dc0725eccd04bff295cee8e145fea5021a46061c05925410e50d2d2f59e14468cb6346ea18e798dab2fe4a7d7fdb002961209887c92ba0d7226f93318

Download Submit
C:\Windows\{4E2EABB8-8C82-4ce5-9A43-EF2E5BBBB68C}.exe
Filesize
180KB

MD5
a1532d0bde4a989568b8d80f0636247c

SHA1
6cf96df3c43c162155a5bab2a011623f931a2ac9

SHA256
7a749f6445e8850345b06921cc75f80ec8b3fbea326515e7267ed30ad748d231

SHA512
76bf713675ecbc62aa065302cee9f7e77fb22d0b32db4b672a62c15a549fa7ae33fa6075ec99a6e3d06299908b8930a6d68a4a0d1195bacded7085776b2fc26c

Download Submit
C:\Windows\{69F849CB-8653-4d15-993E-28E8ABC7A627}.exe
Filesize
180KB

MD5
59e95011e86aa30f4d35efaeb266e6f7

SHA1
a37ccb5e046fc9cac5a6a0d94271e234c35f2e26

SHA256
0157ad5c059cff0e38079cefdc524112923f85705c21b7958ea23cacda44e0e4

SHA512
c27fbc679b41f36f78722143a02ef0cfe5ecab6b5fc0dc28a75cffa1a8414bb0ee38fe87ab0e71eafd279b78ed72307aee4ca058792804afefb94fccbf31fc2d

Download Submit
C:\Windows\{7E2B566D-6D39-4f80-9468-3A4FF439D59D}.exe
Filesize
180KB

MD5
bd157b9f0f30ebd84e49a003a63f78b4

SHA1
ccd7109424dd4d12b225a3db4d357a7e290f6a48

SHA256
4914ad0e1100996909540f34bc3cf168e589013a88060a926b747773fa3c174d

SHA512
e761091fdb21fbebdda64e8c0f2aff0ff1e9c30a21a76ebb5fa1830aec46659bc82a2796dd764cc4202be206765fdaa6b60c48e3a00beaaff5ab778bb9f1d4eb

Download Submit
C:\Windows\{9A96BC18-F492-42a5-B041-6DF4294A848E}.exe
Filesize
180KB

MD5
7b1069e47032bee4b1d36ab26f80448e

SHA1
e30125a7aebc5132bed2ceb175a4b4b827d67e15

SHA256
31934394201a8f4b54c5fa9d5fbecd89a87fec977b7d23d3038060a71e5bdc71

SHA512
08fab306a2c0b553bda735f4c5200cb3d48d22998174668dedb2d95f67f454b69ed5df63753ccad5d80a215cbb246b68ae3344195c4cc73e8b7080662a441911

Download Submit
C:\Windows\{AFA2E7C2-AFC6-4d89-9222-A5D791F51208}.exe
Filesize
180KB

MD5
c14f41d514c57c8fd3730209d4137d03

SHA1
4780203c45e262497e0d61fe97893ff07457c5f0

SHA256
c7bdf41a920119533e529ce5ee9726e920ca9114f66fffa32dc479b0c54d5e3b

SHA512
4d417251879a03e68e9cb517264b569efaf92f3018fe9235109493b6a1fdec7661a3ab50854bf9c259a1343041f640e4347994eee71fef8ecbf4525461de588d

Download Submit
C:\Windows\{F49C63A7-54CB-4870-A58E-DE848CD62433}.exe
Filesize
180KB

MD5
0c18a047f5d99124b581ddfb844247e0

SHA1
22e31c084201c38fd3f8ad8b66ffd6b1a8dfcdcd

SHA256
07593b58e76e175a9a95a5883c7da499c19152b8b46490878a90161c176527ab

SHA512
bb13b3eb8115944d6be1d4fad181045025a0239c9263a6c09a1b3a81970095ebf3898b7fd95c47c10ba7725a75c20f28551471dcd5a0a3d42f9eeb5c7a82a019

Download Submit
C:\Windows\{F5790B43-72BF-4d51-82F9-BC3C3AEB06EB}.exe
Filesize
180KB

MD5
61fdc7bb012ed48763e4e130aaa01c58

SHA1
3675f08954760938f85f82b27a2f4b3afc79f2b9

SHA256
6e12b32e52e39c40f82cc301bfe3da25d939a2266f8a170372783e1e552d75cb

SHA512
1d8cd7709549625b43a4960b346b1992b30a4cfbe4cb085a864333e40789bd6959bea698766d9f2057d7e0a6c82732fd85682f14b60fa34e4e9d9341eddcc10a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads