c3c6345d545936a6460815736759b3f43a982d81985d308d6fc63eeaaa3ab31f

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe
Size

180KB
MD5

898876907ed8171c2a473416b4af813b
SHA1

d195dd96fc1d9c5300e2406a63d3279792244e8f
SHA256

c3c6345d545936a6460815736759b3f43a982d81985d308d6fc63eeaaa3ab31f
SHA512

9d94c86ec140f1a4eca8a5e908ac3bbfffa1a448588116f7582c9bbb00d1863ca0e01a6a67d474eb15ac0e697874692e4a7b3ed583c5aa06540127f6cb1b2375
SSDEEP

3072:jEGh0oalfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGYl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{228487DE-852B-4d59-9955-90DC086D15FF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3C410CC8-7911-4118-A53F-897523F71822}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D5C6390D-529F-4e75-9A54-E747D93444EE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C5FB4253-B482-4366-9B2E-993915FAA7B9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0C645740-C705-4c3e-900C-97F2967BEB6B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe{228487DE-852B-4d59-9955-90DC086D15FF}.exe{3C410CC8-7911-4118-A53F-897523F71822}.exe{D5C6390D-529F-4e75-9A54-E747D93444EE}.exe{C5FB4253-B482-4366-9B2E-993915FAA7B9}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5C6390D-529F-4e75-9A54-E747D93444EE}	{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}\stubpath = "C:\\Windows\\{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe"	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43202583-AE3D-46a8-905E-20D28C7F36E8}	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}\stubpath = "C:\\Windows\\{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe"	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C410CC8-7911-4118-A53F-897523F71822}\stubpath = "C:\\Windows\\{3C410CC8-7911-4118-A53F-897523F71822}.exe"	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1B290AB-B8C7-44d2-86C5-9177CD58582D}	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228487DE-852B-4d59-9955-90DC086D15FF}	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAB72FA6-FB17-4a5d-936D-D52992655EDC}	{228487DE-852B-4d59-9955-90DC086D15FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED81E430-18BA-446e-86D3-AF79C4AE4A52}	{3C410CC8-7911-4118-A53F-897523F71822}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5FB4253-B482-4366-9B2E-993915FAA7B9}\stubpath = "C:\\Windows\\{C5FB4253-B482-4366-9B2E-993915FAA7B9}.exe"	{D5C6390D-529F-4e75-9A54-E747D93444EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C645740-C705-4c3e-900C-97F2967BEB6B}	{C5FB4253-B482-4366-9B2E-993915FAA7B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1B290AB-B8C7-44d2-86C5-9177CD58582D}\stubpath = "C:\\Windows\\{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe"	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5FB4253-B482-4366-9B2E-993915FAA7B9}	{D5C6390D-529F-4e75-9A54-E747D93444EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C645740-C705-4c3e-900C-97F2967BEB6B}\stubpath = "C:\\Windows\\{0C645740-C705-4c3e-900C-97F2967BEB6B}.exe"	{C5FB4253-B482-4366-9B2E-993915FAA7B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228487DE-852B-4d59-9955-90DC086D15FF}\stubpath = "C:\\Windows\\{228487DE-852B-4d59-9955-90DC086D15FF}.exe"	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAB72FA6-FB17-4a5d-936D-D52992655EDC}\stubpath = "C:\\Windows\\{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe"	{228487DE-852B-4d59-9955-90DC086D15FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C410CC8-7911-4118-A53F-897523F71822}	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43202583-AE3D-46a8-905E-20D28C7F36E8}\stubpath = "C:\\Windows\\{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe"	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED81E430-18BA-446e-86D3-AF79C4AE4A52}\stubpath = "C:\\Windows\\{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe"	{3C410CC8-7911-4118-A53F-897523F71822}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5C6390D-529F-4e75-9A54-E747D93444EE}\stubpath = "C:\\Windows\\{D5C6390D-529F-4e75-9A54-E747D93444EE}.exe"	{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe

Executes dropped EXE 11 IoCs

Processes:

{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe{228487DE-852B-4d59-9955-90DC086D15FF}.exe{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe{3C410CC8-7911-4118-A53F-897523F71822}.exe{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe{D5C6390D-529F-4e75-9A54-E747D93444EE}.exe{C5FB4253-B482-4366-9B2E-993915FAA7B9}.exe{0C645740-C705-4c3e-900C-97F2967BEB6B}.exe

pid	process
2664	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe
2012	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe
2560	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe
2832	{228487DE-852B-4d59-9955-90DC086D15FF}.exe
2908	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe
2424	{3C410CC8-7911-4118-A53F-897523F71822}.exe
268	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe
572	{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe
2416	{D5C6390D-529F-4e75-9A54-E747D93444EE}.exe
2256	{C5FB4253-B482-4366-9B2E-993915FAA7B9}.exe
1732	{0C645740-C705-4c3e-900C-97F2967BEB6B}.exe

Drops file in Windows directory 11 IoCs

Processes:

{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe{C5FB4253-B482-4366-9B2E-993915FAA7B9}.exe{228487DE-852B-4d59-9955-90DC086D15FF}.exe{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe{3C410CC8-7911-4118-A53F-897523F71822}.exe{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe{D5C6390D-529F-4e75-9A54-E747D93444EE}.exe

description	ioc	process
File created	C:\Windows\{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe
File created	C:\Windows\{0C645740-C705-4c3e-900C-97F2967BEB6B}.exe	{C5FB4253-B482-4366-9B2E-993915FAA7B9}.exe
File created	C:\Windows\{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe	{228487DE-852B-4d59-9955-90DC086D15FF}.exe
File created	C:\Windows\{3C410CC8-7911-4118-A53F-897523F71822}.exe	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe
File created	C:\Windows\{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe	{3C410CC8-7911-4118-A53F-897523F71822}.exe
File created	C:\Windows\{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe
File created	C:\Windows\{D5C6390D-529F-4e75-9A54-E747D93444EE}.exe	{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe
File created	C:\Windows\{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe
File created	C:\Windows\{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe
File created	C:\Windows\{228487DE-852B-4d59-9955-90DC086D15FF}.exe	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe
File created	C:\Windows\{C5FB4253-B482-4366-9B2E-993915FAA7B9}.exe	{D5C6390D-529F-4e75-9A54-E747D93444EE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe{228487DE-852B-4d59-9955-90DC086D15FF}.exe{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe{3C410CC8-7911-4118-A53F-897523F71822}.exe{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe{D5C6390D-529F-4e75-9A54-E747D93444EE}.exe{C5FB4253-B482-4366-9B2E-993915FAA7B9}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1444	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2664	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe
Token: SeIncBasePriorityPrivilege	2012	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe
Token: SeIncBasePriorityPrivilege	2560	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe
Token: SeIncBasePriorityPrivilege	2832	{228487DE-852B-4d59-9955-90DC086D15FF}.exe
Token: SeIncBasePriorityPrivilege	2908	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe
Token: SeIncBasePriorityPrivilege	2424	{3C410CC8-7911-4118-A53F-897523F71822}.exe
Token: SeIncBasePriorityPrivilege	268	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe
Token: SeIncBasePriorityPrivilege	572	{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe
Token: SeIncBasePriorityPrivilege	2416	{D5C6390D-529F-4e75-9A54-E747D93444EE}.exe
Token: SeIncBasePriorityPrivilege	2256	{C5FB4253-B482-4366-9B2E-993915FAA7B9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1444 wrote to memory of 2664	1444	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe
PID 1444 wrote to memory of 2664	1444	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe
PID 1444 wrote to memory of 2664	1444	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe
PID 1444 wrote to memory of 2664	1444	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe
PID 1444 wrote to memory of 2772	1444	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe	cmd.exe
PID 1444 wrote to memory of 2772	1444	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe	cmd.exe
PID 1444 wrote to memory of 2772	1444	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe	cmd.exe
PID 1444 wrote to memory of 2772	1444	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe	cmd.exe
PID 2664 wrote to memory of 2012	2664	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe
PID 2664 wrote to memory of 2012	2664	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe
PID 2664 wrote to memory of 2012	2664	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe
PID 2664 wrote to memory of 2012	2664	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe
PID 2664 wrote to memory of 2784	2664	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe	cmd.exe
PID 2664 wrote to memory of 2784	2664	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe	cmd.exe
PID 2664 wrote to memory of 2784	2664	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe	cmd.exe
PID 2664 wrote to memory of 2784	2664	{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe	cmd.exe
PID 2012 wrote to memory of 2560	2012	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe
PID 2012 wrote to memory of 2560	2012	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe
PID 2012 wrote to memory of 2560	2012	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe
PID 2012 wrote to memory of 2560	2012	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe
PID 2012 wrote to memory of 2508	2012	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe	cmd.exe
PID 2012 wrote to memory of 2508	2012	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe	cmd.exe
PID 2012 wrote to memory of 2508	2012	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe	cmd.exe
PID 2012 wrote to memory of 2508	2012	{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe	cmd.exe
PID 2560 wrote to memory of 2832	2560	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe	{228487DE-852B-4d59-9955-90DC086D15FF}.exe
PID 2560 wrote to memory of 2832	2560	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe	{228487DE-852B-4d59-9955-90DC086D15FF}.exe
PID 2560 wrote to memory of 2832	2560	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe	{228487DE-852B-4d59-9955-90DC086D15FF}.exe
PID 2560 wrote to memory of 2832	2560	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe	{228487DE-852B-4d59-9955-90DC086D15FF}.exe
PID 2560 wrote to memory of 2700	2560	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe	cmd.exe
PID 2560 wrote to memory of 2700	2560	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe	cmd.exe
PID 2560 wrote to memory of 2700	2560	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe	cmd.exe
PID 2560 wrote to memory of 2700	2560	{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe	cmd.exe
PID 2832 wrote to memory of 2908	2832	{228487DE-852B-4d59-9955-90DC086D15FF}.exe	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe
PID 2832 wrote to memory of 2908	2832	{228487DE-852B-4d59-9955-90DC086D15FF}.exe	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe
PID 2832 wrote to memory of 2908	2832	{228487DE-852B-4d59-9955-90DC086D15FF}.exe	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe
PID 2832 wrote to memory of 2908	2832	{228487DE-852B-4d59-9955-90DC086D15FF}.exe	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe
PID 2832 wrote to memory of 1356	2832	{228487DE-852B-4d59-9955-90DC086D15FF}.exe	cmd.exe
PID 2832 wrote to memory of 1356	2832	{228487DE-852B-4d59-9955-90DC086D15FF}.exe	cmd.exe
PID 2832 wrote to memory of 1356	2832	{228487DE-852B-4d59-9955-90DC086D15FF}.exe	cmd.exe
PID 2832 wrote to memory of 1356	2832	{228487DE-852B-4d59-9955-90DC086D15FF}.exe	cmd.exe
PID 2908 wrote to memory of 2424	2908	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe	{3C410CC8-7911-4118-A53F-897523F71822}.exe
PID 2908 wrote to memory of 2424	2908	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe	{3C410CC8-7911-4118-A53F-897523F71822}.exe
PID 2908 wrote to memory of 2424	2908	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe	{3C410CC8-7911-4118-A53F-897523F71822}.exe
PID 2908 wrote to memory of 2424	2908	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe	{3C410CC8-7911-4118-A53F-897523F71822}.exe
PID 2908 wrote to memory of 2428	2908	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe	cmd.exe
PID 2908 wrote to memory of 2428	2908	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe	cmd.exe
PID 2908 wrote to memory of 2428	2908	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe	cmd.exe
PID 2908 wrote to memory of 2428	2908	{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe	cmd.exe
PID 2424 wrote to memory of 268	2424	{3C410CC8-7911-4118-A53F-897523F71822}.exe	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe
PID 2424 wrote to memory of 268	2424	{3C410CC8-7911-4118-A53F-897523F71822}.exe	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe
PID 2424 wrote to memory of 268	2424	{3C410CC8-7911-4118-A53F-897523F71822}.exe	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe
PID 2424 wrote to memory of 268	2424	{3C410CC8-7911-4118-A53F-897523F71822}.exe	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe
PID 2424 wrote to memory of 296	2424	{3C410CC8-7911-4118-A53F-897523F71822}.exe	cmd.exe
PID 2424 wrote to memory of 296	2424	{3C410CC8-7911-4118-A53F-897523F71822}.exe	cmd.exe
PID 2424 wrote to memory of 296	2424	{3C410CC8-7911-4118-A53F-897523F71822}.exe	cmd.exe
PID 2424 wrote to memory of 296	2424	{3C410CC8-7911-4118-A53F-897523F71822}.exe	cmd.exe
PID 268 wrote to memory of 572	268	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe	{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe
PID 268 wrote to memory of 572	268	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe	{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe
PID 268 wrote to memory of 572	268	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe	{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe
PID 268 wrote to memory of 572	268	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe	{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe
PID 268 wrote to memory of 940	268	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe	cmd.exe
PID 268 wrote to memory of 940	268	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe	cmd.exe
PID 268 wrote to memory of 940	268	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe	cmd.exe
PID 268 wrote to memory of 940	268	{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe
C:\Windows\{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe
C:\Windows\{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe
C:\Windows\{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{23F86~1.EXE > nul
5⤵
PID:2700

C:\Windows\{228487DE-852B-4d59-9955-90DC086D15FF}.exe
C:\Windows\{228487DE-852B-4d59-9955-90DC086D15FF}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe
C:\Windows\{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\{3C410CC8-7911-4118-A53F-897523F71822}.exe
C:\Windows\{3C410CC8-7911-4118-A53F-897523F71822}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe
C:\Windows\{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe
C:\Windows\{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\{D5C6390D-529F-4e75-9A54-E747D93444EE}.exe
C:\Windows\{D5C6390D-529F-4e75-9A54-E747D93444EE}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\{C5FB4253-B482-4366-9B2E-993915FAA7B9}.exe
C:\Windows\{C5FB4253-B482-4366-9B2E-993915FAA7B9}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\{0C645740-C705-4c3e-900C-97F2967BEB6B}.exe
C:\Windows\{0C645740-C705-4c3e-900C-97F2967BEB6B}.exe
12⤵
- Executes dropped EXE
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C5FB4~1.EXE > nul
12⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D5C63~1.EXE > nul
11⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D1B29~1.EXE > nul
10⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{ED81E~1.EXE > nul
9⤵
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3C410~1.EXE > nul
8⤵
PID:296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AAB72~1.EXE > nul
7⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{22848~1.EXE > nul
6⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{43202~1.EXE > nul
4⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CBDF3~1.EXE > nul
3⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2772

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C645740-C705-4c3e-900C-97F2967BEB6B}.exe
Filesize
180KB

MD5
0cd45151f7dd024b5a478ae9ba602f88

SHA1
0720d9f549175cf8cde55b2b50200ffd942c8f39

SHA256
f25409b98e5078aceaccedcc97716f2f21e428f93b426db0b7fb0ee0f6d43715

SHA512
052304eb5baa3f6b56e57b4ececff00c176d518d6c2e28ac84e4e7926d6defdcd858470e57ed5742ed77248dcd4d994310939ce299d13a526a3cf0fe4842e2e7

Download Submit
C:\Windows\{228487DE-852B-4d59-9955-90DC086D15FF}.exe
Filesize
180KB

MD5
71a54e00e1dd3f0b3b1cd3dd55c4d79d

SHA1
0db6713d420ece93fa5480c6e6616cac6755252d

SHA256
2d17025513f415640983d0c7c4ab3389644bfb3167c6a913d91b9d07916aaaca

SHA512
e5f098f684ee0e7b2182a564939b76410b6ce29f8bcc8499dc1af63208ae090c5ba95004b38222c15ca394544c0f39f2fbfa3215b1d1a79af4364aba80999cf7

Download Submit
C:\Windows\{23F86B2C-CE7A-41eb-A5E1-F6C21B030549}.exe
Filesize
180KB

MD5
36e42fc412b7b52b485892be1e1a6198

SHA1
d3d11f47e4aa41a140fca2e81518fb9896c0f51f

SHA256
5f79a9086fd294c5f8c0a04a47c31c5f3dfa360851db298bb994c24df3c5155e

SHA512
88b3514b84b1e0e1c1eed80d61898df8ebefa9b7404bf1ed245539507931f07cdec9f366d9862875060d192610eefcc1731a789278eee423900da40a0eb0df69

Download Submit
C:\Windows\{3C410CC8-7911-4118-A53F-897523F71822}.exe
Filesize
180KB

MD5
9ca3605cd40efb6eb1615dc7c4aaa25e

SHA1
a8c8d0af902d19ab4a00e4e795387267a8bbefab

SHA256
158ea8b426d4dc4848f03c325ed09ad2484e5c388e5b6ab1e002fa7be48be0f8

SHA512
859a03a2b44b0d4887fa7d593f501fbee328627497c459bf2b1bbc265dc1ccaa53075a10c5834380fac1b084887d214e635f8cb53679b0d22d0b3ea453526f12

Download Submit
C:\Windows\{43202583-AE3D-46a8-905E-20D28C7F36E8}.exe
Filesize
180KB

MD5
fe8634410ece3890601d1473a526db6e

SHA1
57a8cbc62171724408d8bc48878d46b590a54022

SHA256
832d1680f75cec83989b9e21bd84f6f2d0d1450b1cfe9e50cec326e1e29c196d

SHA512
ad25efdd48303660dde05afef61c22985bff42df90b929748238e844efc0b86e4b2853aa76be38c53ba9df012331dd7f888051ab69062dfbe397371e748a8c65

Download Submit
C:\Windows\{AAB72FA6-FB17-4a5d-936D-D52992655EDC}.exe
Filesize
180KB

MD5
06ad64f4f320d51c7c8dfbaacf1646f8

SHA1
6ca73462f2bd2ee9d634f17397eefc13238f3b33

SHA256
bad6116afd1a6415580d6cafaafbaa3d14fcc0547c54c13a464d6d6d8703cd6e

SHA512
a7e66c2006bc3286315e9f7288bf6abbc4a89d680d4947396f095e365c6231c6c8af6d6f2c292ed69fc7c698341b2af0b94d673baa437a7dd9a7a5a96e70ab8d

Download Submit
C:\Windows\{C5FB4253-B482-4366-9B2E-993915FAA7B9}.exe
Filesize
180KB

MD5
2067fc7a2b217dbc3533634b712d7631

SHA1
c9a198b50a35a91cc14fffe536ff8f2518b10402

SHA256
801dca1fd0e1a5c5f442f09f5f870d1c97bf24531f52bb45167de8abbdfeee90

SHA512
885899c06f3f2997ee66accd566a9d4084c5e6a06bd0aa742ee9dec847304be02fe8067c15ee29e6ca18ec79e2822c9a4227879c7afb91b835ae0a7f2cd797ac

Download Submit
C:\Windows\{CBDF35AC-B27D-48dd-889F-7FAC8FD9843C}.exe
Filesize
180KB

MD5
6c2cc8bec8bf03b1ef64d3b1c7059b93

SHA1
1a185479427933c674d9939d0c509321fa69cca2

SHA256
33470794fbd75e36188ece55e8626dba95e5395cb27987436cad2539ddb00bae

SHA512
bcc67fbe246d5e583a7381b282cfcce62ee16fca37c5e60ea3736a24794d10d6f3e2f4ada30fea598e0de28b3a54e794359b37bcf8198f7cafd94b18ebbb7542

Download Submit
C:\Windows\{D1B290AB-B8C7-44d2-86C5-9177CD58582D}.exe
Filesize
180KB

MD5
e13ff5e06177be23381d2f3c325f0f47

SHA1
fe9d805a61aef817cd74dbf4c024ba694ea37558

SHA256
3ebeb571f08e4d5766da2d4998abb13f073d57b584343b72fe037ecfafc72035

SHA512
1b8ea082268af1ac1f88fd6a0e6f12fe938a01ea36bc3ed28f6ef127e73de52bfe4d7a764a0df643d89f7e0916e7046b1fb524d1bec77f42032986dc794c0e47

Download Submit
C:\Windows\{D5C6390D-529F-4e75-9A54-E747D93444EE}.exe
Filesize
180KB

MD5
546750aa8277e71edb64e184c9205b82

SHA1
ae32a0c910a5ed4156a3c0207d4c6584ebb9fae3

SHA256
cb0bb01d86ac428a4cf4e429ffbebf5adb9ff6dbd0ca73059d12311fe69bebd3

SHA512
6c99d9044156f0e2363fb1c05297a836ff7c7f811d0ef445aea1d95ffa622f826c306804401ee859298a6c27465adf2b14e79c45652fb0c11a2195c73eb0a83d

Download Submit
C:\Windows\{ED81E430-18BA-446e-86D3-AF79C4AE4A52}.exe
Filesize
180KB

MD5
09e9e9562dbb3aa4760c4ad4dff30054

SHA1
5718834d0adaa4d22a9a328ca0f8b7bc697da521

SHA256
8ea3ba95e0ed14e1edc721a3f7210416cdf56e14429b5b4b9affc9ceea190860

SHA512
30514dfcb2671359b9f72f98e24eeb9a1478fd5e05fe5f5f5922226f44dfdc04a5713340b4520e1c098c4d34f8053cb6f92a2b2688f4cbc62b7c3a334e1b910e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads