966908d184f13c088bbdafeb766444e758b4a60c572b15186e899eb3ac52945a

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe
Size

204KB
MD5

8b1cd4edb2a6b8728a45fa10ded9d24e
SHA1

2aeef12350a2263d8284b671d8875b538b523037
SHA256

966908d184f13c088bbdafeb766444e758b4a60c572b15186e899eb3ac52945a
SHA512

3ac11c8d8908acc6a3feb29cad81a7c12c7eeb46546bdde9bad5c48ebd6eb1037a67771fbf72474630eace05531e0ec576e5d46ca8142ec53e957b26d821c6f2
SSDEEP

1536:1EGh0oVl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oVl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C1D83F5F-DE8F-4305-ABCE-054547C57876}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C843C440-8DCB-4d93-A533-2AF9326EA0F4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe{C1D83F5F-DE8F-4305-ABCE-054547C57876}.exe2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}\stubpath = "C:\\Windows\\{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe"	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E485F35E-55A1-4449-9782-A099DFB9E59C}	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}\stubpath = "C:\\Windows\\{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe"	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{950E7DD7-D0AE-4251-88E6-9B114478CE24}	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB6D0ACA-A04A-4efa-83B3-359F45174A97}	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C843C440-8DCB-4d93-A533-2AF9326EA0F4}	{C1D83F5F-DE8F-4305-ABCE-054547C57876}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}\stubpath = "C:\\Windows\\{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe"	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C843C440-8DCB-4d93-A533-2AF9326EA0F4}\stubpath = "C:\\Windows\\{C843C440-8DCB-4d93-A533-2AF9326EA0F4}.exe"	{C1D83F5F-DE8F-4305-ABCE-054547C57876}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF1088BF-A87D-48e3-9848-A56AA1BD6018}	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}\stubpath = "C:\\Windows\\{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe"	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E485F35E-55A1-4449-9782-A099DFB9E59C}\stubpath = "C:\\Windows\\{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe"	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB6D0ACA-A04A-4efa-83B3-359F45174A97}\stubpath = "C:\\Windows\\{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe"	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}	{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}\stubpath = "C:\\Windows\\{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}.exe"	{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1D83F5F-DE8F-4305-ABCE-054547C57876}\stubpath = "C:\\Windows\\{C1D83F5F-DE8F-4305-ABCE-054547C57876}.exe"	{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1D83F5F-DE8F-4305-ABCE-054547C57876}	{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF1088BF-A87D-48e3-9848-A56AA1BD6018}\stubpath = "C:\\Windows\\{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe"	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{950E7DD7-D0AE-4251-88E6-9B114478CE24}\stubpath = "C:\\Windows\\{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe"	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2836 cmd.exe

pid	process
2836	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}.exe{C1D83F5F-DE8F-4305-ABCE-054547C57876}.exe{C843C440-8DCB-4d93-A533-2AF9326EA0F4}.exe

pid	process
2016	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe
2796	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe
3024	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe
2144	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe
580	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe
1640	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe
1968	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe
2184	{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe
1196	{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}.exe
2668	{C1D83F5F-DE8F-4305-ABCE-054547C57876}.exe
2100	{C843C440-8DCB-4d93-A533-2AF9326EA0F4}.exe

Drops file in Windows directory 11 IoCs

Processes:

{C1D83F5F-DE8F-4305-ABCE-054547C57876}.exe2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}.exe{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe

description	ioc	process
File created	C:\Windows\{C843C440-8DCB-4d93-A533-2AF9326EA0F4}.exe	{C1D83F5F-DE8F-4305-ABCE-054547C57876}.exe
File created	C:\Windows\{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe
File created	C:\Windows\{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe
File created	C:\Windows\{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe
File created	C:\Windows\{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe
File created	C:\Windows\{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}.exe	{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe
File created	C:\Windows\{C1D83F5F-DE8F-4305-ABCE-054547C57876}.exe	{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}.exe
File created	C:\Windows\{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe
File created	C:\Windows\{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe
File created	C:\Windows\{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe
File created	C:\Windows\{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}.exe{C1D83F5F-DE8F-4305-ABCE-054547C57876}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1936	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2016	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe
Token: SeIncBasePriorityPrivilege	2796	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe
Token: SeIncBasePriorityPrivilege	3024	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe
Token: SeIncBasePriorityPrivilege	2144	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe
Token: SeIncBasePriorityPrivilege	580	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe
Token: SeIncBasePriorityPrivilege	1640	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe
Token: SeIncBasePriorityPrivilege	1968	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe
Token: SeIncBasePriorityPrivilege	2184	{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe
Token: SeIncBasePriorityPrivilege	1196	{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}.exe
Token: SeIncBasePriorityPrivilege	2668	{C1D83F5F-DE8F-4305-ABCE-054547C57876}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1936 wrote to memory of 2016	1936	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe
PID 1936 wrote to memory of 2016	1936	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe
PID 1936 wrote to memory of 2016	1936	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe
PID 1936 wrote to memory of 2016	1936	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe
PID 1936 wrote to memory of 2836	1936	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe	cmd.exe
PID 1936 wrote to memory of 2836	1936	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe	cmd.exe
PID 1936 wrote to memory of 2836	1936	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe	cmd.exe
PID 1936 wrote to memory of 2836	1936	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe	cmd.exe
PID 2016 wrote to memory of 2796	2016	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe
PID 2016 wrote to memory of 2796	2016	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe
PID 2016 wrote to memory of 2796	2016	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe
PID 2016 wrote to memory of 2796	2016	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe
PID 2016 wrote to memory of 2380	2016	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe	cmd.exe
PID 2016 wrote to memory of 2380	2016	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe	cmd.exe
PID 2016 wrote to memory of 2380	2016	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe	cmd.exe
PID 2016 wrote to memory of 2380	2016	{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe	cmd.exe
PID 2796 wrote to memory of 3024	2796	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe
PID 2796 wrote to memory of 3024	2796	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe
PID 2796 wrote to memory of 3024	2796	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe
PID 2796 wrote to memory of 3024	2796	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe
PID 2796 wrote to memory of 2236	2796	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe	cmd.exe
PID 2796 wrote to memory of 2236	2796	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe	cmd.exe
PID 2796 wrote to memory of 2236	2796	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe	cmd.exe
PID 2796 wrote to memory of 2236	2796	{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe	cmd.exe
PID 3024 wrote to memory of 2144	3024	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe
PID 3024 wrote to memory of 2144	3024	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe
PID 3024 wrote to memory of 2144	3024	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe
PID 3024 wrote to memory of 2144	3024	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe
PID 3024 wrote to memory of 1048	3024	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe	cmd.exe
PID 3024 wrote to memory of 1048	3024	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe	cmd.exe
PID 3024 wrote to memory of 1048	3024	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe	cmd.exe
PID 3024 wrote to memory of 1048	3024	{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe	cmd.exe
PID 2144 wrote to memory of 580	2144	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe
PID 2144 wrote to memory of 580	2144	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe
PID 2144 wrote to memory of 580	2144	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe
PID 2144 wrote to memory of 580	2144	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe
PID 2144 wrote to memory of 560	2144	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe	cmd.exe
PID 2144 wrote to memory of 560	2144	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe	cmd.exe
PID 2144 wrote to memory of 560	2144	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe	cmd.exe
PID 2144 wrote to memory of 560	2144	{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe	cmd.exe
PID 580 wrote to memory of 1640	580	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe
PID 580 wrote to memory of 1640	580	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe
PID 580 wrote to memory of 1640	580	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe
PID 580 wrote to memory of 1640	580	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe
PID 580 wrote to memory of 1788	580	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe	cmd.exe
PID 580 wrote to memory of 1788	580	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe	cmd.exe
PID 580 wrote to memory of 1788	580	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe	cmd.exe
PID 580 wrote to memory of 1788	580	{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe	cmd.exe
PID 1640 wrote to memory of 1968	1640	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe
PID 1640 wrote to memory of 1968	1640	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe
PID 1640 wrote to memory of 1968	1640	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe
PID 1640 wrote to memory of 1968	1640	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe
PID 1640 wrote to memory of 2200	1640	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe	cmd.exe
PID 1640 wrote to memory of 2200	1640	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe	cmd.exe
PID 1640 wrote to memory of 2200	1640	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe	cmd.exe
PID 1640 wrote to memory of 2200	1640	{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe	cmd.exe
PID 1968 wrote to memory of 2184	1968	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe	{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe
PID 1968 wrote to memory of 2184	1968	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe	{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe
PID 1968 wrote to memory of 2184	1968	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe	{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe
PID 1968 wrote to memory of 2184	1968	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe	{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe
PID 1968 wrote to memory of 2180	1968	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe	cmd.exe
PID 1968 wrote to memory of 2180	1968	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe	cmd.exe
PID 1968 wrote to memory of 2180	1968	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe	cmd.exe
PID 1968 wrote to memory of 2180	1968	{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe
C:\Windows\{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe
C:\Windows\{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe
C:\Windows\{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe
C:\Windows\{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe
C:\Windows\{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe
C:\Windows\{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe
C:\Windows\{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe
C:\Windows\{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}.exe
C:\Windows\{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\{C1D83F5F-DE8F-4305-ABCE-054547C57876}.exe
C:\Windows\{C1D83F5F-DE8F-4305-ABCE-054547C57876}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\{C843C440-8DCB-4d93-A533-2AF9326EA0F4}.exe
C:\Windows\{C843C440-8DCB-4d93-A533-2AF9326EA0F4}.exe
12⤵
- Executes dropped EXE
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C1D83~1.EXE > nul
12⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6CFA4~1.EXE > nul
11⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CB6D0~1.EXE > nul
10⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{950E7~1.EXE > nul
9⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{49C9B~1.EXE > nul
8⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E485F~1.EXE > nul
7⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A6A0C~1.EXE > nul
6⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BF108~1.EXE > nul
5⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{962DD~1.EXE > nul
4⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FAB20~1.EXE > nul
3⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2836

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{49C9BF52-F28A-4fc9-9CA1-0B069822D8F0}.exe
Filesize
204KB

MD5
ea86d999a71f000dd3ee0342d7a97895

SHA1
425c2003268bb8df01cd1f97357c8864de16081d

SHA256
f6dd2bffa18cb08e9b1d89e94c7a6906fcbf27a768ac641b44c3f44f8fb6af35

SHA512
6c566164f8b806784303f1025b0a27e47577127ce0c14760d22e3a5b6cf9be9cfe7afe6d737b6a52da54471572ba3a5d3947bc8abfa21d9833df0f38a4d51ee5

Download Submit
C:\Windows\{6CFA4823-AF1E-4bbe-8D17-37BAAA58440B}.exe
Filesize
204KB

MD5
ae49815b80eedf79762da33e180c100f

SHA1
a7805e3ca085d3aaa2083ad14134d51d598d7c0a

SHA256
b4cfce4db24ceff2d310293bc6096a644ae2e51ba46280911129c03c96710e65

SHA512
daca708d5e22fbaa5b25ced0e79a6b638db616cdee813d479ad2ded5ce2e85f8b334c533414baf75f6caaaeb494eb3b85329051e74a065989b0e1a9bde0462e6

Download Submit
C:\Windows\{950E7DD7-D0AE-4251-88E6-9B114478CE24}.exe
Filesize
204KB

MD5
919bbbcd1896d90588e1f36f9d4f2e26

SHA1
00541f3f56e41433e5b713574d776986b5fc1b01

SHA256
ba5ec6a70dacc9681326044747b7567fa9dab87432e153074273469ba0b4ce2c

SHA512
11824aa93ca442f0cc4912fdbf863db4eae3670e48be0d05b1ff6dfc15e05a987e82cf3b17ad4fabcbaaba078ec3171e464b3cedddd6d5c4fe46669c53284244

Download Submit
C:\Windows\{962DD9E2-5EDC-4ddd-BE8D-802814BD50B9}.exe
Filesize
204KB

MD5
2d85ab5e5cd080793caee1fb04296cff

SHA1
2ab7dac376c7060f01eff58de6cfd19b5049b436

SHA256
65ac81cd056515832a60952268c3fc7a3fb84a4d10ce2464143c5320ba104a96

SHA512
d82f6e45e58bbcc098e8af7a80f1018495a873e802117bf859bf794b4c1775fd632d226a6007baab28ec4d6cfe0ad49a72a6b1a66c208f6e79a1a8d1bc9cf78b

Download Submit
C:\Windows\{A6A0C987-FE64-461a-BFEA-FCCCC57DA401}.exe
Filesize
204KB

MD5
0c5d82b75c4aca8d47db560396aa79c2

SHA1
4526c17ddcf888b0af2f357ac597cfa3286f56b2

SHA256
1ed817790e64dc8c0207ab1993f1de4d8ac9e2bbf725123d5153d2998e4e64c4

SHA512
5bcde7a1bce1247cd7dbee9d1bce3a06ad73645e0ea52bfe7a949a02d82b0f08c86bcf35d6a4a05316277f05df751c21cf65d1abf7c849cbe7f6534d4fd12cbf

Download Submit
C:\Windows\{BF1088BF-A87D-48e3-9848-A56AA1BD6018}.exe
Filesize
204KB

MD5
31a683fbbc982af43224100fed275399

SHA1
f1a362d5f73e7d06b4d436ce45edf1201b7fb47a

SHA256
d72200db70bba75c1de3f36fa036d1500aad7536349c7807680a557588ddf6c3

SHA512
bc88831f285e467990f012e236fb23e922b391c53ec3b51fac0cea5858a9f7e93a8ff9cb11327b912bf49f20f2edf39aff531d18be9176ebfe894cfdcc90da1e

Download Submit
C:\Windows\{C1D83F5F-DE8F-4305-ABCE-054547C57876}.exe
Filesize
204KB

MD5
abb56000e3c7fe3475adacdfcd281360

SHA1
a0d313c956c164f5ce0e5efeb44626a58bc107ff

SHA256
edfb4a30181a550247ded2eae58edff98422492712da07f3ce1654b3003f1fa8

SHA512
198215fa943b431d15b286a23d78bd3fd49edae4a01c087cf28040272cc82f7e7c6fc031912d7b3744e904dfd9a5601e294e917c05bdaa2f244a110084186b27

Download Submit
C:\Windows\{C843C440-8DCB-4d93-A533-2AF9326EA0F4}.exe
Filesize
204KB

MD5
9060bbcb541d0d2fb0d790b1b6e5a673

SHA1
d2005c6f3721d8ba3edec0afe9580aaf535d7e1e

SHA256
ee9832c62f5814ed1024778b6c40f43df685bd6452a4f6871a3cf1cd2b766003

SHA512
0ea2e3b45c699a72c4b5eaa29a74d0c39b2b7fa284863ce6c396dd183aba36d0a67f086b07ea9f6ff17c61ddaf048a4242c8538f30a70abfc3d8354cc7a5d204

Download Submit
C:\Windows\{CB6D0ACA-A04A-4efa-83B3-359F45174A97}.exe
Filesize
204KB

MD5
2331a8b75104705ab4614ab14376727b

SHA1
fe319a4434c788f57f04c05eb9a5152d85161a7c

SHA256
8171ffccbecdd18770a0d7d8688f8b2ee912696155643da7ba9c033427a94a9a

SHA512
1870fdb3ec8a6b62f95051600a23f72001a84afe99184c811b70c9c1ff62ed13870866443cf7e1367889a7e464d384af61478fb005f11a1ee70218b51bd83b38

Download Submit
C:\Windows\{E485F35E-55A1-4449-9782-A099DFB9E59C}.exe
Filesize
204KB

MD5
05bb1b9b1d984021fb88582ee97646bb

SHA1
1689c9f14fd3fcbc170d720d22de633ea917a229

SHA256
4a8d4ec60754cb4c0363e9a5aa60cd6ac61ffe8aee147377cb86fc4caba303f5

SHA512
4a1a6ba64a3b883d81aeccb9ed28f44ebb1126f4931e964ff01b5dee4adf730c4eebb83f97b558f912519544d37f69f60a82875ce0581a4d685dbb8ee3da9ffb

Download Submit
C:\Windows\{FAB20AB8-D761-40dc-A7D6-1FA68400A35E}.exe
Filesize
204KB

MD5
3d714ca98a211bcff7302b0801ae2d41

SHA1
e8c01b4eaf5f933c1fabe0128799116dc20f32ae

SHA256
2a1a3dba00f60d3f02c3abda9a300eff376654d2b4ed63789f6ed1c84c2a9a43

SHA512
24bd2f8caba4d1b9316f88255a87a7ee71ba0416ec67506cf0cc9aae93d6f9192252790235e411608c29e5e030989f2b30663f88f9e0cd94e3ac0e9f02c0183e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads