2ca065cae559efd8a6299c4f445039f89c4634d3ed5ebe04b852dca766638d86

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe
Size

408KB
MD5

7df4b59046fdae4fcc69bdeb2e2e8c60
SHA1

5abc70556eacaf2444e7b4f5bf516f05dbe2befe
SHA256

2ca065cae559efd8a6299c4f445039f89c4634d3ed5ebe04b852dca766638d86
SHA512

09e656cc6c180d7ba28d6394f3a90443bbcab652c89cb2dae77ea90485cdc091451f4ffb62b93b01944aaa667806947b5c259679c79bf3cbcf0c8b1e8d90d72a
SSDEEP

3072:CEGh0oTl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGNldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9609074A-F921-4e38-B496-1FB55E52E732}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EEC0240E-5D40-43b0-8571-86963985FB26}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5DED850E-40D2-4df8-BF64-997D09F4AC48}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4236127B-9A4A-4433-8EFF-DB219DE34E03}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AAEEBB96-92AA-40ee-A2AE-B9F10E1E8A6D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe{9609074A-F921-4e38-B496-1FB55E52E732}.exe{5DED850E-40D2-4df8-BF64-997D09F4AC48}.exe{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe{EEC0240E-5D40-43b0-8571-86963985FB26}.exe{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe{4236127B-9A4A-4433-8EFF-DB219DE34E03}.exe2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}\stubpath = "C:\\Windows\\{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe"	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}	{9609074A-F921-4e38-B496-1FB55E52E732}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4236127B-9A4A-4433-8EFF-DB219DE34E03}	{5DED850E-40D2-4df8-BF64-997D09F4AC48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11BE78C-202C-4989-82FA-4F55A389F03E}	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11BE78C-202C-4989-82FA-4F55A389F03E}\stubpath = "C:\\Windows\\{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe"	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9609074A-F921-4e38-B496-1FB55E52E732}	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}\stubpath = "C:\\Windows\\{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe"	{9609074A-F921-4e38-B496-1FB55E52E732}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEC0240E-5D40-43b0-8571-86963985FB26}	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEC0240E-5D40-43b0-8571-86963985FB26}\stubpath = "C:\\Windows\\{EEC0240E-5D40-43b0-8571-86963985FB26}.exe"	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FB15D00-D7CE-47ef-8980-47BEA414E42C}	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAEEBB96-92AA-40ee-A2AE-B9F10E1E8A6D}	{4236127B-9A4A-4433-8EFF-DB219DE34E03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94FADBB1-806E-4193-9F6B-61C4F4B0A350}	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94FADBB1-806E-4193-9F6B-61C4F4B0A350}\stubpath = "C:\\Windows\\{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe"	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9609074A-F921-4e38-B496-1FB55E52E732}\stubpath = "C:\\Windows\\{9609074A-F921-4e38-B496-1FB55E52E732}.exe"	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FB15D00-D7CE-47ef-8980-47BEA414E42C}\stubpath = "C:\\Windows\\{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe"	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DED850E-40D2-4df8-BF64-997D09F4AC48}\stubpath = "C:\\Windows\\{5DED850E-40D2-4df8-BF64-997D09F4AC48}.exe"	{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}\stubpath = "C:\\Windows\\{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe"	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DED850E-40D2-4df8-BF64-997D09F4AC48}	{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4236127B-9A4A-4433-8EFF-DB219DE34E03}\stubpath = "C:\\Windows\\{4236127B-9A4A-4433-8EFF-DB219DE34E03}.exe"	{5DED850E-40D2-4df8-BF64-997D09F4AC48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAEEBB96-92AA-40ee-A2AE-B9F10E1E8A6D}\stubpath = "C:\\Windows\\{AAEEBB96-92AA-40ee-A2AE-B9F10E1E8A6D}.exe"	{4236127B-9A4A-4433-8EFF-DB219DE34E03}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2684 cmd.exe

pid	process
2684	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe{9609074A-F921-4e38-B496-1FB55E52E732}.exe{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe{EEC0240E-5D40-43b0-8571-86963985FB26}.exe{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe{5DED850E-40D2-4df8-BF64-997D09F4AC48}.exe{4236127B-9A4A-4433-8EFF-DB219DE34E03}.exe{AAEEBB96-92AA-40ee-A2AE-B9F10E1E8A6D}.exe

pid	process
2292	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe
1252	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe
2632	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe
324	{9609074A-F921-4e38-B496-1FB55E52E732}.exe
2792	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe
2168	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe
2296	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe
2400	{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe
1528	{5DED850E-40D2-4df8-BF64-997D09F4AC48}.exe
2736	{4236127B-9A4A-4433-8EFF-DB219DE34E03}.exe
2408	{AAEEBB96-92AA-40ee-A2AE-B9F10E1E8A6D}.exe

Drops file in Windows directory 11 IoCs

Processes:

{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe{9609074A-F921-4e38-B496-1FB55E52E732}.exe{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe{EEC0240E-5D40-43b0-8571-86963985FB26}.exe{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe{5DED850E-40D2-4df8-BF64-997D09F4AC48}.exe2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe{4236127B-9A4A-4433-8EFF-DB219DE34E03}.exe

description	ioc	process
File created	C:\Windows\{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe
File created	C:\Windows\{9609074A-F921-4e38-B496-1FB55E52E732}.exe	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe
File created	C:\Windows\{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe	{9609074A-F921-4e38-B496-1FB55E52E732}.exe
File created	C:\Windows\{EEC0240E-5D40-43b0-8571-86963985FB26}.exe	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe
File created	C:\Windows\{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe
File created	C:\Windows\{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe
File created	C:\Windows\{5DED850E-40D2-4df8-BF64-997D09F4AC48}.exe	{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe
File created	C:\Windows\{4236127B-9A4A-4433-8EFF-DB219DE34E03}.exe	{5DED850E-40D2-4df8-BF64-997D09F4AC48}.exe
File created	C:\Windows\{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe
File created	C:\Windows\{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe
File created	C:\Windows\{AAEEBB96-92AA-40ee-A2AE-B9F10E1E8A6D}.exe	{4236127B-9A4A-4433-8EFF-DB219DE34E03}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe{9609074A-F921-4e38-B496-1FB55E52E732}.exe{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe{EEC0240E-5D40-43b0-8571-86963985FB26}.exe{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe{5DED850E-40D2-4df8-BF64-997D09F4AC48}.exe{4236127B-9A4A-4433-8EFF-DB219DE34E03}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1700	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2292	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe
Token: SeIncBasePriorityPrivilege	1252	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe
Token: SeIncBasePriorityPrivilege	2632	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe
Token: SeIncBasePriorityPrivilege	324	{9609074A-F921-4e38-B496-1FB55E52E732}.exe
Token: SeIncBasePriorityPrivilege	2792	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe
Token: SeIncBasePriorityPrivilege	2168	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe
Token: SeIncBasePriorityPrivilege	2296	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe
Token: SeIncBasePriorityPrivilege	2400	{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe
Token: SeIncBasePriorityPrivilege	1528	{5DED850E-40D2-4df8-BF64-997D09F4AC48}.exe
Token: SeIncBasePriorityPrivilege	2736	{4236127B-9A4A-4433-8EFF-DB219DE34E03}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1700 wrote to memory of 2292	1700	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe
PID 1700 wrote to memory of 2292	1700	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe
PID 1700 wrote to memory of 2292	1700	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe
PID 1700 wrote to memory of 2292	1700	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe
PID 1700 wrote to memory of 2684	1700	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe	cmd.exe
PID 1700 wrote to memory of 2684	1700	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe	cmd.exe
PID 1700 wrote to memory of 2684	1700	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe	cmd.exe
PID 1700 wrote to memory of 2684	1700	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe	cmd.exe
PID 2292 wrote to memory of 1252	2292	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe
PID 2292 wrote to memory of 1252	2292	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe
PID 2292 wrote to memory of 1252	2292	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe
PID 2292 wrote to memory of 1252	2292	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe
PID 2292 wrote to memory of 2080	2292	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe	cmd.exe
PID 2292 wrote to memory of 2080	2292	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe	cmd.exe
PID 2292 wrote to memory of 2080	2292	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe	cmd.exe
PID 2292 wrote to memory of 2080	2292	{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe	cmd.exe
PID 1252 wrote to memory of 2632	1252	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe
PID 1252 wrote to memory of 2632	1252	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe
PID 1252 wrote to memory of 2632	1252	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe
PID 1252 wrote to memory of 2632	1252	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe
PID 1252 wrote to memory of 3012	1252	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe	cmd.exe
PID 1252 wrote to memory of 3012	1252	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe	cmd.exe
PID 1252 wrote to memory of 3012	1252	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe	cmd.exe
PID 1252 wrote to memory of 3012	1252	{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe	cmd.exe
PID 2632 wrote to memory of 324	2632	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe	{9609074A-F921-4e38-B496-1FB55E52E732}.exe
PID 2632 wrote to memory of 324	2632	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe	{9609074A-F921-4e38-B496-1FB55E52E732}.exe
PID 2632 wrote to memory of 324	2632	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe	{9609074A-F921-4e38-B496-1FB55E52E732}.exe
PID 2632 wrote to memory of 324	2632	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe	{9609074A-F921-4e38-B496-1FB55E52E732}.exe
PID 2632 wrote to memory of 976	2632	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe	cmd.exe
PID 2632 wrote to memory of 976	2632	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe	cmd.exe
PID 2632 wrote to memory of 976	2632	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe	cmd.exe
PID 2632 wrote to memory of 976	2632	{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe	cmd.exe
PID 324 wrote to memory of 2792	324	{9609074A-F921-4e38-B496-1FB55E52E732}.exe	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe
PID 324 wrote to memory of 2792	324	{9609074A-F921-4e38-B496-1FB55E52E732}.exe	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe
PID 324 wrote to memory of 2792	324	{9609074A-F921-4e38-B496-1FB55E52E732}.exe	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe
PID 324 wrote to memory of 2792	324	{9609074A-F921-4e38-B496-1FB55E52E732}.exe	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe
PID 324 wrote to memory of 2888	324	{9609074A-F921-4e38-B496-1FB55E52E732}.exe	cmd.exe
PID 324 wrote to memory of 2888	324	{9609074A-F921-4e38-B496-1FB55E52E732}.exe	cmd.exe
PID 324 wrote to memory of 2888	324	{9609074A-F921-4e38-B496-1FB55E52E732}.exe	cmd.exe
PID 324 wrote to memory of 2888	324	{9609074A-F921-4e38-B496-1FB55E52E732}.exe	cmd.exe
PID 2792 wrote to memory of 2168	2792	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe
PID 2792 wrote to memory of 2168	2792	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe
PID 2792 wrote to memory of 2168	2792	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe
PID 2792 wrote to memory of 2168	2792	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe
PID 2792 wrote to memory of 792	2792	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe	cmd.exe
PID 2792 wrote to memory of 792	2792	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe	cmd.exe
PID 2792 wrote to memory of 792	2792	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe	cmd.exe
PID 2792 wrote to memory of 792	2792	{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe	cmd.exe
PID 2168 wrote to memory of 2296	2168	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe
PID 2168 wrote to memory of 2296	2168	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe
PID 2168 wrote to memory of 2296	2168	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe
PID 2168 wrote to memory of 2296	2168	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe
PID 2168 wrote to memory of 280	2168	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe	cmd.exe
PID 2168 wrote to memory of 280	2168	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe	cmd.exe
PID 2168 wrote to memory of 280	2168	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe	cmd.exe
PID 2168 wrote to memory of 280	2168	{EEC0240E-5D40-43b0-8571-86963985FB26}.exe	cmd.exe
PID 2296 wrote to memory of 2400	2296	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe	{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe
PID 2296 wrote to memory of 2400	2296	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe	{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe
PID 2296 wrote to memory of 2400	2296	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe	{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe
PID 2296 wrote to memory of 2400	2296	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe	{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe
PID 2296 wrote to memory of 1752	2296	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe	cmd.exe
PID 2296 wrote to memory of 1752	2296	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe	cmd.exe
PID 2296 wrote to memory of 1752	2296	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe	cmd.exe
PID 2296 wrote to memory of 1752	2296	{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe
C:\Windows\{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe
C:\Windows\{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe
C:\Windows\{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\{9609074A-F921-4e38-B496-1FB55E52E732}.exe
C:\Windows\{9609074A-F921-4e38-B496-1FB55E52E732}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{96090~1.EXE > nul
6⤵
PID:2888

C:\Windows\{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe
C:\Windows\{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C7E52~1.EXE > nul
7⤵
PID:792

C:\Windows\{EEC0240E-5D40-43b0-8571-86963985FB26}.exe
C:\Windows\{EEC0240E-5D40-43b0-8571-86963985FB26}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe
C:\Windows\{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe
C:\Windows\{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8FB15~1.EXE > nul
10⤵
PID:2352

C:\Windows\{5DED850E-40D2-4df8-BF64-997D09F4AC48}.exe
C:\Windows\{5DED850E-40D2-4df8-BF64-997D09F4AC48}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\{4236127B-9A4A-4433-8EFF-DB219DE34E03}.exe
C:\Windows\{4236127B-9A4A-4433-8EFF-DB219DE34E03}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{42361~1.EXE > nul
12⤵
PID:1972

C:\Windows\{AAEEBB96-92AA-40ee-A2AE-B9F10E1E8A6D}.exe
C:\Windows\{AAEEBB96-92AA-40ee-A2AE-B9F10E1E8A6D}.exe
12⤵
- Executes dropped EXE
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5DED8~1.EXE > nul
11⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B063B~1.EXE > nul
9⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EEC02~1.EXE > nul
8⤵
PID:280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A11BE~1.EXE > nul
5⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AB83A~1.EXE > nul
4⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{94FAD~1.EXE > nul
3⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2684

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4236127B-9A4A-4433-8EFF-DB219DE34E03}.exe
Filesize
408KB

MD5
697c2089d99deac9e7300a9d75b1dc39

SHA1
13a77d1a9962a14453353fc8e86dde8ecd3b5fe8

SHA256
e8168948b9052a3b1513460e3321d153eddc76a9e335ffb19d9b921fed385b9a

SHA512
fc177895e2f1de876d8c8bb8bf214025cae8cabc41f7995b7fab9d3de5d76a31aa1560aa9b40a53337e679ce1f284e6e6a4ce0f053874574e91cc536a9e222b7

Download Submit
C:\Windows\{5DED850E-40D2-4df8-BF64-997D09F4AC48}.exe
Filesize
408KB

MD5
dde0b294bcea64dd18a86b386db68d00

SHA1
792bc37ea56482ad76f79a066faeb7978a89a3c9

SHA256
5347e1944e7af94e4838c4312a246b3d23f446f3cd8481f78d8b42eec09be1b8

SHA512
66ee1dbe20be17b4c7cf8ce48dfcb26d133127712cc3311276fef4b5449d9fb6b52300131196d6c67e4c7e2a3168f52c78eb6b8dd231e3c8f7928b66ae578c76

Download Submit
C:\Windows\{8FB15D00-D7CE-47ef-8980-47BEA414E42C}.exe
Filesize
408KB

MD5
176d1d422475a26287b82817bf8046de

SHA1
65656d6c70fdd9cf2de5b58272e07c5a8c72061a

SHA256
a97053201d3b218707759da301ce51be5a0944715672adb3e2e52e2988dd0931

SHA512
65db5839248ad77e2adc1a341b182ec028c30d894a10c3f8248da7688366e86c1ba4de1e69e0868a73f0529ce0bf2420fafcc888d29d2a90d6ba1b82c20e40fb

Download Submit
C:\Windows\{94FADBB1-806E-4193-9F6B-61C4F4B0A350}.exe
Filesize
408KB

MD5
21a711e803a9c4aa1ab9da9c4401bb9d

SHA1
71c3f568b31316a64f4d0bce86dda8086d24933b

SHA256
fd227808891f38b31b7c881091478e2ae179ab450685dee4b7008505487cc237

SHA512
fe4d0b9da802f6f4cb9da260fd28c08dac853c3e5c27e7a44169d661b9c81ef35eb81c70b32c81732c691efb054e9a8d463c6b332cb138382a81edcbf18d7454

Download Submit
C:\Windows\{9609074A-F921-4e38-B496-1FB55E52E732}.exe
Filesize
408KB

MD5
434fed76dfb46bf528bcee0a7a130e45

SHA1
7115d0ffcabd5ea6fcc98715f63f2ec520bfaf56

SHA256
261af5ef4628e4e48c59777e23e5f7f8270f6b979e9414b0941732d5b9ac4600

SHA512
bff05ca54e3ae5117a8dafe33e3598c0a231190746e959607c239a502b8f202f9747bdb769cae113eac255e519d7767d1d3e0f14648c048592afa3f2512512b9

Download Submit
C:\Windows\{A11BE78C-202C-4989-82FA-4F55A389F03E}.exe
Filesize
408KB

MD5
d7c088a23e57d3da40c6a61e524c34b7

SHA1
8042ef75929947aaad7ff01d06e33fc00d99d27f

SHA256
fa4c5b068770192bdff705b9d9011a273716ab05137b7c2ae8027207a6ad6a12

SHA512
6d6884a2a31520eca5f2e2c7b6e6d26506baea9cbd5deb7c99645ff222846b8a61c6a086f198f93f680a639dc1b75e77507d50f198ed7955b3dec80d92d5021c

Download Submit
C:\Windows\{AAEEBB96-92AA-40ee-A2AE-B9F10E1E8A6D}.exe
Filesize
408KB

MD5
5079bccd816a25595749399f8af170f0

SHA1
9234a105ad44ef58ef5ec240f3e33c5e91879fc8

SHA256
5df1a375f4b458c65f8bfaf981d946d64a53249ddb55c4c35d1d6b5798967a70

SHA512
4d308d5d50c66baf6b150040dc6fa4a85d6a950e2b22d14c40073700a1dfc7b62e81f2b129eb90125e217e141634e765407720c49942566eac462315d2b594e8

Download Submit
C:\Windows\{AB83A4A1-DA90-4db4-8AA0-4E2488C8CEEF}.exe
Filesize
408KB

MD5
ad7146bc6726a9cd1cdc4f3e2b9564e6

SHA1
423814659090e761c6f3b30962c36f249379c03a

SHA256
d6577b6739352251f539a571ef4570238f8c56f1f4485f38982fb61d4a881a6f

SHA512
c7a1567e2d6c21558fcaa9db75f193a4d88c2178723af728d074ff035bfd293be01cedfb1bbab4390057c75adee3c22abdc2866d2ab887a0cac4fa5f54f1fc81

Download Submit
C:\Windows\{B063B4AE-EEC3-4d2f-A159-5CDBB38ACBC0}.exe
Filesize
408KB

MD5
f1112e4961c9a1400a20db130beac2e8

SHA1
96908fcf670a64e3bad596c17ffed875b8643ab1

SHA256
372ef7598a465c71fa381ef68e6d8aaa14b5931d276d71e443154b6c25f2fe0f

SHA512
14ed244c481c2a4cf468504a1972678d113c5897e8492b8c9ce379f71345abb22af354215b385a95004388407565b669d52fafac01ce63275e342519b7d3a08e

Download Submit
C:\Windows\{C7E52C59-CCDB-4a0b-8292-3693A1357C6C}.exe
Filesize
408KB

MD5
34ee91a2e5ffcaa740ef434a7881907c

SHA1
e138391cec944a87300a4562b5a609c1ce4e2943

SHA256
f456afb5c5702a1ed9929269954ec52a8fad8d6c3d13483b4e96049c2680a473

SHA512
dadd312eff6de305b194ab6eb9157db2893a167c5fa017d68e2cb62c33ddfa3a0e24b31747fb0b23b76b1894351a2fd6956d3dfe672b52c487b92334ce799291

Download Submit
C:\Windows\{EEC0240E-5D40-43b0-8571-86963985FB26}.exe
Filesize
408KB

MD5
8c0c7ba117de2d217f7ab297ee5da4b5

SHA1
e123da6b9013dd2d61b18163c98aa06d8680e0b5

SHA256
cdc5a7fa58c5021bde656dbb9b375ac005c468e619be5da06f70300fd1c910a0

SHA512
1de2e7dba7fe9fd4c3d5f6c9ad28648d8b22f73b2249de886cd256433c21e8185ff2fe428646bf8d454ebdb60248e21b9c68e6f22c9f761a85ab6b61b8445649

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads