5cda1f5a39fe82aa6ee646a9b4ecee7990e5c718c8b1f081520da25ed6d316aa

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe
Size

168KB
MD5

f0c25c8a89cc8a13c499f95d5131db82
SHA1

847b9d56c83b43c9bc04387c705b962dafeeb82b
SHA256

5cda1f5a39fe82aa6ee646a9b4ecee7990e5c718c8b1f081520da25ed6d316aa
SHA512

c7f9c1e5d11e902632c331babc5d3bb04e1b5c893ebdbc2684b659fd209f2aefa6d903ec9ddd2149dbd4f4e5d711b0fc1646fc8b50f8032af3c1630f2079b3d6
SSDEEP

1536:1EGh0oslq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oslqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{530C35CB-A336-4714-93C9-F38F821895E6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B1233652-2DFE-4123-834C-759E3E191C43}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{849943A2-78AD-4010-82A1-F819E52D1843}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6F497069-8A05-465b-B529-465035C9AD8F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{80B02799-E56B-44f8-9DA5-2E8E4239592E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4809CC39-238C-4234-954F-D12598ABA705}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe{B1233652-2DFE-4123-834C-759E3E191C43}.exe{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe{849943A2-78AD-4010-82A1-F819E52D1843}.exe{80B02799-E56B-44f8-9DA5-2E8E4239592E}.exe{6F497069-8A05-465b-B529-465035C9AD8F}.exe{530C35CB-A336-4714-93C9-F38F821895E6}.exe{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F6AF58-D5A4-455e-8354-12772F5E926F}	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42D5C81F-7937-46d5-AC65-BE715B53C711}\stubpath = "C:\\Windows\\{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe"	2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{530C35CB-A336-4714-93C9-F38F821895E6}\stubpath = "C:\\Windows\\{530C35CB-A336-4714-93C9-F38F821895E6}.exe"	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}\stubpath = "C:\\Windows\\{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe"	{B1233652-2DFE-4123-834C-759E3E191C43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE5B486E-DDE3-4de4-AF37-2873A5311B47}\stubpath = "C:\\Windows\\{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe"	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{849943A2-78AD-4010-82A1-F819E52D1843}	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}	{849943A2-78AD-4010-82A1-F819E52D1843}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}\stubpath = "C:\\Windows\\{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe"	{849943A2-78AD-4010-82A1-F819E52D1843}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4809CC39-238C-4234-954F-D12598ABA705}	{80B02799-E56B-44f8-9DA5-2E8E4239592E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{849943A2-78AD-4010-82A1-F819E52D1843}\stubpath = "C:\\Windows\\{849943A2-78AD-4010-82A1-F819E52D1843}.exe"	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80B02799-E56B-44f8-9DA5-2E8E4239592E}	{6F497069-8A05-465b-B529-465035C9AD8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42D5C81F-7937-46d5-AC65-BE715B53C711}	2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1233652-2DFE-4123-834C-759E3E191C43}	{530C35CB-A336-4714-93C9-F38F821895E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1233652-2DFE-4123-834C-759E3E191C43}\stubpath = "C:\\Windows\\{B1233652-2DFE-4123-834C-759E3E191C43}.exe"	{530C35CB-A336-4714-93C9-F38F821895E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F6AF58-D5A4-455e-8354-12772F5E926F}\stubpath = "C:\\Windows\\{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe"	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{530C35CB-A336-4714-93C9-F38F821895E6}	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}	{B1233652-2DFE-4123-834C-759E3E191C43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE5B486E-DDE3-4de4-AF37-2873A5311B47}	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F497069-8A05-465b-B529-465035C9AD8F}	{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F497069-8A05-465b-B529-465035C9AD8F}\stubpath = "C:\\Windows\\{6F497069-8A05-465b-B529-465035C9AD8F}.exe"	{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80B02799-E56B-44f8-9DA5-2E8E4239592E}\stubpath = "C:\\Windows\\{80B02799-E56B-44f8-9DA5-2E8E4239592E}.exe"	{6F497069-8A05-465b-B529-465035C9AD8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4809CC39-238C-4234-954F-D12598ABA705}\stubpath = "C:\\Windows\\{4809CC39-238C-4234-954F-D12598ABA705}.exe"	{80B02799-E56B-44f8-9DA5-2E8E4239592E}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2452 cmd.exe

pid	process
2452	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe{530C35CB-A336-4714-93C9-F38F821895E6}.exe{B1233652-2DFE-4123-834C-759E3E191C43}.exe{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe{849943A2-78AD-4010-82A1-F819E52D1843}.exe{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe{6F497069-8A05-465b-B529-465035C9AD8F}.exe{80B02799-E56B-44f8-9DA5-2E8E4239592E}.exe{4809CC39-238C-4234-954F-D12598ABA705}.exe

pid	process
3068	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe
2812	{530C35CB-A336-4714-93C9-F38F821895E6}.exe
2552	{B1233652-2DFE-4123-834C-759E3E191C43}.exe
2492	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe
1612	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe
2444	{849943A2-78AD-4010-82A1-F819E52D1843}.exe
800	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe
2856	{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe
1388	{6F497069-8A05-465b-B529-465035C9AD8F}.exe
2192	{80B02799-E56B-44f8-9DA5-2E8E4239592E}.exe
672	{4809CC39-238C-4234-954F-D12598ABA705}.exe

Drops file in Windows directory 11 IoCs

Processes:

{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe{80B02799-E56B-44f8-9DA5-2E8E4239592E}.exe{530C35CB-A336-4714-93C9-F38F821895E6}.exe{849943A2-78AD-4010-82A1-F819E52D1843}.exe{B1233652-2DFE-4123-834C-759E3E191C43}.exe{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe{6F497069-8A05-465b-B529-465035C9AD8F}.exe2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe

description	ioc	process
File created	C:\Windows\{6F497069-8A05-465b-B529-465035C9AD8F}.exe	{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe
File created	C:\Windows\{4809CC39-238C-4234-954F-D12598ABA705}.exe	{80B02799-E56B-44f8-9DA5-2E8E4239592E}.exe
File created	C:\Windows\{B1233652-2DFE-4123-834C-759E3E191C43}.exe	{530C35CB-A336-4714-93C9-F38F821895E6}.exe
File created	C:\Windows\{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe	{849943A2-78AD-4010-82A1-F819E52D1843}.exe
File created	C:\Windows\{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe	{B1233652-2DFE-4123-834C-759E3E191C43}.exe
File created	C:\Windows\{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe
File created	C:\Windows\{849943A2-78AD-4010-82A1-F819E52D1843}.exe	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe
File created	C:\Windows\{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe
File created	C:\Windows\{80B02799-E56B-44f8-9DA5-2E8E4239592E}.exe	{6F497069-8A05-465b-B529-465035C9AD8F}.exe
File created	C:\Windows\{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe	2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe
File created	C:\Windows\{530C35CB-A336-4714-93C9-F38F821895E6}.exe	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe{530C35CB-A336-4714-93C9-F38F821895E6}.exe{B1233652-2DFE-4123-834C-759E3E191C43}.exe{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe{849943A2-78AD-4010-82A1-F819E52D1843}.exe{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe{6F497069-8A05-465b-B529-465035C9AD8F}.exe{80B02799-E56B-44f8-9DA5-2E8E4239592E}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2224	2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3068	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe
Token: SeIncBasePriorityPrivilege	2812	{530C35CB-A336-4714-93C9-F38F821895E6}.exe
Token: SeIncBasePriorityPrivilege	2552	{B1233652-2DFE-4123-834C-759E3E191C43}.exe
Token: SeIncBasePriorityPrivilege	2492	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe
Token: SeIncBasePriorityPrivilege	1612	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe
Token: SeIncBasePriorityPrivilege	2444	{849943A2-78AD-4010-82A1-F819E52D1843}.exe
Token: SeIncBasePriorityPrivilege	800	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe
Token: SeIncBasePriorityPrivilege	2856	{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe
Token: SeIncBasePriorityPrivilege	1388	{6F497069-8A05-465b-B529-465035C9AD8F}.exe
Token: SeIncBasePriorityPrivilege	2192	{80B02799-E56B-44f8-9DA5-2E8E4239592E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2224 wrote to memory of 3068	2224	2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe
PID 2224 wrote to memory of 3068	2224	2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe
PID 2224 wrote to memory of 3068	2224	2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe
PID 2224 wrote to memory of 3068	2224	2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe
PID 2224 wrote to memory of 2452	2224	2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe	cmd.exe
PID 2224 wrote to memory of 2452	2224	2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe	cmd.exe
PID 2224 wrote to memory of 2452	2224	2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe	cmd.exe
PID 2224 wrote to memory of 2452	2224	2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe	cmd.exe
PID 3068 wrote to memory of 2812	3068	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe	{530C35CB-A336-4714-93C9-F38F821895E6}.exe
PID 3068 wrote to memory of 2812	3068	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe	{530C35CB-A336-4714-93C9-F38F821895E6}.exe
PID 3068 wrote to memory of 2812	3068	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe	{530C35CB-A336-4714-93C9-F38F821895E6}.exe
PID 3068 wrote to memory of 2812	3068	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe	{530C35CB-A336-4714-93C9-F38F821895E6}.exe
PID 3068 wrote to memory of 2584	3068	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe	cmd.exe
PID 3068 wrote to memory of 2584	3068	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe	cmd.exe
PID 3068 wrote to memory of 2584	3068	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe	cmd.exe
PID 3068 wrote to memory of 2584	3068	{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe	cmd.exe
PID 2812 wrote to memory of 2552	2812	{530C35CB-A336-4714-93C9-F38F821895E6}.exe	{B1233652-2DFE-4123-834C-759E3E191C43}.exe
PID 2812 wrote to memory of 2552	2812	{530C35CB-A336-4714-93C9-F38F821895E6}.exe	{B1233652-2DFE-4123-834C-759E3E191C43}.exe
PID 2812 wrote to memory of 2552	2812	{530C35CB-A336-4714-93C9-F38F821895E6}.exe	{B1233652-2DFE-4123-834C-759E3E191C43}.exe
PID 2812 wrote to memory of 2552	2812	{530C35CB-A336-4714-93C9-F38F821895E6}.exe	{B1233652-2DFE-4123-834C-759E3E191C43}.exe
PID 2812 wrote to memory of 2616	2812	{530C35CB-A336-4714-93C9-F38F821895E6}.exe	cmd.exe
PID 2812 wrote to memory of 2616	2812	{530C35CB-A336-4714-93C9-F38F821895E6}.exe	cmd.exe
PID 2812 wrote to memory of 2616	2812	{530C35CB-A336-4714-93C9-F38F821895E6}.exe	cmd.exe
PID 2812 wrote to memory of 2616	2812	{530C35CB-A336-4714-93C9-F38F821895E6}.exe	cmd.exe
PID 2552 wrote to memory of 2492	2552	{B1233652-2DFE-4123-834C-759E3E191C43}.exe	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe
PID 2552 wrote to memory of 2492	2552	{B1233652-2DFE-4123-834C-759E3E191C43}.exe	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe
PID 2552 wrote to memory of 2492	2552	{B1233652-2DFE-4123-834C-759E3E191C43}.exe	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe
PID 2552 wrote to memory of 2492	2552	{B1233652-2DFE-4123-834C-759E3E191C43}.exe	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe
PID 2552 wrote to memory of 1448	2552	{B1233652-2DFE-4123-834C-759E3E191C43}.exe	cmd.exe
PID 2552 wrote to memory of 1448	2552	{B1233652-2DFE-4123-834C-759E3E191C43}.exe	cmd.exe
PID 2552 wrote to memory of 1448	2552	{B1233652-2DFE-4123-834C-759E3E191C43}.exe	cmd.exe
PID 2552 wrote to memory of 1448	2552	{B1233652-2DFE-4123-834C-759E3E191C43}.exe	cmd.exe
PID 2492 wrote to memory of 1612	2492	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe
PID 2492 wrote to memory of 1612	2492	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe
PID 2492 wrote to memory of 1612	2492	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe
PID 2492 wrote to memory of 1612	2492	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe
PID 2492 wrote to memory of 2940	2492	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe	cmd.exe
PID 2492 wrote to memory of 2940	2492	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe	cmd.exe
PID 2492 wrote to memory of 2940	2492	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe	cmd.exe
PID 2492 wrote to memory of 2940	2492	{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe	cmd.exe
PID 1612 wrote to memory of 2444	1612	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe	{849943A2-78AD-4010-82A1-F819E52D1843}.exe
PID 1612 wrote to memory of 2444	1612	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe	{849943A2-78AD-4010-82A1-F819E52D1843}.exe
PID 1612 wrote to memory of 2444	1612	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe	{849943A2-78AD-4010-82A1-F819E52D1843}.exe
PID 1612 wrote to memory of 2444	1612	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe	{849943A2-78AD-4010-82A1-F819E52D1843}.exe
PID 1612 wrote to memory of 808	1612	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe	cmd.exe
PID 1612 wrote to memory of 808	1612	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe	cmd.exe
PID 1612 wrote to memory of 808	1612	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe	cmd.exe
PID 1612 wrote to memory of 808	1612	{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe	cmd.exe
PID 2444 wrote to memory of 800	2444	{849943A2-78AD-4010-82A1-F819E52D1843}.exe	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe
PID 2444 wrote to memory of 800	2444	{849943A2-78AD-4010-82A1-F819E52D1843}.exe	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe
PID 2444 wrote to memory of 800	2444	{849943A2-78AD-4010-82A1-F819E52D1843}.exe	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe
PID 2444 wrote to memory of 800	2444	{849943A2-78AD-4010-82A1-F819E52D1843}.exe	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe
PID 2444 wrote to memory of 1564	2444	{849943A2-78AD-4010-82A1-F819E52D1843}.exe	cmd.exe
PID 2444 wrote to memory of 1564	2444	{849943A2-78AD-4010-82A1-F819E52D1843}.exe	cmd.exe
PID 2444 wrote to memory of 1564	2444	{849943A2-78AD-4010-82A1-F819E52D1843}.exe	cmd.exe
PID 2444 wrote to memory of 1564	2444	{849943A2-78AD-4010-82A1-F819E52D1843}.exe	cmd.exe
PID 800 wrote to memory of 2856	800	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe	{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe
PID 800 wrote to memory of 2856	800	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe	{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe
PID 800 wrote to memory of 2856	800	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe	{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe
PID 800 wrote to memory of 2856	800	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe	{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe
PID 800 wrote to memory of 2884	800	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe	cmd.exe
PID 800 wrote to memory of 2884	800	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe	cmd.exe
PID 800 wrote to memory of 2884	800	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe	cmd.exe
PID 800 wrote to memory of 2884	800	{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe
C:\Windows\{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\{530C35CB-A336-4714-93C9-F38F821895E6}.exe
C:\Windows\{530C35CB-A336-4714-93C9-F38F821895E6}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\{B1233652-2DFE-4123-834C-759E3E191C43}.exe
C:\Windows\{B1233652-2DFE-4123-834C-759E3E191C43}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe
C:\Windows\{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe
C:\Windows\{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\{849943A2-78AD-4010-82A1-F819E52D1843}.exe
C:\Windows\{849943A2-78AD-4010-82A1-F819E52D1843}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{84994~1.EXE > nul
8⤵
PID:1564

C:\Windows\{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe
C:\Windows\{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe
C:\Windows\{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\{6F497069-8A05-465b-B529-465035C9AD8F}.exe
C:\Windows\{6F497069-8A05-465b-B529-465035C9AD8F}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\{80B02799-E56B-44f8-9DA5-2E8E4239592E}.exe
C:\Windows\{80B02799-E56B-44f8-9DA5-2E8E4239592E}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{80B02~1.EXE > nul
12⤵
PID:1052

C:\Windows\{4809CC39-238C-4234-954F-D12598ABA705}.exe
C:\Windows\{4809CC39-238C-4234-954F-D12598ABA705}.exe
12⤵
- Executes dropped EXE
PID:672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6F497~1.EXE > nul
11⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{41F6A~1.EXE > nul
10⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AF6D1~1.EXE > nul
9⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DE5B4~1.EXE > nul
7⤵
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2DF63~1.EXE > nul
6⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B1233~1.EXE > nul
5⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{530C3~1.EXE > nul
4⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{42D5C~1.EXE > nul
3⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2452

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2DF63C0D-440D-47dd-BE60-F0C0CD895CF7}.exe
Filesize
168KB

MD5
a67de922ac9d2395a720c2a2e4cf825a

SHA1
5690fcead4dc2d3d3dc2f4fce9290bbf8a7bdd64

SHA256
4ba590f2654a2346d406ff3ea2accd6751305e83bf4bb793d47aae34183cdf06

SHA512
4d3feabaadfa3fe8bfdbc89222a2f3a426b5fa7b36cac2b5ebcdd22ac9adcfe2879ca3aabf7a21e23e0eabdf901bff4dcbae38302f2b888e1ef0efa9f7ad099d

Download Submit
C:\Windows\{41F6AF58-D5A4-455e-8354-12772F5E926F}.exe
Filesize
168KB

MD5
dd93db67ab02fac97055bd28dfc70646

SHA1
3c66d3a662f95c363b5930753f1f9ebc2e370647

SHA256
23525539472706a05f3aa180511b4271459a16b6d99458c03e93de59f604c63d

SHA512
1f410a795f44510d350659c2d304711d5425d3efcdb3d46d152934580c61a0171f5bdd6fe6b3791475dad8cdf6cc27f2641e093bc3d54d0147a1100b31dd6bce

Download Submit
C:\Windows\{42D5C81F-7937-46d5-AC65-BE715B53C711}.exe
Filesize
168KB

MD5
79abe498aed3b9aa77844400b41bee69

SHA1
5a48943fcd437ab68253533526f1777e8759261f

SHA256
f3d949ed3324cd51164d9079088fddb27c27f82b16b7e92310814ec94f951c94

SHA512
5697bf4f8ed933283ae0222fbcd0a5d8e04281ce5d5ed573a51e400850b5e51fa823e7d38d428c412673caa9b9510eea0dd6941e19ac374b5d66286294bce0c9

Download Submit
C:\Windows\{4809CC39-238C-4234-954F-D12598ABA705}.exe
Filesize
168KB

MD5
b81c71062325ab241908cb49f430fc30

SHA1
de735991587e2e984954f977aba25e2262944887

SHA256
a6b31cd3058ff83b476d69a775fa1b70678f69f1ec4cec9d7728aac266985cb4

SHA512
274463436c2a9d5f8e4d6544bb87b5240fd0bb79311c7b400759cc0203b56c0b81ba78971bcdeca3e155d7775dd8cf127154621919a968f17735348b189ed430

Download Submit
C:\Windows\{530C35CB-A336-4714-93C9-F38F821895E6}.exe
Filesize
168KB

MD5
ffeb2ce54ae309e1273904a2454ca263

SHA1
1449a966ac480993f40016d3bb38ba3d69278d6f

SHA256
405cbfa047242f878f27041213334af3e760dc221806eb55170a25271466772a

SHA512
43e76669fbf6e66ddb361652a77cadd6ce349e2f0463ef9d5e817a0596a668c666a78f9e5f240a32fbeee73d48822722df1dd766dd19c00968e1065a1be97751

Download Submit
C:\Windows\{6F497069-8A05-465b-B529-465035C9AD8F}.exe
Filesize
168KB

MD5
7225b6c6166e1c4f1052152e90bac567

SHA1
f9a3c5fab364214a8e10bae92925fa81b4899947

SHA256
fc7533a69a922beb823d3ee548698f24e8188c11f7c09462ab73332529bdf331

SHA512
4f966a3297e4ccb39b1b6e26a408b1533b1e432281852e732732c92b2a1463d2c5dc809b19f43fc7c470c9bc3ac16c14d599e9fc670ece630dd07b6d20466147

Download Submit
C:\Windows\{80B02799-E56B-44f8-9DA5-2E8E4239592E}.exe
Filesize
168KB

MD5
8b8312a6b3fdce0c6052be4674d5ce70

SHA1
c48a0ce6a1f6185578c2a1ca7a85308fc0589f38

SHA256
6ba92fcaa88a6787f090bd95fd0969740aebd6b20f35bb7f0d6c5ef0381867d4

SHA512
c18768af7f95f1f66e3089e994d86e5a187a48e71db0b3fb2204ba071828e16d6954401d9353ca1bd4f94a160f7e136e886ae4822ddfaac2bd0d68470284cf52

Download Submit
C:\Windows\{849943A2-78AD-4010-82A1-F819E52D1843}.exe
Filesize
168KB

MD5
2f50fdb1799a855554e693cc9ad83f50

SHA1
80824ff9a851e8de4a81e0e2f0a1f7f1dd5f6d2b

SHA256
9aab80859c4c916d1b94acfb8bcfa7bc3f0b91cd9a5a378cca580580e30fce09

SHA512
1dc93672a52d72fa40789226bd3d825eacfb122676dc35e9da58bbe7a87630349d6ea48abe582391f3177563c1f51735f1c2333b63b1894c6b2f1343d44edce3

Download Submit
C:\Windows\{AF6D1B3B-3AE5-4b48-85C0-7444EC74E7A7}.exe
Filesize
168KB

MD5
e15d493f5dee39c7b0dd5f5ca42f0f82

SHA1
269f0b0961d6f05f1cfe6899165b773cbbd98720

SHA256
97605e71f0adede9c874b397bc4260afa9402f3dcb54d4c6118d86084f117df7

SHA512
da23010695087a777a1869633c0f5135e8160350ca4e624c5e4ba050904d8f3a1c233d431b6ad8be4cb4967c1c599a68accd61842d9dad6e08c3abffad100ec8

Download Submit
C:\Windows\{B1233652-2DFE-4123-834C-759E3E191C43}.exe
Filesize
168KB

MD5
154bf8a9dd4ac365f57ac4f97647f5ac

SHA1
e44bb051291786b0e684eeb8a78530df789853f6

SHA256
c36d5dc0ceab66d7a974747f67bc703e1432bae35d2d1cfbd93b3fdd2a31a1a8

SHA512
dc72742773386e102431bb259fd36ca17ea93f362cb14119c36e1c54c3a3d9ef07af6bab45c8bfed60f2b1bfdcacaeaa23e9d9df075acc6ddf5a18b1004585a7

Download Submit
C:\Windows\{DE5B486E-DDE3-4de4-AF37-2873A5311B47}.exe
Filesize
168KB

MD5
531f36666cd122dc946e73546f127cc8

SHA1
de6705f1dc8a91226a6073019ebdf8f224454633

SHA256
c150b009a66f78bbacb9db55d4b8a09d045bd0b38cc1ccd5e6bae373d1d2f57f

SHA512
9122ea522fd0241101491e4a648b7b0b958d96a6a12f415d551e989f3539a1e3303107976f159d0b206555c4e9e4f86e7c7f79357800e2bd470d670fe2cf335a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads