a4b5a5eb9a43ca8ef3f64d5f4c6722d14107628125b90ccc83bc850a4f1472eb

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe
Size

180KB
MD5

780d9a0366a953f6b74dd4bf20da23dd
SHA1

88f263a7d696826dbc147af8cff02fa1ae2a8ebd
SHA256

a4b5a5eb9a43ca8ef3f64d5f4c6722d14107628125b90ccc83bc850a4f1472eb
SHA512

2cfc16a835645d70b9b1b3cca7c50b9539aa6ecdc9b009c2846ccd6dac05336cbf93bfe9718977147f9f17355ea5efdd80625709f2a8ed2048b1ca56f76a45f1
SSDEEP

3072:jEGh0oLlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGtl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

Processes:

resource	yara_rule
C:\Windows\{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{59E50EE4-F048-4555-87CC-67AFE6161444}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{59E50EE4-F048-4555-87CC-67AFE6161444}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{49ED9821-F821-48b5-88C1-9B69C6378243}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B00B9435-BC16-40e6-B1E0-36632890259A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{49ED9821-F821-48b5-88C1-9B69C6378243}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{33C9267C-483E-4e57-9CDF-6046159D7699}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{16BDF902-3761-49c7-B6C8-CD481040F418}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{97B3E0F2-B147-43cd-8E96-AF55B08EB98D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe{49ED9821-F821-48b5-88C1-9B69C6378243}.exe{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}.exe{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}.exe{59E50EE4-F048-4555-87CC-67AFE6161444}.exe{33C9267C-483E-4e57-9CDF-6046159D7699}.exe{16BDF902-3761-49c7-B6C8-CD481040F418}.exe2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe{B00B9435-BC16-40e6-B1E0-36632890259A}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDE0FA0A-7773-402a-88B1-833929E3712C}	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B00B9435-BC16-40e6-B1E0-36632890259A}	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B00B9435-BC16-40e6-B1E0-36632890259A}\stubpath = "C:\\Windows\\{B00B9435-BC16-40e6-B1E0-36632890259A}.exe"	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16BDF902-3761-49c7-B6C8-CD481040F418}	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16BDF902-3761-49c7-B6C8-CD481040F418}\stubpath = "C:\\Windows\\{16BDF902-3761-49c7-B6C8-CD481040F418}.exe"	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}\stubpath = "C:\\Windows\\{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}.exe"	{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97B3E0F2-B147-43cd-8E96-AF55B08EB98D}	{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49ED9821-F821-48b5-88C1-9B69C6378243}	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}\stubpath = "C:\\Windows\\{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}.exe"	{16BDF902-3761-49c7-B6C8-CD481040F418}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}	{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8555D3B8-6D80-471f-82E2-0F429336AC52}\stubpath = "C:\\Windows\\{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe"	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDE0FA0A-7773-402a-88B1-833929E3712C}\stubpath = "C:\\Windows\\{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe"	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E50EE4-F048-4555-87CC-67AFE6161444}	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33C9267C-483E-4e57-9CDF-6046159D7699}\stubpath = "C:\\Windows\\{33C9267C-483E-4e57-9CDF-6046159D7699}.exe"	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}\stubpath = "C:\\Windows\\{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe"	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}	{16BDF902-3761-49c7-B6C8-CD481040F418}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8555D3B8-6D80-471f-82E2-0F429336AC52}	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E50EE4-F048-4555-87CC-67AFE6161444}\stubpath = "C:\\Windows\\{59E50EE4-F048-4555-87CC-67AFE6161444}.exe"	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49ED9821-F821-48b5-88C1-9B69C6378243}\stubpath = "C:\\Windows\\{49ED9821-F821-48b5-88C1-9B69C6378243}.exe"	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33C9267C-483E-4e57-9CDF-6046159D7699}	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97B3E0F2-B147-43cd-8E96-AF55B08EB98D}\stubpath = "C:\\Windows\\{97B3E0F2-B147-43cd-8E96-AF55B08EB98D}.exe"	{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2868 cmd.exe

pid	process
2868	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe{59E50EE4-F048-4555-87CC-67AFE6161444}.exe{49ED9821-F821-48b5-88C1-9B69C6378243}.exe{B00B9435-BC16-40e6-B1E0-36632890259A}.exe{33C9267C-483E-4e57-9CDF-6046159D7699}.exe{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe{16BDF902-3761-49c7-B6C8-CD481040F418}.exe{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}.exe{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}.exe{97B3E0F2-B147-43cd-8E96-AF55B08EB98D}.exe

pid	process
2928	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe
2580	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe
2804	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe
2600	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe
2024	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe
2004	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe
1180	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe
1672	{16BDF902-3761-49c7-B6C8-CD481040F418}.exe
2216	{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}.exe
2880	{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}.exe
2120	{97B3E0F2-B147-43cd-8E96-AF55B08EB98D}.exe

Drops file in Windows directory 11 IoCs

Processes:

{16BDF902-3761-49c7-B6C8-CD481040F418}.exe2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe{59E50EE4-F048-4555-87CC-67AFE6161444}.exe{B00B9435-BC16-40e6-B1E0-36632890259A}.exe{33C9267C-483E-4e57-9CDF-6046159D7699}.exe{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}.exe{49ED9821-F821-48b5-88C1-9B69C6378243}.exe{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}.exe

description	ioc	process
File created	C:\Windows\{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}.exe	{16BDF902-3761-49c7-B6C8-CD481040F418}.exe
File created	C:\Windows\{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe
File created	C:\Windows\{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe
File created	C:\Windows\{59E50EE4-F048-4555-87CC-67AFE6161444}.exe	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe
File created	C:\Windows\{49ED9821-F821-48b5-88C1-9B69C6378243}.exe	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe
File created	C:\Windows\{33C9267C-483E-4e57-9CDF-6046159D7699}.exe	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe
File created	C:\Windows\{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe
File created	C:\Windows\{16BDF902-3761-49c7-B6C8-CD481040F418}.exe	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe
File created	C:\Windows\{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}.exe	{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}.exe
File created	C:\Windows\{B00B9435-BC16-40e6-B1E0-36632890259A}.exe	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe
File created	C:\Windows\{97B3E0F2-B147-43cd-8E96-AF55B08EB98D}.exe	{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe{59E50EE4-F048-4555-87CC-67AFE6161444}.exe{49ED9821-F821-48b5-88C1-9B69C6378243}.exe{B00B9435-BC16-40e6-B1E0-36632890259A}.exe{33C9267C-483E-4e57-9CDF-6046159D7699}.exe{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe{16BDF902-3761-49c7-B6C8-CD481040F418}.exe{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}.exe{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1364	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2928	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe
Token: SeIncBasePriorityPrivilege	2580	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe
Token: SeIncBasePriorityPrivilege	2804	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe
Token: SeIncBasePriorityPrivilege	2600	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe
Token: SeIncBasePriorityPrivilege	2024	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe
Token: SeIncBasePriorityPrivilege	2004	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe
Token: SeIncBasePriorityPrivilege	1180	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe
Token: SeIncBasePriorityPrivilege	1672	{16BDF902-3761-49c7-B6C8-CD481040F418}.exe
Token: SeIncBasePriorityPrivilege	2216	{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}.exe
Token: SeIncBasePriorityPrivilege	2880	{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1364 wrote to memory of 2928	1364	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe
PID 1364 wrote to memory of 2928	1364	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe
PID 1364 wrote to memory of 2928	1364	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe
PID 1364 wrote to memory of 2928	1364	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe
PID 1364 wrote to memory of 2868	1364	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe	cmd.exe
PID 1364 wrote to memory of 2868	1364	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe	cmd.exe
PID 1364 wrote to memory of 2868	1364	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe	cmd.exe
PID 1364 wrote to memory of 2868	1364	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe	cmd.exe
PID 2928 wrote to memory of 2580	2928	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe
PID 2928 wrote to memory of 2580	2928	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe
PID 2928 wrote to memory of 2580	2928	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe
PID 2928 wrote to memory of 2580	2928	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe
PID 2928 wrote to memory of 2656	2928	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe	cmd.exe
PID 2928 wrote to memory of 2656	2928	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe	cmd.exe
PID 2928 wrote to memory of 2656	2928	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe	cmd.exe
PID 2928 wrote to memory of 2656	2928	{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe	cmd.exe
PID 2580 wrote to memory of 2804	2580	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe
PID 2580 wrote to memory of 2804	2580	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe
PID 2580 wrote to memory of 2804	2580	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe
PID 2580 wrote to memory of 2804	2580	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe
PID 2580 wrote to memory of 2696	2580	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe	cmd.exe
PID 2580 wrote to memory of 2696	2580	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe	cmd.exe
PID 2580 wrote to memory of 2696	2580	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe	cmd.exe
PID 2580 wrote to memory of 2696	2580	{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe	cmd.exe
PID 2804 wrote to memory of 2600	2804	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe
PID 2804 wrote to memory of 2600	2804	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe
PID 2804 wrote to memory of 2600	2804	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe
PID 2804 wrote to memory of 2600	2804	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe
PID 2804 wrote to memory of 2892	2804	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe	cmd.exe
PID 2804 wrote to memory of 2892	2804	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe	cmd.exe
PID 2804 wrote to memory of 2892	2804	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe	cmd.exe
PID 2804 wrote to memory of 2892	2804	{59E50EE4-F048-4555-87CC-67AFE6161444}.exe	cmd.exe
PID 2600 wrote to memory of 2024	2600	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe
PID 2600 wrote to memory of 2024	2600	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe
PID 2600 wrote to memory of 2024	2600	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe
PID 2600 wrote to memory of 2024	2600	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe
PID 2600 wrote to memory of 952	2600	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe	cmd.exe
PID 2600 wrote to memory of 952	2600	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe	cmd.exe
PID 2600 wrote to memory of 952	2600	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe	cmd.exe
PID 2600 wrote to memory of 952	2600	{49ED9821-F821-48b5-88C1-9B69C6378243}.exe	cmd.exe
PID 2024 wrote to memory of 2004	2024	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe
PID 2024 wrote to memory of 2004	2024	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe
PID 2024 wrote to memory of 2004	2024	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe
PID 2024 wrote to memory of 2004	2024	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe
PID 2024 wrote to memory of 2016	2024	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe	cmd.exe
PID 2024 wrote to memory of 2016	2024	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe	cmd.exe
PID 2024 wrote to memory of 2016	2024	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe	cmd.exe
PID 2024 wrote to memory of 2016	2024	{B00B9435-BC16-40e6-B1E0-36632890259A}.exe	cmd.exe
PID 2004 wrote to memory of 1180	2004	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe
PID 2004 wrote to memory of 1180	2004	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe
PID 2004 wrote to memory of 1180	2004	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe
PID 2004 wrote to memory of 1180	2004	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe
PID 2004 wrote to memory of 2716	2004	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe	cmd.exe
PID 2004 wrote to memory of 2716	2004	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe	cmd.exe
PID 2004 wrote to memory of 2716	2004	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe	cmd.exe
PID 2004 wrote to memory of 2716	2004	{33C9267C-483E-4e57-9CDF-6046159D7699}.exe	cmd.exe
PID 1180 wrote to memory of 1672	1180	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe	{16BDF902-3761-49c7-B6C8-CD481040F418}.exe
PID 1180 wrote to memory of 1672	1180	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe	{16BDF902-3761-49c7-B6C8-CD481040F418}.exe
PID 1180 wrote to memory of 1672	1180	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe	{16BDF902-3761-49c7-B6C8-CD481040F418}.exe
PID 1180 wrote to memory of 1672	1180	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe	{16BDF902-3761-49c7-B6C8-CD481040F418}.exe
PID 1180 wrote to memory of 1624	1180	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe	cmd.exe
PID 1180 wrote to memory of 1624	1180	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe	cmd.exe
PID 1180 wrote to memory of 1624	1180	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe	cmd.exe
PID 1180 wrote to memory of 1624	1180	{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe
C:\Windows\{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe
C:\Windows\{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\{59E50EE4-F048-4555-87CC-67AFE6161444}.exe
C:\Windows\{59E50EE4-F048-4555-87CC-67AFE6161444}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\{49ED9821-F821-48b5-88C1-9B69C6378243}.exe
C:\Windows\{49ED9821-F821-48b5-88C1-9B69C6378243}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{49ED9~1.EXE > nul
6⤵
PID:952

C:\Windows\{B00B9435-BC16-40e6-B1E0-36632890259A}.exe
C:\Windows\{B00B9435-BC16-40e6-B1E0-36632890259A}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B00B9~1.EXE > nul
7⤵
PID:2016

C:\Windows\{33C9267C-483E-4e57-9CDF-6046159D7699}.exe
C:\Windows\{33C9267C-483E-4e57-9CDF-6046159D7699}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe
C:\Windows\{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\{16BDF902-3761-49c7-B6C8-CD481040F418}.exe
C:\Windows\{16BDF902-3761-49c7-B6C8-CD481040F418}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}.exe
C:\Windows\{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D8AE4~1.EXE > nul
11⤵
PID:268

C:\Windows\{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}.exe
C:\Windows\{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\{97B3E0F2-B147-43cd-8E96-AF55B08EB98D}.exe
C:\Windows\{97B3E0F2-B147-43cd-8E96-AF55B08EB98D}.exe
12⤵
- Executes dropped EXE
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{367D1~1.EXE > nul
12⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{16BDF~1.EXE > nul
10⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FDB65~1.EXE > nul
9⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{33C92~1.EXE > nul
8⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{59E50~1.EXE > nul
5⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BDE0F~1.EXE > nul
4⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8555D~1.EXE > nul
3⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16BDF902-3761-49c7-B6C8-CD481040F418}.exe

Filesize
180KB

MD5
c1efefab4048493a2387c34c87c1c6ca

SHA1
e7e1793b05d20295d78422f817651539acdf5d40

SHA256
5176e1ab856d3c934e8b9e5b584a4dca20c441f6fbbd767120450a707c5bc5bf

SHA512
7d9ee874b65ebcc318471fa61546b4cbc81aead072ab04ff7c067dce00ac9626980d591501d02010a5a63886e1fbc372e3491805e7df0d805821999e2ad3859f

Download Submit
C:\Windows\{33C9267C-483E-4e57-9CDF-6046159D7699}.exe

Filesize
180KB

MD5
f147a63a026b565093c7ab305d15d277

SHA1
414b300da432f2084c81f181ef451d2eb7ca2b65

SHA256
cef9465d156af4458d361cc3eab472d3e1e4f15b6c9b8e5da9bf1130abbe7f24

SHA512
562cd448d2a88c429e525d01588cb0e5df6c1a91f36423f34aa99359ce596e6506ec71b51bff204acf69b0d393f4cfa773cb7ee440021e251a4b1fc613c264ea

Download Submit
C:\Windows\{367D10D1-AB3C-4324-A4E9-6A4D53CA531C}.exe

Filesize
180KB

MD5
2f86ab87b479314e3497862d7afedc89

SHA1
b3f80b6b88ff46e26ad26e1786b27a6a1525e4cb

SHA256
88d3066761aac54756b0c76399a502018d9b648fdd26d4b942251ae35f056b18

SHA512
f93747e1ee7006437db116420e28a154df9fdefc7c4f67b8870d89f6b76ab74ff4cf25d8032a5242f6441bddb3670b05aa8ab00c37b660f28a5df860ebd31965

Download Submit
C:\Windows\{49ED9821-F821-48b5-88C1-9B69C6378243}.exe

Filesize
45KB

MD5
19a0d4271c61062625a22f8b588b145a

SHA1
ba195e1ffbefcfb504689b05160de526a537014c

SHA256
1aa1ae204f9a6fea4a1a64e06f845cfb68a9226db9473838e1be571c7ece6454

SHA512
52444594b7db3a336dfef4d29f761c35dcd517a4f17cc11ade626a4c588c2ccce1ea8d12946d44ec5ee7b243a09028833f8f8c8a370ed5327c9fc8714ed3e7b4

Download Submit
C:\Windows\{49ED9821-F821-48b5-88C1-9B69C6378243}.exe

Filesize
180KB

MD5
80dbc9b60e60b610390553f66e8149bd

SHA1
419c60bc9ac3eeb712f9eacb4815471d703bb269

SHA256
b4811e3759f1d87447347e5cc3106536a28f2f4420c081ab353a9a03b3e9e491

SHA512
fcdf3b01a8e03e14c95b44a35ee470bc824b2286cdb961f087b4360dccba2ca718450e9e2a0c3cddd247fffa1ee62585117da7ee569740c314ae0ee058d09d60

Download Submit
C:\Windows\{59E50EE4-F048-4555-87CC-67AFE6161444}.exe

Filesize
180KB

MD5
47cc898fcb72ee9d846eb1d89283338e

SHA1
f786fe0d9eb16a34ba478a17f54dcf577f1e4ce8

SHA256
7159c151b93f232d5a3ca20e84729e6a0b50c93e2e70f15f31b7c5fdf8a10608

SHA512
5810502b3956adbe66271c4c4a091f3f74529120544d069840783e06adfa4b34434182a3a3b38bf0262a6108db05b297d92aa833f3a634a8130d8718e438cef7

Download Submit
C:\Windows\{59E50EE4-F048-4555-87CC-67AFE6161444}.exe

Filesize
100KB

MD5
98f8e3e78478eca174c591035c532adb

SHA1
1b3a7413d5864197dce2a8299de5648d193e3e40

SHA256
1cc4a88062cf51ecc770e0244d3c2ac24be38f2eae6ab72a2d3df1a03c6b8130

SHA512
fa5ebcb2b49853e553c1980ceef85cf2a87deb830fdf18c74fc15d5109e0ddfae059ce13faeb60e5beacdcfd1521fe40ac64a6ec19195f8ba1a766dbebb21b2f

Download Submit
C:\Windows\{8555D3B8-6D80-471f-82E2-0F429336AC52}.exe

Filesize
180KB

MD5
cec3a3f2aa08261f7f479018971d701a

SHA1
67b5a05486ab453d2d0f2f63170d947c36429d30

SHA256
9956989ffbdc0fed6b50785f84e9dd30dd07c8976f60878a715451d44829dd6e

SHA512
f148cfec5219ff23a9a827841a4f1e0c2de9d418a3542d74c69d3289ff12f0120e8cc1f9a2538358d77547984b7cb943b59543b28adb29e73ee2ab81fb79dee7

Download Submit
C:\Windows\{97B3E0F2-B147-43cd-8E96-AF55B08EB98D}.exe

Filesize
180KB

MD5
e03402487ca34334e549fbce6e50fd32

SHA1
ae291fac50394d1c39c2b64d19484168aa81f4b2

SHA256
716edfc4ddec644515cafec30657e79197932dc3e9ae4f101dc8995e7d0a69bd

SHA512
b3ae49dbe8b8001d6f08affa63fe8c960e8e096c8a993bc436e20d09e1a894a2dd29548b7dcc491cfe99dfa69db7b567db999e8eda61e56094a6a405cacae3f5

Download Submit
C:\Windows\{B00B9435-BC16-40e6-B1E0-36632890259A}.exe

Filesize
180KB

MD5
0e391ba6e78c85aca9cfbc0f323f9b85

SHA1
58dbafe564cd99ca20ebf15eab8349649fa895e4

SHA256
abccd80f665a4bad422e7c48b4f0a40c6761132032828b8cabd2cf44877a883a

SHA512
6e79476893a5be7b3e0dc50ca4500622abe23ff6fea9517584321fb2c0047407cd352f8d70d977dd6df2d46eec5db8643b4d05ed0c906b6c9aa43995162839be

Download Submit
C:\Windows\{BDE0FA0A-7773-402a-88B1-833929E3712C}.exe

Filesize
180KB

MD5
36fcd91becc907b83e571ea79ba60855

SHA1
9811cc25f0763da68aa5f88ee6f9ab680b0601db

SHA256
17533af99c03bb4707c41e615e5649a2b3834a5c27ff63a8158e4579034b04ce

SHA512
3d512709d5eb25f22904472208beb9fba5df69e2bfd14d8328bcd8602faece7fa067619b927e36a044d0aa61a0fe5d5bcc12b8c5ba2eab4b24a62a55dfcc4037

Download Submit
C:\Windows\{D8AE4954-57C2-4a7e-8FD3-D1F9ADCF04F8}.exe

Filesize
180KB

MD5
dd745d5f5b36d3259ba68c0f7ac81ad2

SHA1
5afd7b3b7871168e0f44cf4e8fd77c392b50b6f2

SHA256
d5c76c331986e1bd8fb65d246a32c39c733b342c8cee5f9462020f07fb001103

SHA512
106214a720279fc44e91780f205b36dd518da4c37b0068c3b0b692b7f9e89822ee351f845438dc2bc619a34107a313f82a16b6b9ee7cec2d47b98bb38a17adb6

Download Submit
C:\Windows\{FDB6575C-3CAE-44b7-B671-E2A5A7B222B5}.exe

Filesize
180KB

MD5
ef63be2eb04d48c6ddbfeb288a6a9131

SHA1
11906fb20441b7b57450bf3739e06ab4cc94d2ec

SHA256
e243e4af952b6724e01d20464d6aee96280d3ffc7dbc982a9680efef4d3127d6

SHA512
2408f3037780e984d53b40425881a93c4c9288825edd513e496dcd82c29d7c1b8026d0bc33eb0f4c7f59773c31b8194f296bc40ea19062c981963f1c0203b36e

Download Submit