18a59b14d32216b8eec2064a0bed2658dc049d90376223dcd10c58697ef2e383

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe
Size

216KB
MD5

7c7b3edf03d7bfafbdd998980609e48a
SHA1

1c10476bccdff2e38d9e61f764e03b8389f1219d
SHA256

18a59b14d32216b8eec2064a0bed2658dc049d90376223dcd10c58697ef2e383
SHA512

b2702fdd987d8bcc3cf62039b67334139357f9db2d25aab7402885b8746d8c05074e309fd06112b2795e642813dd0de6c6d887b5b2bb6bdbd1f30b93fcd0e93a
SSDEEP

3072:jEGh0oXl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGFlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000a000000015d70-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015d88-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015d70-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016110-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015d70-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015d70-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015d70-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}\stubpath = "C:\\Windows\\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe"	{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0ACC2C1-31AA-4c54-88CC-C42553879749}	{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}\stubpath = "C:\\Windows\\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe"	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97389B98-1E05-420a-BF67-A8ECAB2F7336}	{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97389B98-1E05-420a-BF67-A8ECAB2F7336}\stubpath = "C:\\Windows\\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe"	{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}\stubpath = "C:\\Windows\\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe"	{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}	{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}	{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}\stubpath = "C:\\Windows\\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe"	{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}	{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0ACC2C1-31AA-4c54-88CC-C42553879749}\stubpath = "C:\\Windows\\{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe"	{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F51AFC40-4C64-4783-8F5E-5E96E6C80767}	{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}	{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}\stubpath = "C:\\Windows\\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe"	{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F51AFC40-4C64-4783-8F5E-5E96E6C80767}\stubpath = "C:\\Windows\\{F51AFC40-4C64-4783-8F5E-5E96E6C80767}.exe"	{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}\stubpath = "C:\\Windows\\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe"	{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}	{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}	{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}\stubpath = "C:\\Windows\\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe"	{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{914FB5F6-1B1A-42bb-BB69-183B660D0222}	{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{914FB5F6-1B1A-42bb-BB69-183B660D0222}\stubpath = "C:\\Windows\\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe"	{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2860	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe{F51AFC40-4C64-4783-8F5E-5E96E6C80767}.exe

pid	Process
2672	{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe
2780	{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe
1664	{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe
1532	{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe
2820	{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe
2108	{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe
1980	{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe
2044	{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe
1860	{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe
540	{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe
1044	{F51AFC40-4C64-4783-8F5E-5E96E6C80767}.exe

Drops file in Windows directory 11 IoCs

Processes:

{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe

description	ioc	Process
File created	C:\Windows\{F51AFC40-4C64-4783-8F5E-5E96E6C80767}.exe	{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe
File created	C:\Windows\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe	{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe
File created	C:\Windows\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe	{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe
File created	C:\Windows\{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe	{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe
File created	C:\Windows\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe	{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe
File created	C:\Windows\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe	{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe
File created	C:\Windows\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe	{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe
File created	C:\Windows\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe
File created	C:\Windows\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe	{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe
File created	C:\Windows\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe	{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe
File created	C:\Windows\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe	{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	2404	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2672	{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe
Token: SeIncBasePriorityPrivilege	2780	{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe
Token: SeIncBasePriorityPrivilege	1664	{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe
Token: SeIncBasePriorityPrivilege	1532	{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe
Token: SeIncBasePriorityPrivilege	2820	{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe
Token: SeIncBasePriorityPrivilege	2108	{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe
Token: SeIncBasePriorityPrivilege	1980	{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe
Token: SeIncBasePriorityPrivilege	2044	{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe
Token: SeIncBasePriorityPrivilege	1860	{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe
Token: SeIncBasePriorityPrivilege	540	{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 2404 wrote to memory of 2672	2404	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe	28
PID 2404 wrote to memory of 2672	2404	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe	28
PID 2404 wrote to memory of 2672	2404	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe	28
PID 2404 wrote to memory of 2672	2404	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe	28
PID 2404 wrote to memory of 2860	2404	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe	29
PID 2404 wrote to memory of 2860	2404	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe	29
PID 2404 wrote to memory of 2860	2404	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe	29
PID 2404 wrote to memory of 2860	2404	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe	29
PID 2672 wrote to memory of 2780	2672	{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe	30
PID 2672 wrote to memory of 2780	2672	{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe	30
PID 2672 wrote to memory of 2780	2672	{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe	30
PID 2672 wrote to memory of 2780	2672	{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe	30
PID 2672 wrote to memory of 2744	2672	{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe	31
PID 2672 wrote to memory of 2744	2672	{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe	31
PID 2672 wrote to memory of 2744	2672	{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe	31
PID 2672 wrote to memory of 2744	2672	{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe	31
PID 2780 wrote to memory of 1664	2780	{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe	33
PID 2780 wrote to memory of 1664	2780	{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe	33
PID 2780 wrote to memory of 1664	2780	{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe	33
PID 2780 wrote to memory of 1664	2780	{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe	33
PID 2780 wrote to memory of 2572	2780	{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe	32
PID 2780 wrote to memory of 2572	2780	{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe	32
PID 2780 wrote to memory of 2572	2780	{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe	32
PID 2780 wrote to memory of 2572	2780	{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe	32
PID 1664 wrote to memory of 1532	1664	{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe	37
PID 1664 wrote to memory of 1532	1664	{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe	37
PID 1664 wrote to memory of 1532	1664	{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe	37
PID 1664 wrote to memory of 1532	1664	{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe	37
PID 1664 wrote to memory of 2104	1664	{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe	36
PID 1664 wrote to memory of 2104	1664	{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe	36
PID 1664 wrote to memory of 2104	1664	{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe	36
PID 1664 wrote to memory of 2104	1664	{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe	36
PID 1532 wrote to memory of 2820	1532	{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe	38
PID 1532 wrote to memory of 2820	1532	{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe	38
PID 1532 wrote to memory of 2820	1532	{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe	38
PID 1532 wrote to memory of 2820	1532	{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe	38
PID 1532 wrote to memory of 2840	1532	{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe	39
PID 1532 wrote to memory of 2840	1532	{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe	39
PID 1532 wrote to memory of 2840	1532	{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe	39
PID 1532 wrote to memory of 2840	1532	{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe	39
PID 2820 wrote to memory of 2108	2820	{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe	40
PID 2820 wrote to memory of 2108	2820	{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe	40
PID 2820 wrote to memory of 2108	2820	{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe	40
PID 2820 wrote to memory of 2108	2820	{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe	40
PID 2820 wrote to memory of 1468	2820	{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe	41
PID 2820 wrote to memory of 1468	2820	{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe	41
PID 2820 wrote to memory of 1468	2820	{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe	41
PID 2820 wrote to memory of 1468	2820	{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe	41
PID 2108 wrote to memory of 1980	2108	{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe	42
PID 2108 wrote to memory of 1980	2108	{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe	42
PID 2108 wrote to memory of 1980	2108	{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe	42
PID 2108 wrote to memory of 1980	2108	{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe	42
PID 2108 wrote to memory of 2180	2108	{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe	43
PID 2108 wrote to memory of 2180	2108	{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe	43
PID 2108 wrote to memory of 2180	2108	{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe	43
PID 2108 wrote to memory of 2180	2108	{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe	43
PID 1980 wrote to memory of 2044	1980	{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe	44
PID 1980 wrote to memory of 2044	1980	{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe	44
PID 1980 wrote to memory of 2044	1980	{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe	44
PID 1980 wrote to memory of 2044	1980	{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe	44
PID 1980 wrote to memory of 2012	1980	{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe	45
PID 1980 wrote to memory of 2012	1980	{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe	45
PID 1980 wrote to memory of 2012	1980	{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe	45
PID 1980 wrote to memory of 2012	1980	{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe
  C:\Windows\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe
    C:\Windows\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{87E41~1.EXE > nul
      4⤵
      PID:2572
  - - C:\Windows\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe
      C:\Windows\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97389~1.EXE > nul
        5⤵
        
        PID:2104
    - - C:\Windows\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe
        
        C:\Windows\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
      - C:\Windows\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe
        
        C:\Windows\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe
        
        C:\Windows\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe
        
        C:\Windows\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe
        
        C:\Windows\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe
        
        C:\Windows\{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0ACC~1.EXE > nul
        11⤵
        
        PID:488
        
        C:\Windows\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe
        
        C:\Windows\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\{F51AFC40-4C64-4783-8F5E-5E96E6C80767}.exe
        
        C:\Windows\{F51AFC40-4C64-4783-8F5E-5E96E6C80767}.exe
        12⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFE16~1.EXE > nul
        12⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFA2A~1.EXE > nul
        10⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94EB5~1.EXE > nul
        9⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{768D1~1.EXE > nul
        8⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{914FB~1.EXE > nul
        7⤵
        
        PID:1468
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B67D~1.EXE > nul
        6⤵
        
        PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4ADCA~1.EXE > nul
    3⤵
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe

Filesize
216KB

MD5
5b6dd4c9a4bd73c300482d3b6f8e348b

SHA1
bb7975648a4b654c0a33df075ac64c0ecc101cf3

SHA256
8d00a670cffce1c5b41c1293101e91f867ecae9ef8fe7a000d0cc4e487923ff1

SHA512
ee976d93b5316e17fc996cd446453329c626cd43b0221db1531b48f8d99bac6514a3bf8f27e1aacdeb1073eae243797ef6ed85d582654edf59e671711c35666c

Download Submit
C:\Windows\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe

Filesize
216KB

MD5
33b879acd436e5fa843fd5a2a827efd8

SHA1
9c1cde48368beef0941669b954827cf8a089ec2e

SHA256
09384b165b5d67a67a7a265c412af83b9208c72dc54af40088c508ed636dcf0c

SHA512
d976117dd9e537a0a615e01a1df4f2e66d42d2b9377bb0f71f8ad2adb30d23b7b34ace2618b5f00e7c5686a768b868489bc54838acac4292d06769da4712ec05

Download Submit
C:\Windows\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe

Filesize
216KB

MD5
ff0920c54dd11bee0d10f621fc6678d3

SHA1
3878f4544958db757f10854f2acda1c658accfaa

SHA256
992992ff3d7ac2b10212dfa9bb8ce0d6c9fab99e6f6576385401e0b9757f25a6

SHA512
f3d02cc0fcb33ce689e4037183aae492724151ebce0e9e43e92ca5e1acd8880a03cdefdf341b9c92c2eaf6cb2218795396c183c0c1bcb4ad6d1385d5d1583216

Download Submit
C:\Windows\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe

Filesize
216KB

MD5
f5780656b25fdd72f0d81a5a3d91ba2d

SHA1
79f772ceffd54ecb2141e2189590afb0a972c374

SHA256
79ae65f4a3230530178afcc0d7dbb1d22e3b2a6c626ac6d9c1b46b11224f553a

SHA512
10d090fc1c0a961ccc6735bc274f5b0ce4796f467fdb0124f239e28ef3048be0db8ed67a574b40e597fa9d8f9f43074abc97f4bf3b20a2afa413e848851980fe

Download Submit
C:\Windows\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe

Filesize
216KB

MD5
b26d7977fdf17571d15386d121e956ef

SHA1
05042f2acf30b437d0a866371401b315fbb0996d

SHA256
a97780f21dd82803e0e530d807b3109b6e973ca89498ed2877653b4feaef6e5f

SHA512
81d19ead5c720725b0a2c9396d7599e4b8c326809c079c673b8e1203ac3357e9e79b95be0f14b253824885a251cb3aa95502b5e5796f7ddc506a4642794af5f3

Download Submit
C:\Windows\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe

Filesize
216KB

MD5
7e2372068d47b4171149f0f1cace9dcc

SHA1
e425a3296b4491b15dd799f877671a0cd620ebc8

SHA256
56aa25e1955f016bf9201f87acab33edbf4ddc21a0c0b99aa8fca9b525a28573

SHA512
ac84cc4c73a793f84f37586c5b0bc3a6ad5bd1cd3fc29192111300fb0203902a98bb7ddfd69af23a5936d3f4891e1d220cd67d6dbff2ef1e176fe711192e9b42

Download Submit
C:\Windows\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe

Filesize
216KB

MD5
e702938513f098b96d2f93382700fee8

SHA1
523a223bffa0f8611f01f0d6202aaab57e3de7c6

SHA256
5dafe9327c681dba4e7e36ef3c248a900c5a5eeb3e4ec883f242212118b4c7a3

SHA512
2de2ec285598b36c96d1f8fa647803801e75a7ef3435d7a7f9619ab367617a368c846d7daaecc403cf741a68bbf7d616d6704c7f7830838517973ecf728a5918

Download Submit
C:\Windows\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe

Filesize
216KB

MD5
27dd5281edeab54fe477c7468e17a29b

SHA1
2865f6e217caec9fa34f8c70e56ec5aad32876f9

SHA256
74cb78644cbca0c2544f733a2478caca9daa4d6d10d4abfc8a9a36d500a1844d

SHA512
16ebb530bfde796ec757c31a295a2007de0f22549838ab57d20208d3707084503f79e905f0a5ebdd8cc75d1b5fbd6f35497762b556ca1b73a85a547383c34ac1

Download Submit
C:\Windows\{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe

Filesize
216KB

MD5
f0b54aff638b19b93c01beb9b7ab4f5c

SHA1
5d906f38f8bf020f44776e79537d173f1b691536

SHA256
b6969996924412c771ca557c52e22c5e4980c07b7cef68ee6b53dcc7a4392e0c

SHA512
128bbe90dce3eb29a5f009f7c1b9ab8bcfd2105d278b4496b6ce8c2ed08df00732bfadd314e13e646901a026fe3a792186a494d59ea5a8abb122f39587387c21

Download Submit
C:\Windows\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe

Filesize
216KB

MD5
d20bb5fda7a254dbea55ae36637ff687

SHA1
8eb76d7598f61eaa108968b248014baedc21fe71

SHA256
0e8122996f5d87b5224a91fdda139ef278db660e812ec81b6e647cca0eb09433

SHA512
f76ab5cf679eec27e9e1719196e2c21ba6c7e4add96c2956ae5ac9e26657dcbf5a7fab457a9d18667c9e33d0aab58acc94f5291ffb5d84b464af57f01511de7f

Download Submit
C:\Windows\{F51AFC40-4C64-4783-8F5E-5E96E6C80767}.exe

Filesize
216KB

MD5
5d0d6aacd2c901308c902a5d1a9425f8

SHA1
9cba4df3d34d678f033512d820dabd926d7d6527

SHA256
d72e9b373824e2e8c0b75737b483eec0cfef33c6aaa9cfd8ce8545cbea732345

SHA512
6c8798acc370e6508ca550183571bae195d4dff801d7f252d8fac325e1018a3c451caaea031d537013c9497fa34b2913f5976ced29e1af2209157e65786c51ca

Download Submit