d26080a461a5eb56caf12e0974071d9e8615dd18b8f66f8851ca0de7f5ebb995

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe
Size

180KB
MD5

add0c32186c6990912bc0fe959b309cd
SHA1

54b5d13a34914aefeee12ad82ff03a4042c384cb
SHA256

d26080a461a5eb56caf12e0974071d9e8615dd18b8f66f8851ca0de7f5ebb995
SHA512

80ded41670d213d6f6e79127027910faff01463f513ebda22336db7d2d6bdf4c72abea6395f2ba9c5b0bd1e89e13f0ad72d94ad82c6cd65f8d596825205491aa
SSDEEP

3072:jEGh0oLlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGpl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EF42210D-4BCA-4407-A79E-C55922CC3207}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}.exe2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}.exe{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}\stubpath = "C:\\Windows\\{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe"	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B3D3679-E182-4762-BF4C-A22B365F6960}\stubpath = "C:\\Windows\\{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe"	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5484C114-788A-401f-8C3D-2F35A4AFE27D}	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{501944C8-85B5-43a4-B623-36B93ED4BC90}	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{501944C8-85B5-43a4-B623-36B93ED4BC90}\stubpath = "C:\\Windows\\{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe"	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}\stubpath = "C:\\Windows\\{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe"	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF42210D-4BCA-4407-A79E-C55922CC3207}	{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}\stubpath = "C:\\Windows\\{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe"	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}\stubpath = "C:\\Windows\\{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe"	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5484C114-788A-401f-8C3D-2F35A4AFE27D}\stubpath = "C:\\Windows\\{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe"	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}\stubpath = "C:\\Windows\\{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe"	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}	{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF42210D-4BCA-4407-A79E-C55922CC3207}\stubpath = "C:\\Windows\\{EF42210D-4BCA-4407-A79E-C55922CC3207}.exe"	{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B3D3679-E182-4762-BF4C-A22B365F6960}	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}	{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}\stubpath = "C:\\Windows\\{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}.exe"	{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}\stubpath = "C:\\Windows\\{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}.exe"	{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2060 cmd.exe

pid	process
2060	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}.exe{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}.exe{EF42210D-4BCA-4407-A79E-C55922CC3207}.exe

pid	process
2848	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe
2796	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe
2628	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe
2100	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe
2964	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe
644	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe
1560	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe
2560	{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe
1196	{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}.exe
3020	{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}.exe
708	{EF42210D-4BCA-4407-A79E-C55922CC3207}.exe

Drops file in Windows directory 11 IoCs

Processes:

{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}.exe{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}.exe

description	ioc	process
File created	C:\Windows\{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe
File created	C:\Windows\{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe
File created	C:\Windows\{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe
File created	C:\Windows\{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe
File created	C:\Windows\{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}.exe	{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe
File created	C:\Windows\{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe
File created	C:\Windows\{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe
File created	C:\Windows\{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe
File created	C:\Windows\{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe
File created	C:\Windows\{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}.exe	{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}.exe
File created	C:\Windows\{EF42210D-4BCA-4407-A79E-C55922CC3207}.exe	{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}.exe{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1960	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2848	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe
Token: SeIncBasePriorityPrivilege	2796	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe
Token: SeIncBasePriorityPrivilege	2628	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe
Token: SeIncBasePriorityPrivilege	2100	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe
Token: SeIncBasePriorityPrivilege	2964	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe
Token: SeIncBasePriorityPrivilege	644	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe
Token: SeIncBasePriorityPrivilege	1560	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe
Token: SeIncBasePriorityPrivilege	2560	{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe
Token: SeIncBasePriorityPrivilege	1196	{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}.exe
Token: SeIncBasePriorityPrivilege	3020	{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1960 wrote to memory of 2848	1960	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe
PID 1960 wrote to memory of 2848	1960	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe
PID 1960 wrote to memory of 2848	1960	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe
PID 1960 wrote to memory of 2848	1960	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe
PID 1960 wrote to memory of 2060	1960	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe	cmd.exe
PID 1960 wrote to memory of 2060	1960	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe	cmd.exe
PID 1960 wrote to memory of 2060	1960	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe	cmd.exe
PID 1960 wrote to memory of 2060	1960	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe	cmd.exe
PID 2848 wrote to memory of 2796	2848	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe
PID 2848 wrote to memory of 2796	2848	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe
PID 2848 wrote to memory of 2796	2848	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe
PID 2848 wrote to memory of 2796	2848	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe
PID 2848 wrote to memory of 2736	2848	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe	cmd.exe
PID 2848 wrote to memory of 2736	2848	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe	cmd.exe
PID 2848 wrote to memory of 2736	2848	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe	cmd.exe
PID 2848 wrote to memory of 2736	2848	{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe	cmd.exe
PID 2796 wrote to memory of 2628	2796	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe
PID 2796 wrote to memory of 2628	2796	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe
PID 2796 wrote to memory of 2628	2796	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe
PID 2796 wrote to memory of 2628	2796	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe
PID 2796 wrote to memory of 2740	2796	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe	cmd.exe
PID 2796 wrote to memory of 2740	2796	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe	cmd.exe
PID 2796 wrote to memory of 2740	2796	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe	cmd.exe
PID 2796 wrote to memory of 2740	2796	{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe	cmd.exe
PID 2628 wrote to memory of 2100	2628	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe
PID 2628 wrote to memory of 2100	2628	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe
PID 2628 wrote to memory of 2100	2628	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe
PID 2628 wrote to memory of 2100	2628	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe
PID 2628 wrote to memory of 1804	2628	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe	cmd.exe
PID 2628 wrote to memory of 1804	2628	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe	cmd.exe
PID 2628 wrote to memory of 1804	2628	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe	cmd.exe
PID 2628 wrote to memory of 1804	2628	{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe	cmd.exe
PID 2100 wrote to memory of 2964	2100	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe
PID 2100 wrote to memory of 2964	2100	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe
PID 2100 wrote to memory of 2964	2100	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe
PID 2100 wrote to memory of 2964	2100	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe
PID 2100 wrote to memory of 1288	2100	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe	cmd.exe
PID 2100 wrote to memory of 1288	2100	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe	cmd.exe
PID 2100 wrote to memory of 1288	2100	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe	cmd.exe
PID 2100 wrote to memory of 1288	2100	{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe	cmd.exe
PID 2964 wrote to memory of 644	2964	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe
PID 2964 wrote to memory of 644	2964	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe
PID 2964 wrote to memory of 644	2964	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe
PID 2964 wrote to memory of 644	2964	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe
PID 2964 wrote to memory of 288	2964	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe	cmd.exe
PID 2964 wrote to memory of 288	2964	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe	cmd.exe
PID 2964 wrote to memory of 288	2964	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe	cmd.exe
PID 2964 wrote to memory of 288	2964	{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe	cmd.exe
PID 644 wrote to memory of 1560	644	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe
PID 644 wrote to memory of 1560	644	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe
PID 644 wrote to memory of 1560	644	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe
PID 644 wrote to memory of 1560	644	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe
PID 644 wrote to memory of 1768	644	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe	cmd.exe
PID 644 wrote to memory of 1768	644	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe	cmd.exe
PID 644 wrote to memory of 1768	644	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe	cmd.exe
PID 644 wrote to memory of 1768	644	{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe	cmd.exe
PID 1560 wrote to memory of 2560	1560	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe	{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe
PID 1560 wrote to memory of 2560	1560	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe	{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe
PID 1560 wrote to memory of 2560	1560	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe	{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe
PID 1560 wrote to memory of 2560	1560	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe	{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe
PID 1560 wrote to memory of 1232	1560	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe	cmd.exe
PID 1560 wrote to memory of 1232	1560	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe	cmd.exe
PID 1560 wrote to memory of 1232	1560	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe	cmd.exe
PID 1560 wrote to memory of 1232	1560	{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe
C:\Windows\{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe
C:\Windows\{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DBDEE~1.EXE > nul
4⤵
PID:2740

C:\Windows\{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe
C:\Windows\{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5484C~1.EXE > nul
5⤵
PID:1804

C:\Windows\{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe
C:\Windows\{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe
C:\Windows\{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe
C:\Windows\{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe
C:\Windows\{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe
C:\Windows\{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}.exe
C:\Windows\{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}.exe
C:\Windows\{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\{EF42210D-4BCA-4407-A79E-C55922CC3207}.exe
C:\Windows\{EF42210D-4BCA-4407-A79E-C55922CC3207}.exe
12⤵
- Executes dropped EXE
PID:708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0E09C~1.EXE > nul
12⤵
PID:656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{87599~1.EXE > nul
11⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A9577~1.EXE > nul
10⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0ED6B~1.EXE > nul
9⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7B3D3~1.EXE > nul
8⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EEE58~1.EXE > nul
7⤵
PID:288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{50194~1.EXE > nul
6⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EBEDE~1.EXE > nul
3⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E09CEA0-E17D-433f-93E4-F623D7BC5D4B}.exe

Filesize
180KB

MD5
9908f74d0d9b7780819406833ae12cae

SHA1
4431e8c16ca05446bf90728a4cf9b45c562301bd

SHA256
20ca446546ac75e942b8dcd30d3310c74e184458a8baf5d2db8563a5e3042633

SHA512
6ca181af44157f5e64bb487d14d25668d99d548a8a1f7833f16bbce08bfabe37a44ecb97f0ad916d20bb58e98de20405fafa95cda305c465e9366c6c3b3520b2

Download Submit
C:\Windows\{0ED6BE15-A0AF-4dc3-99C3-33706D139EE2}.exe

Filesize
180KB

MD5
0248f610e3f0ffe02063a943ee8837df

SHA1
6a97700ec1bcfc99919712af39b7c7948b05e4cc

SHA256
cd03fbcfa3fa15d040ffe27f3f37bb793213f19f8a812bcb16fd8d6101b548e2

SHA512
767dadca0d4b541799fb696a1d1c723aba2af9ad48f7a22000c61e4e04797011b497843091d30567118ad2bf76b74b14f5e54b6b1b0c4f9c788d9fb11d4e93a8

Download Submit
C:\Windows\{501944C8-85B5-43a4-B623-36B93ED4BC90}.exe

Filesize
180KB

MD5
873965bf2b810f5b26284771cc2d3bef

SHA1
02ccde98b5305b9bbf8aa4a97fc9b5e87ea35b2f

SHA256
366802a39d0e44ba364f57ae1aa1b7fba8c9b5a9f438f82df8fbd3cb4ab0128f

SHA512
2615db804750becb87fedc5e1ea7f6e0898d21f09a99525714a09e81018fdb70c23f6a91a7793c76eac9a3365663ea8b67fe82077b043d4e7f9e56f2ad7f6f0e

Download Submit
C:\Windows\{5484C114-788A-401f-8C3D-2F35A4AFE27D}.exe

Filesize
180KB

MD5
f39743baa977ab5965bc7fc9eb43354a

SHA1
886c51904466833c26f8519fe67d3193435c0db4

SHA256
86103e349071c54ae8e26ea5b1ea244e50df9292adb368cd6f95e8bceefcfe4a

SHA512
e71d6bcd40492f90d5deaebf097f5e3e42c40e06b459581829750e3a90fe328a1df8d990d7c819b8c7fe9f8f2198249df7463cb22e9172eb03cdf7744a841014

Download Submit
C:\Windows\{7B3D3679-E182-4762-BF4C-A22B365F6960}.exe

Filesize
180KB

MD5
9001c3aa04b6fb097dacc749e1caf9ef

SHA1
9bfbba75935e416d8cd9cce7c8a756e781949639

SHA256
5faf3de1f9c83b0a03a058eb16ee552e10198a1162581f0ef2f82fb8d90e9b16

SHA512
97561741a7f2491f92f14b4babcc4506003ef75341892f23eadeb82e1089f252989e92a49437c481f0c428b6edbee4f1b93c2646fb1fd9eea614db1aa4aa71cb

Download Submit
C:\Windows\{87599EBB-BA49-49d9-AE9E-729A9DD8B6C6}.exe

Filesize
180KB

MD5
b2eeecd5e72b40674da35e968edab605

SHA1
162b7f27ad9b61b0287cdc2f3c2ee5eeac2d8cec

SHA256
8a20ff9676013d87bd606518174840ce72d25f316add64c866923135d6b98842

SHA512
912864bcd14c357e9348678fa4cbec6904e17e042953506224981dd930c2cd27bb9d0063d65cc7551752803d38e03fb16fedbd61b5c081bc33d69764732a5b60

Download Submit
C:\Windows\{A9577A9F-1AD2-4624-BB3D-FE59FFC392F8}.exe

Filesize
180KB

MD5
7142b82b5804940b6ea36bfd9ec47c1d

SHA1
f9fcf5c1f3a7446e1164bbf27dff07c7a5fa37dd

SHA256
875df589c297cf8a1d18fe7fb3f4c6dc7f4b2cc7c485ecde09eaddc4d78bd9d5

SHA512
8b5125b0de840e76a8704db3a09ead622e0e37fc4240ae2700e921661165af36eef01a23c59fbf3174c498aba866047ab08fe2eba66151fbe82d61487e3d7db3

Download Submit
C:\Windows\{DBDEE1FD-7B55-4218-8BFF-D9F2778ED3CB}.exe

Filesize
180KB

MD5
6af12eac48b299460c400f6fedb8e1b0

SHA1
cf8e6069f17ab15ae8cf79cc291fa3bd2f17e1cb

SHA256
bb70c35a20706c99daa09f3ec586aa986224ab9659c5bea41c42a9ac397fc2f1

SHA512
e3da276b9ce7c2fc47ff36398f1481e00fe33448379dccd6aa5ce22193ff9581d0cd4d374e44800460f2e99db94ba77ea1b0084ae8d1307875f786d656a271f0

Download Submit
C:\Windows\{EBEDE7DA-727C-4ce3-A708-587CE43C9BAA}.exe

Filesize
180KB

MD5
bb36654979a5063208ef48e85d572f40

SHA1
2d0d4b0834692f13f4f47b4077b75b95edc07d68

SHA256
aee38ce89a4d4d40388d68a53550ea62bba1afc028d341204f665d432d6c16ad

SHA512
a19632097ff473b5655a8792c5cf27c37ad73909a0134f174a67a6cfe5400e45d3536c5cf97033bd0ac946a3f19e2ca0e4357b5b050218d65799c14047b43ebf

Download Submit
C:\Windows\{EEE588BF-7FC8-4662-8FA9-3D1B7BF05B6E}.exe

Filesize
180KB

MD5
370b7e41dbebb78000999e034698a6cd

SHA1
c236b6c9ca5742483c276c3ee90d3ec01d6b7a3a

SHA256
d0241448154697cbb66560bbcc4705a2d56a1bbd3fe8153a4ee45e2bf2830077

SHA512
d2875bfd2cebc2446ea89f0d7d11e82d0b206baad784b57392f7e73df3980093ff99f58d95df39ffa87d97ba1374560f169f298e336aa1f5c35cf8e001adafb2

Download Submit
C:\Windows\{EF42210D-4BCA-4407-A79E-C55922CC3207}.exe

Filesize
180KB

MD5
29e51426e844c29de1d24754fff7614d

SHA1
5058f7b45240dd82be09e0c51bb4bc4217728877

SHA256
1c816b9af856fa7f31f4db085ab13e9d3fe5e3540fdeb416afaa5cf78e015983

SHA512
00f09e915af265ab8d4c1c71eb2583f82043f2580a14ab2e36f994025f0b0c9f497dc4077db11618edfce9bba6f122e95fbe284095cf84e474e049f997bab566

Download Submit