Analysis
max time kernel: 144s
max time network: 118s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 17:40
Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
Resource: win10v2004-20231222-en
General
Target: 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
Size: 372KB
MD5: e9ce5a1b440fb4114446d8dee06b7782
SHA1: 037c2635b615c2e552667074c4b6ca20a2c93801
SHA256: c54d81d3a282103b95ab0bd828f1f44f4bdba84b31d12c6f78c08300485a18cb
SHA512: b2c33d59289e9529b26c2145cc4b1466069b6b3608c7c95c7fa656674fddeb1f480c19df2f3256e1120dd6ff24c00ee98a0eec2f585c7fda228c4d46db8d9687
SSDEEP: 3072:CEGh0oKmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGdl/Oe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
resource | yara_rule
C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{679C5439-0BBE-470e-98FA-C2E90739110C}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}\stubpath = "C:\\Windows\\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe" | {BD045A06-0F31-4f80-846C-846174FAF3EA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}\stubpath = "C:\\Windows\\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe" | {6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE465E0C-A716-40da-A7C2-FF81D046B430}\stubpath = "C:\\Windows\\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe" | {4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD045A06-0F31-4f80-846C-846174FAF3EA}\stubpath = "C:\\Windows\\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe" | {1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588} | {6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}\stubpath = "C:\\Windows\\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe" | {6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D726E3DB-1DFC-404f-BF80-78C2F3232C47} | {BD045A06-0F31-4f80-846C-846174FAF3EA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE8157B-DC36-4640-AA7F-10138D83644D} | {EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}\stubpath = "C:\\Windows\\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe" | {0CE8157B-DC36-4640-AA7F-10138D83644D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE465E0C-A716-40da-A7C2-FF81D046B430} | {4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{679C5439-0BBE-470e-98FA-C2E90739110C}\stubpath = "C:\\Windows\\{679C5439-0BBE-470e-98FA-C2E90739110C}.exe" | {DE465E0C-A716-40da-A7C2-FF81D046B430}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B} | 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6} | {0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}\stubpath = "C:\\Windows\\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe" | {0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE8157B-DC36-4640-AA7F-10138D83644D}\stubpath = "C:\\Windows\\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe" | {EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0} | {0CE8157B-DC36-4640-AA7F-10138D83644D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}\stubpath = "C:\\Windows\\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe" | 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0} | {D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}\stubpath = "C:\\Windows\\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe" | {D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A} | {6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{679C5439-0BBE-470e-98FA-C2E90739110C} | {DE465E0C-A716-40da-A7C2-FF81D046B430}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD045A06-0F31-4f80-846C-846174FAF3EA} | {1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe
-
Deletes itself 1 IoCs
pid | process
2972 | cmd.exe
-
Executes dropped EXE 11 IoCs
pid | process
1608 | {6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe
2796 | {0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe
2984 | {1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe
2808 | {BD045A06-0F31-4f80-846C-846174FAF3EA}.exe
2960 | {D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe
2864 | {EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe
1772 | {0CE8157B-DC36-4640-AA7F-10138D83644D}.exe
2880 | {6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe
2088 | {4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe
2044 | {DE465E0C-A716-40da-A7C2-FF81D046B430}.exe
588 | {679C5439-0BBE-470e-98FA-C2E90739110C}.exe
-
Drops file in Windows directory 11 IoCs
description | ioc | process
File created | C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe | {BD045A06-0F31-4f80-846C-846174FAF3EA}.exe
File created | C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe | {0CE8157B-DC36-4640-AA7F-10138D83644D}.exe
File created | C:\Windows\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe | {4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe
File created | C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe | {1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe
File created | C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe | {D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe
File created | C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe | {EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe
File created | C:\Windows\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe | {6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe
File created | C:\Windows\{679C5439-0BBE-470e-98FA-C2E90739110C}.exe | {DE465E0C-A716-40da-A7C2-FF81D046B430}.exe
File created | C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe | 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
File created | C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe | {6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe
File created | C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe | {0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | process
Token: SeIncBasePriorityPrivilege | 1568 | 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1608 | {6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe
Token: SeIncBasePriorityPrivilege | 2796 | {0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe
Token: SeIncBasePriorityPrivilege | 2984 | {1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe
Token: SeIncBasePriorityPrivilege | 2808 | {BD045A06-0F31-4f80-846C-846174FAF3EA}.exe
Token: SeIncBasePriorityPrivilege | 2960 | {D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe
Token: SeIncBasePriorityPrivilege | 2864 | {EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe
Token: SeIncBasePriorityPrivilege | 1772 | {0CE8157B-DC36-4640-AA7F-10138D83644D}.exe
Token: SeIncBasePriorityPrivilege | 2880 | {6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe
Token: SeIncBasePriorityPrivilege | 2088 | {4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe
Token: SeIncBasePriorityPrivilege | 2044 | {DE465E0C-A716-40da-A7C2-FF81D046B430}.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | process | target process
(each parent/target pair below was recorded four times in the report, 64 events in total)
PID 1568 wrote to memory of 1608 | 1568 | 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe | {6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe
PID 1568 wrote to memory of 2972 | 1568 | 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe | cmd.exe
PID 1608 wrote to memory of 2796 | 1608 | {6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe | {0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe
PID 1608 wrote to memory of 2652 | 1608 | {6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe | cmd.exe
PID 2796 wrote to memory of 2984 | 2796 | {0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe | {1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe
PID 2796 wrote to memory of 2584 | 2796 | {0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe | cmd.exe
PID 2984 wrote to memory of 2808 | 2984 | {1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe | {BD045A06-0F31-4f80-846C-846174FAF3EA}.exe
PID 2984 wrote to memory of 2284 | 2984 | {1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe | cmd.exe
PID 2808 wrote to memory of 2960 | 2808 | {BD045A06-0F31-4f80-846C-846174FAF3EA}.exe | {D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe
PID 2808 wrote to memory of 2092 | 2808 | {BD045A06-0F31-4f80-846C-846174FAF3EA}.exe | cmd.exe
PID 2960 wrote to memory of 2864 | 2960 | {D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe | {EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe
PID 2960 wrote to memory of 1544 | 2960 | {D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe | cmd.exe
PID 2864 wrote to memory of 1772 | 2864 | {EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe | {0CE8157B-DC36-4640-AA7F-10138D83644D}.exe
PID 2864 wrote to memory of 1784 | 2864 | {EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe | cmd.exe
PID 1772 wrote to memory of 2880 | 1772 | {0CE8157B-DC36-4640-AA7F-10138D83644D}.exe | {6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe
PID 1772 wrote to memory of 2204 | 1772 | {0CE8157B-DC36-4640-AA7F-10138D83644D}.exe | cmd.exe
Processes
(the bracketed number is the nesting depth of the process in the sandbox's process tree)
-
[1] C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe"
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568
-
[2] C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe
Command line: C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
-
[3] C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe
Command line: C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
-
[4] C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe
Command line: C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
-
[5] C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe
Command line: C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
-
[6] C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe
Command line: C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
-
[7] C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe
Command line: C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
-
[8] C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe
Command line: C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772
-
[9] C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe
Command line: C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2880
-
[10] C:\Windows\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe
Command line: C:\Windows\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2088
-
[11] C:\Windows\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe
Command line: C:\Windows\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2044
-
[12] C:\Windows\{679C5439-0BBE-470e-98FA-C2E90739110C}.exe
Command line: C:\Windows\{679C5439-0BBE-470e-98FA-C2E90739110C}.exe
- Executes dropped EXE
PID:588
-
[12] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DE465~1.EXE > nul
PID:1476
-
[11] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4EDEA~1.EXE > nul
PID:2072
-
[10] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6DD33~1.EXE > nul
PID:764
-
[9] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0CE81~1.EXE > nul
PID:2204
-
[8] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EFAC1~1.EXE > nul
PID:1784
-
[7] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D726E~1.EXE > nul
PID:1544
-
[6] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BD045~1.EXE > nul
PID:2092
-
[5] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1E427~1.EXE > nul
PID:2284
-
[4] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0C4E2~1.EXE > nul
PID:2584
-
[3] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6E860~1.EXE > nul
PID:2652
-
[2] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
- Deletes itself
PID:2972
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 372KB
MD5: 907cbd884bc873547063f340cbf7085b
SHA1: 5681e6add60981ce458d7a0c53963e99871cde23
SHA256: 5f3a871e94ffdf58f4bb26b8ada1c05ab1418fa3772ef879fd8c31d3bd820d20
SHA512: 90ca3b205ec1bc6f4c9ac88c767f925ec2b37eaa1883038e96fcd7b3f52359a5e277232e417ee927dd177e4963637eb8b3ffbc12ee64f109bb89c85472720c1f
-
Filesize: 372KB
MD5: b9738adc5d6ba50b1fd490a96c97dbce
SHA1: 076578dc792b7aa995dff9ec0e181cfbdc095a2e
SHA256: 12a44f9c0a4a8c80ab9c02c5ebbfe68f4d3d8499600ac50684931998f80da0ed
SHA512: 172008ed79709f97669e5bd09a28e8b316d8bf008f3741a76c36020bea45883236969e293ac7d3bc7700e5d591226ef75cd4d7561338755ade1ee1d56e079bd9
-
Filesize: 372KB
MD5: 895c9c4752089e4e752062c5b2a85306
SHA1: e018149c1e0bdaa676663c7d90a68d0f20be1ded
SHA256: 505c2cd6059b38662ecac735ae80121c2deafd628719c1e8031bfd069b6c7d45
SHA512: 521b0d2d9555bf45fda19e45153088bcdc388b851f0ce8fc17c33194a34fcb2004763833539b65e1ca712287f228cb38647ba441d0c764f5eb681d618e5dd893
-
Filesize: 372KB
MD5: 5e6180a158e5f5c4151abfc05d58fdca
SHA1: 5a9be92a2116bf99e3f4ad5279bcc7e33a401d3c
SHA256: 6c73d50b6556fb111be7e43d605461c817d9f017d81919f4fbbef4bd22856075
SHA512: e0947cb7c153fc041b768ab8f27c53991223334862e275d4d6ce22aa791e60323feee9c497e98b85c6a371ffc88b244a60dcd6d5c9d6dd5092bbeeae1ddce432
-
Filesize: 372KB
MD5: b14cbcdfe47025f626967e9509f194c6
SHA1: dd25222056ee90edb108cae942c7860f9e7aaa2c
SHA256: b58bdf24c5c0b74e39c60ef7d658da3c6f94510357ec31eb80736ce7214b83f6
SHA512: d1ddb4875678254370b02d333b0c46f08e1107c87594f3302bdcaabf135634538cc95f2f78b5ac5ae4f45cdacc82536503708d2e6af0ad6c2589b4ebef4ce1ba
-
Filesize: 372KB
MD5: 466bd219fbf8077940dd6074fc49c7be
SHA1: 83224ff0d483d1da73b306cbe2d843abbd7b3f06
SHA256: cab15fa1349fc97187b8c0ea6da18bd8b05867bf955eeaed079510cc69e4c011
SHA512: 76594f3d59999ed6abf9172dfc561bc0cea39764c9ebb1abb2726c266aa7a9923b2964493fa12cfa7f5e0a5cc3051cbba273f326477e9164b3ccb0f21f436962
-
Filesize: 372KB
MD5: b51aea40f7d4f7cfd9fb4a96e5f4a69f
SHA1: 4c3711895d97638683dbdc244aa31b87543281a4
SHA256: 2227ae2c69177d2d5a912e15ca1716be1f3a0bedb46f82b3c488a9d306c014c1
SHA512: 8015105cb322c78d16d931077f1c34d7b145b97156dc67d33128cc19d93ecaff87b7b6f655221ab8683fdef65513c3fc83c53605e78cf9c21635d2db6def4478
-
Filesize: 372KB
MD5: 066ae44410e5c09af80d9a848a988bdc
SHA1: b6beac6885ebb1dbdccf641db30078621668f20d
SHA256: 5dc772493c7d6a208c4e05b4cc2d5a793f3ad8a97f5123562d50ebd68e7aa8d4
SHA512: 92a361cb240b6adf94eae3d70ebb5b9f29aba87fdfca5b7a73075b89b67a3d3538735c2675e6dd708d82f02484d2607eb44024565b077cd769d0688ed68e8960
-
Filesize: 372KB
MD5: 02f97f4aaaa777cd7477af57a3c034fd
SHA1: e5f49efebc0e3442c8a60dcd529baae22fc33a24
SHA256: 309a3347a88cfedf87e3f393803d0c631edc82d962f29e6f7c398ed8d3741f8e
SHA512: 5cada2e938cbad3e224aab08c8f44ae6a1788459e1bf60b42e2474fb2bb1049dd7ee3d184ccf154dfea5cfa4fcf53404755fbac57244e7f2928bb16aa106ee15
-
Filesize: 372KB
MD5: efa1329c5eba06b2c094aa76c7bd84f9
SHA1: 32a88fddc69939f42b39aeaaec86644bba8a7331
SHA256: 21e29fa2596cfd4ae9d5d613d063d13c32e2b255964f63d50cfc81f82dce95ca
SHA512: 121c0b9169f5d9800da7e21592412db08661005e67b50724b250a2a7b3d9275319823624dcb53bc94846794bf4daa14f351d74280fb5835b2f69ec44658b6027
-
Filesize: 372KB
MD5: fd7a602c9b2ea63448c3da3802bd0300
SHA1: 307d9667fa231077a5f15557007633e2fa08d7c6
SHA256: 02fd3eb4f49d42c6da7e632233349970e72e2c744c64bee0f2411a5d12b4d98d
SHA512: 610521f6e39170849b8d80ce8b3e2f5d071409f7786ea22b9eea013a11a8839dbec07910faffc8222dde195efd2e5a1c0b9f72d09514ede066de44811da121a8