Analysis
max time kernel: 149s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 17:40
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
  Resource: win10v2004-20231222-en
General
Target: 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
Size: 372KB
MD5: e9ce5a1b440fb4114446d8dee06b7782
SHA1: 037c2635b615c2e552667074c4b6ca20a2c93801
SHA256: c54d81d3a282103b95ab0bd828f1f44f4bdba84b31d12c6f78c08300485a18cb
SHA512: b2c33d59289e9529b26c2145cc4b1466069b6b3608c7c95c7fa656674fddeb1f480c19df2f3256e1120dd6ff24c00ee98a0eec2f585c7fda228c4d46db8d9687
SSDEEP: 3072:CEGh0oKmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGdl/Oe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
Auto-generated rule 12 IoCs
All 12 dropped executables match the YARA rule GoldenEyeRansomware_Dropper_MalformedZoomit:
  C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe
  C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe
  C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe
  C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe
  C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe
  C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe
  C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe
  C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe
  C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe
  C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe
  C:\Windows\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe
  C:\Windows\{B5D99E92-FED3-43b6-8616-677561A561B2}.exe
Modifies Installed Components in the registry 2 TTPs 24 IoCs
All keys are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ (the 32-bit registry view, consistent with the sample running as a 32-bit process and launching cmd.exe from SysWOW64). Each stage creates a key named after the GUID of the executable it drops and sets that key's stubpath value to the dropped file's path, so every stage is registered as an Active Setup component.

description | ioc (relative to the path above) | process
Set value (str) | {7C06FFD2-A139-4540-A1D0-2D97DF06C012}\stubpath = "C:\\Windows\\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe" | {D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe
Key created | {728F58DA-165E-4a8b-A8CD-0DA6F82B670A} | {7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe
Key created | {7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E} | 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
Set value (str) | {7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}\stubpath = "C:\\Windows\\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe" | 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
Key created | {5CD513FA-C5C0-49c5-9ACC-4CA7133898DB} | {BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe
Key created | {845210B9-9A38-4f4f-B9A4-5027D11BD20C} | {5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe
Key created | {D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1} | {845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe
Key created | {7C06FFD2-A139-4540-A1D0-2D97DF06C012} | {D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe
Set value (str) | {B5D99E92-FED3-43b6-8616-677561A561B2}\stubpath = "C:\\Windows\\{B5D99E92-FED3-43b6-8616-677561A561B2}.exe" | {619F19CC-DE83-47b7-8E85-0AF074336A87}.exe
Set value (str) | {5D5E049A-A142-43d5-80BB-67C5706BBB63}\stubpath = "C:\\Windows\\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe" | {7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe
Key created | {BB7006D6-8C57-4004-A8E4-815C877D61D9} | {5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe
Set value (str) | {BB7006D6-8C57-4004-A8E4-815C877D61D9}\stubpath = "C:\\Windows\\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe" | {5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe
Set value (str) | {845210B9-9A38-4f4f-B9A4-5027D11BD20C}\stubpath = "C:\\Windows\\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe" | {5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe
Set value (str) | {C03BBB33-E183-4926-A8DA-6484885E98AE}\stubpath = "C:\\Windows\\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe" | {BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe
Key created | {B5D99E92-FED3-43b6-8616-677561A561B2} | {619F19CC-DE83-47b7-8E85-0AF074336A87}.exe
Set value (str) | {D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}\stubpath = "C:\\Windows\\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe" | {845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe
Key created | {BC2C4B19-502B-4995-82D3-F9FC0983D38C} | {728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe
Key created | {C03BBB33-E183-4926-A8DA-6484885E98AE} | {BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe
Key created | {5D5E049A-A142-43d5-80BB-67C5706BBB63} | {7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe
Set value (str) | {5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}\stubpath = "C:\\Windows\\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe" | {BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe
Set value (str) | {728F58DA-165E-4a8b-A8CD-0DA6F82B670A}\stubpath = "C:\\Windows\\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe" | {7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe
Set value (str) | {BC2C4B19-502B-4995-82D3-F9FC0983D38C}\stubpath = "C:\\Windows\\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe" | {728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe
Key created | {619F19CC-DE83-47b7-8E85-0AF074336A87} | {C03BBB33-E183-4926-A8DA-6484885E98AE}.exe
Set value (str) | {619F19CC-DE83-47b7-8E85-0AF074336A87}\stubpath = "C:\\Windows\\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe" | {C03BBB33-E183-4926-A8DA-6484885E98AE}.exe
Executes dropped EXE 12 IoCs
pid | process
4944 | {7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe
3064 | {5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe
1152 | {BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe
3968 | {5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe
2680 | {845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe
4100 | {D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe
3408 | {7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe
4052 | {728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe
4500 | {BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe
1520 | {C03BBB33-E183-4926-A8DA-6484885E98AE}.exe
4648 | {619F19CC-DE83-47b7-8E85-0AF074336A87}.exe
2628 | {B5D99E92-FED3-43b6-8616-677561A561B2}.exe
Drops file in Windows directory 12 IoCs
description | ioc | process
File created | C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe | 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
File created | C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe | {7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe
File created | C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe | {5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe
File created | C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe | {BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe
File created | C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe | {BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe
File created | C:\Windows\{B5D99E92-FED3-43b6-8616-677561A561B2}.exe | {619F19CC-DE83-47b7-8E85-0AF074336A87}.exe
File created | C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe | {5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe
File created | C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe | {845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe
File created | C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe | {D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe
File created | C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe | {7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe
File created | C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe | {728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe
File created | C:\Windows\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe | {C03BBB33-E183-4926-A8DA-6484885E98AE}.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | process
Token: SeIncBasePriorityPrivilege | 2092 | 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4944 | {7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe
Token: SeIncBasePriorityPrivilege | 3064 | {5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe
Token: SeIncBasePriorityPrivilege | 1152 | {BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe
Token: SeIncBasePriorityPrivilege | 3968 | {5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe
Token: SeIncBasePriorityPrivilege | 2680 | {845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe
Token: SeIncBasePriorityPrivilege | 4100 | {D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe
Token: SeIncBasePriorityPrivilege | 3408 | {7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe
Token: SeIncBasePriorityPrivilege | 4052 | {728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe
Token: SeIncBasePriorityPrivilege | 4500 | {BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe
Token: SeIncBasePriorityPrivilege | 1520 | {C03BBB33-E183-4926-A8DA-6484885E98AE}.exe
Token: SeIncBasePriorityPrivilege | 4648 | {619F19CC-DE83-47b7-8E85-0AF074336A87}.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each parent/child pair below is recorded three times in the report ("PID X wrote to memory of Y"). The listing is cut at the 64-IoC cap, so the last pair (1520 → 1608) appears once and nothing is listed for PID 4648's own children.

parent pid | child pid | process | target process
2092 | 4944 | 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe | {7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe
2092 | 1940 | 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe | cmd.exe
4944 | 3064 | {7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe | {5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe
4944 | 4492 | {7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe | cmd.exe
3064 | 1152 | {5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe | {BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe
3064 | 1944 | {5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe | cmd.exe
1152 | 3968 | {BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe | {5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe
1152 | 1512 | {BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe | cmd.exe
3968 | 2680 | {5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe | {845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe
3968 | 980 | {5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe | cmd.exe
2680 | 4100 | {845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe | {D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe
2680 | 2800 | {845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe | cmd.exe
4100 | 3408 | {D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe | {7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe
4100 | 3636 | {D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe | cmd.exe
3408 | 4052 | {7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe | {728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe
3408 | 1096 | {7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe | cmd.exe
4052 | 4500 | {728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe | {BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe
4052 | 640 | {728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe | cmd.exe
4500 | 1520 | {BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe | {C03BBB33-E183-4926-A8DA-6484885E98AE}.exe
4500 | 2328 | {BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe | cmd.exe
1520 | 4648 | {C03BBB33-E183-4926-A8DA-6484885E98AE}.exe | {619F19CC-DE83-47b7-8E85-0AF074336A87}.exe
1520 | 1608 | {C03BBB33-E183-4926-A8DA-6484885E98AE}.exe | cmd.exe (recorded once; list ends here)
Processes
Children are nested under their parent (depth taken from the report's 1⤵ to 13⤵ markers). Each dropped stage is launched with its bare image path as the command line, so command lines are shown only for cmd.exe, which differ. Every stage spawns the next stage and a cmd.exe that deletes the stage's own image by its 8.3 short name, with output sent to nul.

C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe  PID:2092
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe"
  signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  PID:1940
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe  PID:4944
    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  PID:4492
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7CD79~1.EXE > nul
    C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe  PID:3064
      signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  PID:1944
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5D5E0~1.EXE > nul
      C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe  PID:1152
        signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  PID:1512
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BB700~1.EXE > nul
        C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe  PID:3968
          signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\cmd.exe  PID:980
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5CD51~1.EXE > nul
          C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe  PID:2680
            signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe  PID:2800
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{84521~1.EXE > nul
            C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe  PID:4100
              signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\cmd.exe  PID:3636
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D36D6~1.EXE > nul
              C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe  PID:3408
                signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\cmd.exe  PID:1096
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7C06F~1.EXE > nul
                C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe  PID:4052
                  signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                  C:\Windows\SysWOW64\cmd.exe  PID:640
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{728F5~1.EXE > nul
                  C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe  PID:4500
                    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    C:\Windows\SysWOW64\cmd.exe  PID:2328
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BC2C4~1.EXE > nul
                    C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe  PID:1520
                      signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                      C:\Windows\SysWOW64\cmd.exe  PID:1608
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C03BB~1.EXE > nul
                      C:\Windows\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe  PID:4648
                        signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                        C:\Windows\SysWOW64\cmd.exe  PID:1524
                          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{619F1~1.EXE > nul
                        C:\Windows\{B5D99E92-FED3-43b6-8616-677561A561B2}.exe  PID:2628
                          signatures: Executes dropped EXE
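The signature tables and the process tree above record three behaviours worth turning into checks: Active Setup persistence through Installed Components\{GUID}\stubpath (ATT&CK T1547.014), self-deletion through cmd.exe /c del on the stage's 8.3 short name (ATT&CK T1070.004), and a linear chain in which each dropped stage writes the next. The script below is an added example, not part of this report and not the sandbox vendor's tooling. It parses event lines constructed in the same shape as the IoC tables above (the "Set value", "File created" and cmd.exe lines from the first stages, plus one constructed Active Setup entry that must not fire); the line format, the regexes and the function names are assumptions of the example, not a documented log format or API.

```python
"""Triage checks for the dropper behaviour recorded in this report.

Added example: not part of the sandbox report and not the sandbox vendor's code.
The event lines in SAMPLE_EVENTS are constructed to mirror the report's IoC
tables; the line format and regexes are assumptions of this example.
"""
import re
from collections import namedtuple

# "Set value (str) <key>\stubpath = "<path>" <process>"  (Active Setup, 32-bit view)
ACTIVE_SETUP = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft'
    r'\\Active Setup\\Installed Components\\\{(?P<guid>[0-9A-Fa-f-]{36})\}\\stubpath = '
    r'"(?P<stub>[^"]+)" (?P<proc>\S+)$')
# "cmd.exe /c del <8.3 short name> > nul"
SELF_DELETE = re.compile(r'cmd\.exe /c del (?P<target>\S+~\d+\.EXE) > nul', re.IGNORECASE)
# "File created <path> <process>"
FILE_CREATED = re.compile(r'^File created (?P<path>\S+) (?P<proc>\S+)$')

Finding = namedtuple('Finding', 'kind detail process')


def check_active_setup(line):
    """Active Setup persistence (ATT&CK T1547.014): an Installed Components GUID key
    whose stubpath is a GUID-named executable directly under the Windows directory."""
    m = ACTIVE_SETUP.match(line)
    if not m:
        return None
    stub = m.group('stub').replace('\\\\', '\\')        # report output escapes backslashes
    expected = r'C:\Windows\{%s}.exe' % m.group('guid')  # key GUID equals the dropped file name
    if stub.lower() == expected.lower():
        return Finding('active_setup_persistence', stub, m.group('proc'))
    return None


def check_self_delete(line):
    """Self-deletion (ATT&CK T1070.004): cmd.exe /c del on an 8.3 short name such as
    {7CD79~1.EXE, output sent to nul, as every stage in the tree does."""
    m = SELF_DELETE.search(line)
    return Finding('self_delete', m.group('target'), 'cmd.exe') if m else None


def drop_chain(lines):
    """Order the 'File created' events into the drop chain: the process that drops
    stage N+1 is stage N. Returns image names from the first dropper onwards, or []
    when the events do not form a single linear chain."""
    drops = {}  # dropping process name (lowercased) -> dropped file name as written
    for line in lines:
        m = FILE_CREATED.match(line)
        if m:
            drops[m.group('proc').lower()] = m.group('path').rsplit('\\', 1)[-1]
    dropped = {name.lower() for name in drops.values()}
    roots = [proc for proc in drops if proc not in dropped]
    if len(roots) != 1:
        return []
    chain, cur = [roots[0]], roots[0]
    while cur in drops and len(chain) <= len(drops):  # length guard stops cycles
        chain.append(drops[cur])
        cur = drops[cur].lower()
    return chain


def triage(lines):
    """Run both line-level checks over every event and return the findings in order."""
    findings = []
    for line in lines:
        for check in (check_active_setup, check_self_delete):
            hit = check(line)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events mirroring the first stages of this report, plus one
# constructed Active Setup entry whose stubpath is not a GUID-named exe in C:\Windows.
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E} 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}\stubpath = "C:\\Windows\\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe" 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe',
    r'File created C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe',
    r'File created C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe {7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe',
    r'File created C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe {5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D5E049A-A142-43d5-80BB-67C5706BBB63}\stubpath = "C:\\Windows\\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe" {7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe',
    r'C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul',
    r'C:\Windows\system32\cmd.exe /c del C:\Windows\{7CD79~1.EXE > nul',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12345678-1234-1234-1234-123456789ABC}\stubpath = "C:\\Windows\\System32\\regsvr32.exe /s example.dll" setup.exe',
]

if __name__ == '__main__':
    for f in triage(SAMPLE_EVENTS):
        print(f'{f.kind:26} {f.process:60} {f.detail}')
    print(' -> '.join(drop_chain(SAMPLE_EVENTS)))
```

The Active Setup check deliberately keys on the shape seen here (key GUID equal to the file name, file directly under C:\Windows) rather than on any stubpath write, because legitimate installers also register Active Setup components; on a live host the same comparison can be run over the Installed Components keys under HKLM\SOFTWARE and HKLM\SOFTWARE\WOW6432Node. The 8.3 short-name match catches the deletion even though the long GUID path never appears on the cmd.exe command line.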
Network
MITRE ATT&CK Enterprise v15
Downloads
Twelve files, each 372KB:

- MD5: c2ab2233c82c53e02619d31f23abc401
  SHA1: d69cffc5f18efd3f3ed15c237f608717234ddf90
  SHA256: 6f57e9ebd49558844061280b21f1d5289a5b1b5329cc3cead82ba93337d0c25f
  SHA512: 1d7c5804ea3199b08d2e3c034774ea0a6c42765d3d56983ce4883436a327a3a1223bbfa90cdb77e9d28006e8034c0f18a8cfa552b7f10fa820bb320031c82d79
- MD5: d66120a96c303c6ba40873016d900fdd
  SHA1: 833776a5c8ac74178e70a79b0512dbf07d5fb2c2
  SHA256: f928d791f24a40b88dae28c667748804eeee6451fe4607dfe9af6d5ae1a24338
  SHA512: f6ea52e6b9ab8fbbc5834ab57516a41d025a4e17b53270684b135a6689b02af70a48e1bee27570f7462dc3f91b33cafeca2fe3d6484aa731226b886c043447ec
- MD5: 928eac2efb0d97a65ffd1efa5cee8904
  SHA1: 16a781ced4cc48034e6d778c89c7f84d9ef25dd8
  SHA256: 9b387826aa866180f79db6bf22cb7a1139b6dd84af1a54688fed80a6924f23dd
  SHA512: 90a9e3e4f16d62e8654331a2ca90251ad1edfadbab95db21c29e3bc47618616eae98a5dc5a7e2b2ee738872d70cb8ba929a31fef291413138b76ee7f01cf4fd9
- MD5: f880468121c3099e1e5f28241aa13cb8
  SHA1: f13cef84c29f10c296fe0e4e5330c8e1e253b279
  SHA256: 2f8d54d2e5dd9c0d99c94105e14ee45f65dab068b253af6b76f0e98f02178c14
  SHA512: 9cc382f6abc84166c24c58f65ee837fa1d927801c6ecdb296c9a1cf56942d5ff0f291335d8d6e523d43feb58033cb41b7fecc6f7c878a35dade7c648c33e4a34
- MD5: 2b5fd954b0ab2a3f5576b5889105a902
  SHA1: 0cdd47854cb8c809ee0f76c35d84771ceb3752b7
  SHA256: 0aba647d6943c8832491a816d6baf5eed5edbc4fa15023d8c4762a9a5a9c6fe4
  SHA512: 69ecc50dfae6223d39a6aae3fda30d25c87d5a565e38b12b94019cd1070b4e1d0906900a8b9efb33448db0e84a49851c3ea2ace758fbbc6724412088ad99add7
- MD5: 1f166d88e5592cb46191c816e0f6f827
  SHA1: c664f0f56914c73b5da806b928d6db87b33e146d
  SHA256: bb1f5d6fea4a67135fe3b0be175adc383ace03519f4f8da8037c06ba5f5212c2
  SHA512: eb79bc3945cda700b2faf2fc59f5ecc1727bcfccdca94b1ffbbeef97bcb36daa97160912a30b1917436daa233b08de8db86003bad89aa147f4abeda672ad501c
- MD5: 3543c85483a79c53f8916cdeffcd1db2
  SHA1: f272a7d28099a9fa38d0f9d70ad6342d0017b7d0
  SHA256: 889a62e951cb3912ca8bc89e43ee867e494acd4e6f967d55a48ce801ebefa55c
  SHA512: 91c7be2518c7d4b78eeeb1bcf0bf28f2dddeedd5930bc69ad6fbf164277f81e412060fbc34e0d23713940bcb10417a4ffc7ff734ff3bc1c3c7063facdc9ddf4c
- MD5: 75500983d267881e6840cb83dfacd93b
  SHA1: a8deb2f1780d3eca7561f83ffe1ab9b3aa78a83d
  SHA256: 14714cc2ba02513ff5d7745b11ebd09e8fbaa6a9e164cbaeff401dbf293fe63b
  SHA512: c8e3e2fc4978d7aed1423fa6d8ca673dc2f534a9314c995c733ff5807468f0db89ac8285ac0b5b3cc7846b64cad4b83aa33b13e80018476dd01caf1dfee0b62b
- MD5: f49f736b4876a1a48938a68096e259c7
  SHA1: 144fa21d28e5afd2eeb14ec372c3f08f4f9a4751
  SHA256: 695c7a790230b3925dab56e2589f42f0e0ae574eafa541321449aed7dedca8d2
  SHA512: edebdaf91d925190fc9d51e6e0d57548c8a174e156f96d7cbf091f074b8a757be7317bb162494a28d98df94f77039b3900eeee32723a11d36a326c657e9c734b
- MD5: 482b736909ae7a1a558193d6ad59a1b5
  SHA1: 9286988db104ec8c985fcd02714b16c47bd9a39b
  SHA256: 7eb49b1458e0bb865d68b908aebcf1f41d91ca05dea84d3a40af66c8e80cc2a8
  SHA512: dffa2998f4d8f148c71c25e956651460a0d33cff14f69d1b7a4391409d9c88bc3e6f2dda05ce0f5e17d66c561ca6d292adf1943a292a3c4b851858b3b3ddc33f
- MD5: f16a1ffc1886363af0b777ce7c430149
  SHA1: f34ed8e40e1825a1aea4bac5270dcca29fcaaf42
  SHA256: 04fcd30ae40503e35d8bd2d2fc6a63418e17cbcddf92e1a0ba8309eacb336f73
  SHA512: 55b0370b411508a266628f42015a4bb00d94dde0afb43e748ed40f1f001c1e1bb56f42920afb2ac5341faf75454d4d953ce76050f3809be23d5f278b37bf56e1
- MD5: 1a6f7f46287918d373d2601912665650
  SHA1: 5a70744ea4c1137b12df1f21b7111dbdc52e03d0
  SHA256: 5ef0b9f9d6b5522171b2a1de17e83607c8e37703443b8d81e4bb0dd26e66ea3e
  SHA512: 0e89816b5d6b8297b08d39564376bd46c14c2a0943abf0ceee226c17c9434293c7c118b20f86c4d89f06f9ae2ed072f42dca10ae22d54debd5318d87fb98b50d