2c62e0bdb7becc13f685db09dfc57e91f7ab47efc81d737beacdb2d7669edd3d

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe
Size

180KB
MD5

1f73f4955698e20f42322d3498004d56
SHA1

e32a2dc0959249e315a056de13992c1443f7af3a
SHA256

2c62e0bdb7becc13f685db09dfc57e91f7ab47efc81d737beacdb2d7669edd3d
SHA512

5463a847455c174f1155af4ec5d0675c2e3260533850e9ee6135bccb85d18edc9a42cd098ef829a2f4f77b0c3aedf963e0b1436bf9adf0d1b6f2166c01c49f78
SSDEEP

3072:jEGh0oWlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGcl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{FC748E87-92B0-41be-98D3-77E548D16D68}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4F518664-2FCD-4f01-B74F-6C29FF6786BD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5311A949-60AB-4d43-90FE-02AD82A5E764}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe{FC748E87-92B0-41be-98D3-77E548D16D68}.exe{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe{4F518664-2FCD-4f01-B74F-6C29FF6786BD}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{553C0F83-9BAE-4e81-9221-D4CB33D464B1}\stubpath = "C:\\Windows\\{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe"	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D37EDEBA-4D68-430a-8A7B-BF59074DB031}	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F518664-2FCD-4f01-B74F-6C29FF6786BD}	{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C725AE5E-0127-4840-BC8D-51FD96978F90}\stubpath = "C:\\Windows\\{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe"	{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F5487C2-8C65-4b56-B105-5738AB82AED2}	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F5487C2-8C65-4b56-B105-5738AB82AED2}\stubpath = "C:\\Windows\\{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe"	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}\stubpath = "C:\\Windows\\{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe"	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{553C0F83-9BAE-4e81-9221-D4CB33D464B1}	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}\stubpath = "C:\\Windows\\{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe"	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC748E87-92B0-41be-98D3-77E548D16D68}	2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F262C4B-4060-49fa-8EFF-797744B6D253}	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C657B932-04CD-4f75-ADCD-3B9E05C91471}\stubpath = "C:\\Windows\\{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe"	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5311A949-60AB-4d43-90FE-02AD82A5E764}\stubpath = "C:\\Windows\\{5311A949-60AB-4d43-90FE-02AD82A5E764}.exe"	{4F518664-2FCD-4f01-B74F-6C29FF6786BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5311A949-60AB-4d43-90FE-02AD82A5E764}	{4F518664-2FCD-4f01-B74F-6C29FF6786BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC748E87-92B0-41be-98D3-77E548D16D68}\stubpath = "C:\\Windows\\{FC748E87-92B0-41be-98D3-77E548D16D68}.exe"	2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F262C4B-4060-49fa-8EFF-797744B6D253}\stubpath = "C:\\Windows\\{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe"	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C657B932-04CD-4f75-ADCD-3B9E05C91471}	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D37EDEBA-4D68-430a-8A7B-BF59074DB031}\stubpath = "C:\\Windows\\{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe"	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C725AE5E-0127-4840-BC8D-51FD96978F90}	{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F518664-2FCD-4f01-B74F-6C29FF6786BD}\stubpath = "C:\\Windows\\{4F518664-2FCD-4f01-B74F-6C29FF6786BD}.exe"	{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3056 cmd.exe

pid	process
3056	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{FC748E87-92B0-41be-98D3-77E548D16D68}.exe{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe{4F518664-2FCD-4f01-B74F-6C29FF6786BD}.exe{5311A949-60AB-4d43-90FE-02AD82A5E764}.exe

pid	process
2064	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe
2792	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe
2888	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe
2500	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe
1292	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe
2220	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe
1884	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe
2192	{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe
3012	{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe
2008	{4F518664-2FCD-4f01-B74F-6C29FF6786BD}.exe
2980	{5311A949-60AB-4d43-90FE-02AD82A5E764}.exe

Drops file in Windows directory 11 IoCs

Processes:

{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe{4F518664-2FCD-4f01-B74F-6C29FF6786BD}.exe2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe{FC748E87-92B0-41be-98D3-77E548D16D68}.exe

description	ioc	process
File created	C:\Windows\{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe
File created	C:\Windows\{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe
File created	C:\Windows\{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe
File created	C:\Windows\{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe
File created	C:\Windows\{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe	{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe
File created	C:\Windows\{4F518664-2FCD-4f01-B74F-6C29FF6786BD}.exe	{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe
File created	C:\Windows\{5311A949-60AB-4d43-90FE-02AD82A5E764}.exe	{4F518664-2FCD-4f01-B74F-6C29FF6786BD}.exe
File created	C:\Windows\{FC748E87-92B0-41be-98D3-77E548D16D68}.exe	2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe
File created	C:\Windows\{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe
File created	C:\Windows\{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe
File created	C:\Windows\{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe{FC748E87-92B0-41be-98D3-77E548D16D68}.exe{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe{4F518664-2FCD-4f01-B74F-6C29FF6786BD}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1152	2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2064	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe
Token: SeIncBasePriorityPrivilege	2792	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe
Token: SeIncBasePriorityPrivilege	2888	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe
Token: SeIncBasePriorityPrivilege	2500	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe
Token: SeIncBasePriorityPrivilege	1292	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe
Token: SeIncBasePriorityPrivilege	2220	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe
Token: SeIncBasePriorityPrivilege	1884	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe
Token: SeIncBasePriorityPrivilege	2192	{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe
Token: SeIncBasePriorityPrivilege	3012	{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe
Token: SeIncBasePriorityPrivilege	2008	{4F518664-2FCD-4f01-B74F-6C29FF6786BD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1152 wrote to memory of 2064	1152	2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe
PID 1152 wrote to memory of 2064	1152	2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe
PID 1152 wrote to memory of 2064	1152	2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe
PID 1152 wrote to memory of 2064	1152	2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe
PID 1152 wrote to memory of 3056	1152	2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe	cmd.exe
PID 1152 wrote to memory of 3056	1152	2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe	cmd.exe
PID 1152 wrote to memory of 3056	1152	2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe	cmd.exe
PID 1152 wrote to memory of 3056	1152	2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe	cmd.exe
PID 2064 wrote to memory of 2792	2064	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe
PID 2064 wrote to memory of 2792	2064	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe
PID 2064 wrote to memory of 2792	2064	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe
PID 2064 wrote to memory of 2792	2064	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe
PID 2064 wrote to memory of 2820	2064	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe	cmd.exe
PID 2064 wrote to memory of 2820	2064	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe	cmd.exe
PID 2064 wrote to memory of 2820	2064	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe	cmd.exe
PID 2064 wrote to memory of 2820	2064	{FC748E87-92B0-41be-98D3-77E548D16D68}.exe	cmd.exe
PID 2792 wrote to memory of 2888	2792	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe
PID 2792 wrote to memory of 2888	2792	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe
PID 2792 wrote to memory of 2888	2792	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe
PID 2792 wrote to memory of 2888	2792	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe
PID 2792 wrote to memory of 2632	2792	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe	cmd.exe
PID 2792 wrote to memory of 2632	2792	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe	cmd.exe
PID 2792 wrote to memory of 2632	2792	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe	cmd.exe
PID 2792 wrote to memory of 2632	2792	{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe	cmd.exe
PID 2888 wrote to memory of 2500	2888	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe
PID 2888 wrote to memory of 2500	2888	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe
PID 2888 wrote to memory of 2500	2888	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe
PID 2888 wrote to memory of 2500	2888	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe
PID 2888 wrote to memory of 3036	2888	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe	cmd.exe
PID 2888 wrote to memory of 3036	2888	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe	cmd.exe
PID 2888 wrote to memory of 3036	2888	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe	cmd.exe
PID 2888 wrote to memory of 3036	2888	{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe	cmd.exe
PID 2500 wrote to memory of 1292	2500	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe
PID 2500 wrote to memory of 1292	2500	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe
PID 2500 wrote to memory of 1292	2500	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe
PID 2500 wrote to memory of 1292	2500	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe
PID 2500 wrote to memory of 2684	2500	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe	cmd.exe
PID 2500 wrote to memory of 2684	2500	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe	cmd.exe
PID 2500 wrote to memory of 2684	2500	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe	cmd.exe
PID 2500 wrote to memory of 2684	2500	{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe	cmd.exe
PID 1292 wrote to memory of 2220	1292	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe
PID 1292 wrote to memory of 2220	1292	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe
PID 1292 wrote to memory of 2220	1292	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe
PID 1292 wrote to memory of 2220	1292	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe
PID 1292 wrote to memory of 2212	1292	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe	cmd.exe
PID 1292 wrote to memory of 2212	1292	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe	cmd.exe
PID 1292 wrote to memory of 2212	1292	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe	cmd.exe
PID 1292 wrote to memory of 2212	1292	{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe	cmd.exe
PID 2220 wrote to memory of 1884	2220	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe
PID 2220 wrote to memory of 1884	2220	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe
PID 2220 wrote to memory of 1884	2220	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe
PID 2220 wrote to memory of 1884	2220	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe
PID 2220 wrote to memory of 2484	2220	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe	cmd.exe
PID 2220 wrote to memory of 2484	2220	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe	cmd.exe
PID 2220 wrote to memory of 2484	2220	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe	cmd.exe
PID 2220 wrote to memory of 2484	2220	{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe	cmd.exe
PID 1884 wrote to memory of 2192	1884	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe	{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe
PID 1884 wrote to memory of 2192	1884	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe	{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe
PID 1884 wrote to memory of 2192	1884	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe	{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe
PID 1884 wrote to memory of 2192	1884	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe	{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe
PID 1884 wrote to memory of 1260	1884	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe	cmd.exe
PID 1884 wrote to memory of 1260	1884	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe	cmd.exe
PID 1884 wrote to memory of 1260	1884	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe	cmd.exe
PID 1884 wrote to memory of 1260	1884	{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_1f73f4955698e20f42322d3498004d56_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\{FC748E87-92B0-41be-98D3-77E548D16D68}.exe
C:\Windows\{FC748E87-92B0-41be-98D3-77E548D16D68}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe
C:\Windows\{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe
C:\Windows\{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0261F~1.EXE > nul
5⤵
PID:3036

C:\Windows\{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe
C:\Windows\{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe
C:\Windows\{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe
C:\Windows\{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe
C:\Windows\{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe
C:\Windows\{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe
C:\Windows\{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\{4F518664-2FCD-4f01-B74F-6C29FF6786BD}.exe
C:\Windows\{4F518664-2FCD-4f01-B74F-6C29FF6786BD}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\{5311A949-60AB-4d43-90FE-02AD82A5E764}.exe
C:\Windows\{5311A949-60AB-4d43-90FE-02AD82A5E764}.exe
12⤵
- Executes dropped EXE
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4F518~1.EXE > nul
12⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C725A~1.EXE > nul
11⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D37ED~1.EXE > nul
10⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4CFFD~1.EXE > nul
9⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C657B~1.EXE > nul
8⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8F262~1.EXE > nul
7⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{553C0~1.EXE > nul
6⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8F548~1.EXE > nul
4⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FC748~1.EXE > nul
3⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:3056

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0261FA5A-1DF7-4c54-A167-3CBB411E99A6}.exe
Filesize
180KB

MD5
92348b90e1e06dc1d623089549a5293c

SHA1
8bda2c5cf6e254f8140bef06ae43d8afb33ddc28

SHA256
14ac6a078b9b9b14e0509e6fe08e9b432a20c931f460d9c3869bc6090510006f

SHA512
c53f55343c68bfd83daf547de2e220a2d3804eccadcc2f46ab99ce8251b9e4e82345b151929ce038db82d31fb4d691d8110989d6e221b31cc85456a7958f4c39

Download Submit
C:\Windows\{4CFFDD3D-F2C9-4a52-A7F2-5BF98B7BFEBE}.exe
Filesize
180KB

MD5
e794b1c5c34a20215f9cd7f213e94455

SHA1
b2a594b5556d2f2c688306b3b7df0f0152645786

SHA256
c9d846940a556ed2d324098e64bf6eb48208345a2113bb48da93c47a05af2fb4

SHA512
49a690aaf300309c6736881f57e46df0a6ccbef04d0c12e7cbd1797978b4f444aac5772b18c76edee16840cabd4e5e453b582c552de19496a5c50b36a7a2b912

Download Submit
C:\Windows\{4F518664-2FCD-4f01-B74F-6C29FF6786BD}.exe
Filesize
180KB

MD5
e1734c0d3787e2802934945d9498d992

SHA1
fa29e23aa204827c96270ec646e2953f8061379c

SHA256
5486475c6f8f80473657e53eebd34e9bae5940cf4b4b27f27d5260bccfc3f8c8

SHA512
724b1d066af663fed1c0db871915d83d5c06d3181ed8693fd70d9686a223d7077c9fc7faab2b489385fb13d3bef9087869ea3d93280863f929119904225013c1

Download Submit
C:\Windows\{5311A949-60AB-4d43-90FE-02AD82A5E764}.exe
Filesize
180KB

MD5
e62708803f771a1a3a1f05d963853f2e

SHA1
f123caa02ea74e3d08312b3e6bbfdbfea5fdceb1

SHA256
1a47fec4041080836f2e360b1b75cb3b93ccad038393ff45942169e04660c2be

SHA512
74c3cffa7e4d38783edbe6fdfb4ecd8d36c095a82b646e3c9f549702aa383f06ad790356fc05ff61adfda8daaeaf56be87aa11d3d3e452192b9c6ec70f921a2a

Download Submit
C:\Windows\{553C0F83-9BAE-4e81-9221-D4CB33D464B1}.exe
Filesize
180KB

MD5
87a0d658596d0a73c7855237b7ce0966

SHA1
4a131f2a9f8a2b72d560da872931df5cfc757938

SHA256
a82c8388e6b3179fbcf81ddcc962490d028710e969b0fd6adc8260da90f516b3

SHA512
9a2fef656564b1c092fef65429dc99127220a413a815805e095532dd2d5ccfe54e517d667863c7e8143575194c454208e87e997ad30c6fee0a6da3e317195fea

Download Submit
C:\Windows\{8F262C4B-4060-49fa-8EFF-797744B6D253}.exe
Filesize
180KB

MD5
d982faaca57f697cebccad5cdec3e3b4

SHA1
00a2996d77c1d0900149c87643ae2e0f4abeef62

SHA256
3f5ab558ddf71678c143c2e6de4d4ceddbdc521a712bffea706496f59561fb66

SHA512
31c1dd54b004d9d336dccf108d1907c1679103ca241a27a0e80827152d4d23026cf8db319395575259d89d2ad721b7a632e36ca52606b3a8b8121e64d9819ad1

Download Submit
C:\Windows\{8F5487C2-8C65-4b56-B105-5738AB82AED2}.exe
Filesize
180KB

MD5
55946d326441af3ca18d4a22a12b554d

SHA1
6e6f413d3f3bbbeb2b910894c2be73811bf344bf

SHA256
2902615e7c00b5d4e486fb21c135e5d00e72f79e5d027d4e703ada0e432d93ba

SHA512
41de1cde55b77dbf4f2fdde0075955864cb1c914062cf76bb6cb35790139a855a522b2f067c23044211193f05745ae642db9e6f00dab4b8c9fb9508ce72acef0

Download Submit
C:\Windows\{C657B932-04CD-4f75-ADCD-3B9E05C91471}.exe
Filesize
180KB

MD5
5fe4460b5cb5bca1133f13ec9a1e889c

SHA1
2ff4281ade5175f7c307883a8326a69677709737

SHA256
4d5ecc17727ee4f17970d93055034a103605d5a2184d82a7e81cb625d076c6ce

SHA512
834a1da1914c48f27c1bdabd4ef7f00ac4f4c57e624ab6c0ed412d84751d979ce28d9d59a5b5706bf0f3bcfad16d6d3acc3bbcf7a012b4f094d799373bfe3b9a

Download Submit
C:\Windows\{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe
Filesize
58KB

MD5
a79ccd6ab9379a6fbdb4feb1393b6880

SHA1
75c6bc41b43ef121a000eab7639156af297f70b9

SHA256
a8d637478e4880d67ae5afaddcd3bf7114a54b42b91a30060c82e41e804d7535

SHA512
e58bd20f0daa2428d1fdf2ed8559ac6d56fa1b13960d357f0cd2b87e9c40b5a74b17e4e716192210414fa1b4e480785b4d52052b454854aeca9431e2b146c2f8

Download Submit
C:\Windows\{C725AE5E-0127-4840-BC8D-51FD96978F90}.exe
Filesize
180KB

MD5
8b07148f1fa1aa54fa35a0da87b2b3cc

SHA1
3e46b861a8271e70d44e72a8df6ee3361b135cf2

SHA256
b56e6e2483d93d0318671c1f091c3e3d5ff3ecf4df2a4e94e40faf4aa6a1cd06

SHA512
547183fedf05fca7d43df89f96718f9e3ac33b01519ce11ec8551046650d404830a798a00913eebf784e7baf68468bc1608d3df5e29a4062c3cda5e1b178bf6e

Download Submit
C:\Windows\{D37EDEBA-4D68-430a-8A7B-BF59074DB031}.exe
Filesize
180KB

MD5
9bc1b8c672f096c60cdeddbbcaf50076

SHA1
5ad5f08cee8b042cb630c157b994a340965a03dd

SHA256
b18d019a6a528276a9f7bc024ac50e3b3d905d1129fcfb976bdb16812c334481

SHA512
b22632b3f13a23f87a3e67f99a62ad95593f1dc72c927f8061dfb1c447aee65c3dfa1261f5618de80196e3d4d5bce5a99b507eea4ec06aaafc5ed5123877933a

Download Submit
C:\Windows\{FC748E87-92B0-41be-98D3-77E548D16D68}.exe
Filesize
180KB

MD5
1e5e392d5ebfdf089a55274969b0662f

SHA1
6262ce4fd42af72f2054d312e2999b6d466fb29a

SHA256
e50862dc1e6424819edc3d6de342ebeb8b6fb82f4e586aa7c828e6f51fcb4992

SHA512
2b487455ee4163353a1eb7fbc9164497eeb02ebc7da0e0db28f53942f84b0624ccbeb353ea124e3492a3d13060cdfc2664a0ba2040569395db4c75ac1191ab14

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads