9cd5791ec2b1578dd2c882a4c74e660649b60416780ca921984bbb2de16b69e6

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe
Size

180KB
MD5

6c95a31298c2f30c2ebd563aa054f496
SHA1

70c2ae1b4d89a6a27aa08ebd07cda5e77390f20c
SHA256

9cd5791ec2b1578dd2c882a4c74e660649b60416780ca921984bbb2de16b69e6
SHA512

6a3b3bbbe87e2f121c3e4ca6943ccbf67ac0fb4939594a3f369151cb23dda4b50823b8fa9fabbbfb61ebe131236b1f624f5058f421c3de4ffeaa04cbd29b2cd4
SSDEEP

3072:jEGh0oslfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGKl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6174FB9E-CB83-4465-9489-08472BA40567}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{01BC055E-8F46-48e1-8FDF-48E86E7B7459}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{13ED7576-4433-49f4-80FD-5F2056810AFE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe{01BC055E-8F46-48e1-8FDF-48E86E7B7459}.exe{6174FB9E-CB83-4465-9489-08472BA40567}.exe{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}.exe{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6174FB9E-CB83-4465-9489-08472BA40567}\stubpath = "C:\\Windows\\{6174FB9E-CB83-4465-9489-08472BA40567}.exe"	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}\stubpath = "C:\\Windows\\{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe"	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6174FB9E-CB83-4465-9489-08472BA40567}	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}\stubpath = "C:\\Windows\\{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe"	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}\stubpath = "C:\\Windows\\{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe"	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01BC055E-8F46-48e1-8FDF-48E86E7B7459}	{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}	{01BC055E-8F46-48e1-8FDF-48E86E7B7459}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}\stubpath = "C:\\Windows\\{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}.exe"	{01BC055E-8F46-48e1-8FDF-48E86E7B7459}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4A8DDE0-FB5B-4328-94B9-50E95123E368}\stubpath = "C:\\Windows\\{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe"	{6174FB9E-CB83-4465-9489-08472BA40567}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}\stubpath = "C:\\Windows\\{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe"	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13ED7576-4433-49f4-80FD-5F2056810AFE}\stubpath = "C:\\Windows\\{13ED7576-4433-49f4-80FD-5F2056810AFE}.exe"	{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4A8DDE0-FB5B-4328-94B9-50E95123E368}	{6174FB9E-CB83-4465-9489-08472BA40567}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D653817-7E1E-4daf-965B-813D3FD283E3}\stubpath = "C:\\Windows\\{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe"	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}\stubpath = "C:\\Windows\\{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe"	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01BC055E-8F46-48e1-8FDF-48E86E7B7459}\stubpath = "C:\\Windows\\{01BC055E-8F46-48e1-8FDF-48E86E7B7459}.exe"	{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13ED7576-4433-49f4-80FD-5F2056810AFE}	{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D653817-7E1E-4daf-965B-813D3FD283E3}	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2680 cmd.exe

pid	process
2680	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe{6174FB9E-CB83-4465-9489-08472BA40567}.exe{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe{01BC055E-8F46-48e1-8FDF-48E86E7B7459}.exe{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}.exe{13ED7576-4433-49f4-80FD-5F2056810AFE}.exe

pid	process
1552	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe
2560	{6174FB9E-CB83-4465-9489-08472BA40567}.exe
2688	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe
2100	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe
2980	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe
1620	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe
308	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe
2640	{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe
1644	{01BC055E-8F46-48e1-8FDF-48E86E7B7459}.exe
1712	{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}.exe
1660	{13ED7576-4433-49f4-80FD-5F2056810AFE}.exe

Drops file in Windows directory 11 IoCs

Processes:

{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe{01BC055E-8F46-48e1-8FDF-48E86E7B7459}.exe{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}.exe2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe{6174FB9E-CB83-4465-9489-08472BA40567}.exe{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe

description	ioc	process
File created	C:\Windows\{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe
File created	C:\Windows\{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe
File created	C:\Windows\{01BC055E-8F46-48e1-8FDF-48E86E7B7459}.exe	{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe
File created	C:\Windows\{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}.exe	{01BC055E-8F46-48e1-8FDF-48E86E7B7459}.exe
File created	C:\Windows\{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe
File created	C:\Windows\{13ED7576-4433-49f4-80FD-5F2056810AFE}.exe	{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}.exe
File created	C:\Windows\{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe
File created	C:\Windows\{6174FB9E-CB83-4465-9489-08472BA40567}.exe	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe
File created	C:\Windows\{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe	{6174FB9E-CB83-4465-9489-08472BA40567}.exe
File created	C:\Windows\{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe
File created	C:\Windows\{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe{6174FB9E-CB83-4465-9489-08472BA40567}.exe{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe{01BC055E-8F46-48e1-8FDF-48E86E7B7459}.exe{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2216	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1552	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe
Token: SeIncBasePriorityPrivilege	2560	{6174FB9E-CB83-4465-9489-08472BA40567}.exe
Token: SeIncBasePriorityPrivilege	2688	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe
Token: SeIncBasePriorityPrivilege	2100	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe
Token: SeIncBasePriorityPrivilege	2980	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe
Token: SeIncBasePriorityPrivilege	1620	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe
Token: SeIncBasePriorityPrivilege	308	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe
Token: SeIncBasePriorityPrivilege	2640	{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe
Token: SeIncBasePriorityPrivilege	1644	{01BC055E-8F46-48e1-8FDF-48E86E7B7459}.exe
Token: SeIncBasePriorityPrivilege	1712	{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2216 wrote to memory of 1552	2216	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe
PID 2216 wrote to memory of 1552	2216	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe
PID 2216 wrote to memory of 1552	2216	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe
PID 2216 wrote to memory of 1552	2216	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe
PID 2216 wrote to memory of 2680	2216	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe	cmd.exe
PID 2216 wrote to memory of 2680	2216	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe	cmd.exe
PID 2216 wrote to memory of 2680	2216	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe	cmd.exe
PID 2216 wrote to memory of 2680	2216	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe	cmd.exe
PID 1552 wrote to memory of 2560	1552	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe	{6174FB9E-CB83-4465-9489-08472BA40567}.exe
PID 1552 wrote to memory of 2560	1552	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe	{6174FB9E-CB83-4465-9489-08472BA40567}.exe
PID 1552 wrote to memory of 2560	1552	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe	{6174FB9E-CB83-4465-9489-08472BA40567}.exe
PID 1552 wrote to memory of 2560	1552	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe	{6174FB9E-CB83-4465-9489-08472BA40567}.exe
PID 1552 wrote to memory of 2668	1552	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe	cmd.exe
PID 1552 wrote to memory of 2668	1552	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe	cmd.exe
PID 1552 wrote to memory of 2668	1552	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe	cmd.exe
PID 1552 wrote to memory of 2668	1552	{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe	cmd.exe
PID 2560 wrote to memory of 2688	2560	{6174FB9E-CB83-4465-9489-08472BA40567}.exe	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe
PID 2560 wrote to memory of 2688	2560	{6174FB9E-CB83-4465-9489-08472BA40567}.exe	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe
PID 2560 wrote to memory of 2688	2560	{6174FB9E-CB83-4465-9489-08472BA40567}.exe	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe
PID 2560 wrote to memory of 2688	2560	{6174FB9E-CB83-4465-9489-08472BA40567}.exe	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe
PID 2560 wrote to memory of 2616	2560	{6174FB9E-CB83-4465-9489-08472BA40567}.exe	cmd.exe
PID 2560 wrote to memory of 2616	2560	{6174FB9E-CB83-4465-9489-08472BA40567}.exe	cmd.exe
PID 2560 wrote to memory of 2616	2560	{6174FB9E-CB83-4465-9489-08472BA40567}.exe	cmd.exe
PID 2560 wrote to memory of 2616	2560	{6174FB9E-CB83-4465-9489-08472BA40567}.exe	cmd.exe
PID 2688 wrote to memory of 2100	2688	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe
PID 2688 wrote to memory of 2100	2688	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe
PID 2688 wrote to memory of 2100	2688	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe
PID 2688 wrote to memory of 2100	2688	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe
PID 2688 wrote to memory of 2904	2688	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe	cmd.exe
PID 2688 wrote to memory of 2904	2688	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe	cmd.exe
PID 2688 wrote to memory of 2904	2688	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe	cmd.exe
PID 2688 wrote to memory of 2904	2688	{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe	cmd.exe
PID 2100 wrote to memory of 2980	2100	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe
PID 2100 wrote to memory of 2980	2100	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe
PID 2100 wrote to memory of 2980	2100	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe
PID 2100 wrote to memory of 2980	2100	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe
PID 2100 wrote to memory of 2992	2100	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe	cmd.exe
PID 2100 wrote to memory of 2992	2100	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe	cmd.exe
PID 2100 wrote to memory of 2992	2100	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe	cmd.exe
PID 2100 wrote to memory of 2992	2100	{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe	cmd.exe
PID 2980 wrote to memory of 1620	2980	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe
PID 2980 wrote to memory of 1620	2980	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe
PID 2980 wrote to memory of 1620	2980	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe
PID 2980 wrote to memory of 1620	2980	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe
PID 2980 wrote to memory of 364	2980	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe	cmd.exe
PID 2980 wrote to memory of 364	2980	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe	cmd.exe
PID 2980 wrote to memory of 364	2980	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe	cmd.exe
PID 2980 wrote to memory of 364	2980	{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe	cmd.exe
PID 1620 wrote to memory of 308	1620	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe
PID 1620 wrote to memory of 308	1620	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe
PID 1620 wrote to memory of 308	1620	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe
PID 1620 wrote to memory of 308	1620	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe
PID 1620 wrote to memory of 1332	1620	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe	cmd.exe
PID 1620 wrote to memory of 1332	1620	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe	cmd.exe
PID 1620 wrote to memory of 1332	1620	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe	cmd.exe
PID 1620 wrote to memory of 1332	1620	{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe	cmd.exe
PID 308 wrote to memory of 2640	308	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe	{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe
PID 308 wrote to memory of 2640	308	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe	{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe
PID 308 wrote to memory of 2640	308	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe	{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe
PID 308 wrote to memory of 2640	308	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe	{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe
PID 308 wrote to memory of 700	308	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe	cmd.exe
PID 308 wrote to memory of 700	308	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe	cmd.exe
PID 308 wrote to memory of 700	308	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe	cmd.exe
PID 308 wrote to memory of 700	308	{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe
C:\Windows\{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\{6174FB9E-CB83-4465-9489-08472BA40567}.exe
C:\Windows\{6174FB9E-CB83-4465-9489-08472BA40567}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe
C:\Windows\{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe
C:\Windows\{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe
C:\Windows\{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe
C:\Windows\{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe
C:\Windows\{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe
C:\Windows\{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\{01BC055E-8F46-48e1-8FDF-48E86E7B7459}.exe
C:\Windows\{01BC055E-8F46-48e1-8FDF-48E86E7B7459}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}.exe
C:\Windows\{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\{13ED7576-4433-49f4-80FD-5F2056810AFE}.exe
C:\Windows\{13ED7576-4433-49f4-80FD-5F2056810AFE}.exe
12⤵
- Executes dropped EXE
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EA7B1~1.EXE > nul
12⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{01BC0~1.EXE > nul
11⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{177E9~1.EXE > nul
10⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{12F70~1.EXE > nul
9⤵
PID:700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{63757~1.EXE > nul
8⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7D653~1.EXE > nul
7⤵
PID:364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DB490~1.EXE > nul
6⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B4A8D~1.EXE > nul
5⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6174F~1.EXE > nul
4⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{61DED~1.EXE > nul
3⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2680

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01BC055E-8F46-48e1-8FDF-48E86E7B7459}.exe
Filesize
180KB

MD5
0c02429dd65543ba6f879fb97757719c

SHA1
14971590f6f895b5c0d4ae3e64cc8981e192dbcd

SHA256
c65f845f4ebaf81f08c4c313999126ed0a2af59990a9fb7dfce74254f22fc18b

SHA512
c9899c557763b1688f65acfa30983941968f2b846d22a0b15d23c3b5b5ed0c82a4b5a3a7d30f9522fd9c86e67f7acf156f266f94af8f6651cb0bd3f1c0992667

Download Submit
C:\Windows\{12F708C2-9075-4bf4-8E8F-BA6D4C3193FE}.exe
Filesize
180KB

MD5
68233ee4c131fc17a08f77d28da0c511

SHA1
4528a61b0a75957895a3b7bd41f055050ed2c92a

SHA256
28239513fa8491b517a38328e1deb3cdadc9ef19bed9ade07797a976f5b8caa4

SHA512
96a755ecf8ff8d485b41dddc7055658f5288d83d5598987703f9783c8f2c073516f7fa8836a7b15bfa1e81461fcfa741ed984635f3da49de99f0b8e7d171af5e

Download Submit
C:\Windows\{13ED7576-4433-49f4-80FD-5F2056810AFE}.exe
Filesize
180KB

MD5
cc21ad6fe7b2e8e6593fa2703a82cf6d

SHA1
7e06ec4aaa53df925a3ce9a6ce8fdd068b767440

SHA256
9f70ad8346691f2ca594c39ab0ca852ad8fdde923e29c2dc1cbf1f131aea625c

SHA512
a12116d05a848d92a6e539f7db038a6e6c26c51f7e4c9ea3535da0eee5b956881f59a5522284e8fda0d2660a5a308951666875627f73f071a3e151f9468e209d

Download Submit
C:\Windows\{177E915B-C9D2-4949-8E08-7F2FB04DA0AC}.exe
Filesize
180KB

MD5
0a1e9449d623dce573e6b6e3635bf959

SHA1
d0bb0ad8bf8a983bab4d2eea4273fe7e2e102622

SHA256
d1b6471b82280342d6366914bd2517512dbef37d7950ea0f51b24adb71e5ca04

SHA512
72da5214795eea4dd3edcb10b61fa9285559dc28412a89dc915dbce79068712dec1d03032b02fd828b180501e795db8865291807ec39cb0f6f1136ec95239393

Download Submit
C:\Windows\{6174FB9E-CB83-4465-9489-08472BA40567}.exe
Filesize
180KB

MD5
f5e9ed1ac346aebc3301b2cc4880896a

SHA1
f127d8e4e81d3c080dab6a4b8fe120369993dda2

SHA256
64bff70826337d21bef8f4fc1cb94e93357b91b2dcd6844a9b833a3be716e4ff

SHA512
682986cf47bc60b726377c39b414273f44cf18364b73f4e5f6411a53e558c76e1b65111becd8701ede0e79abe79bf819fa59e6dad2b20c34435465ec652d5f6c

Download Submit
C:\Windows\{61DED4D5-8183-45dd-91B6-C4BEEDD96F04}.exe
Filesize
180KB

MD5
01b2343edd9c3059e6d682e3ecb90c29

SHA1
73950015655f1b6218ba239772387d41c23abbf6

SHA256
32b6d92be6ad2557bd3c95967f6f7a9f71ac84f6c8030d69b5f0e13316d2858f

SHA512
c467b3cf59189015ce3182b1e9b73a13507d3b42d2184b104675c71947da37adc1086f30db00f348c5a09fe0b91f9b89651e3f94d24bd080eda0cc2b80ba68e5

Download Submit
C:\Windows\{637572DC-BAC8-4b95-8A21-E68DA3B2D49E}.exe
Filesize
180KB

MD5
f2242f0636b7537e41a5ebf9cfc540d6

SHA1
2a81fe529e2c70ada231a3c0df281fe1c7173be6

SHA256
1fabdb9b06e6dd6a5938eaa0ded5d85c40edca177b86e63d1cfbfc89a9872042

SHA512
41e5a6b7042bc8280913e4442f20432714623e34b181e29f3f0d7fdfe5335e1a3c0ceda092069ddea090b57b66365116ea51316f7eff999fde7daa60689369e8

Download Submit
C:\Windows\{7D653817-7E1E-4daf-965B-813D3FD283E3}.exe
Filesize
180KB

MD5
ce49b60bb67211d84ff815711c911818

SHA1
29128b89b39970b091231984cf3387155d0fc7e7

SHA256
94ce035cf2dea8a12b318ada87af1356476dc0f6a91396fa39f2c992a0493164

SHA512
74bf95be1438cd6cc3efdd3e81114be00a20493b9bcb28ff412fb058cff111f212c4024e805208ebccd2d8f9e8b652a5c00c4873145d1788a582ffc5063a8461

Download Submit
C:\Windows\{B4A8DDE0-FB5B-4328-94B9-50E95123E368}.exe
Filesize
180KB

MD5
d440e6eab1c793fd9b9531f621fa7775

SHA1
62f7939718b85571b611c108bcd633f39b5a5b5f

SHA256
5b51269ecfe646e11bdb93b942dec944ea5dacd604cf8fde3bd8e71bca0a7c8a

SHA512
e6693bb325e9129b7b686d63829b5f3073027336468a02eb2b151178c46131e1a6a152f6e621cba6c1843802b74fe64b5f5f30287083812a90985502f9f6a935

Download Submit
C:\Windows\{DB4905E8-08FE-43c3-B44C-DE7C813A75D6}.exe
Filesize
180KB

MD5
c22185648d7dcda6974fae7747d2d4ca

SHA1
e92dca61afe80f16ae39b9b04dab33f2049107bf

SHA256
fa5eef88901a6403095229100daafbc85e61a0db184d36cacfc1fbd2b5635ebd

SHA512
69f776937dcf19a0874f1a824df2b4c9c3d2f08756f12c46dea3f27e041f412bab81afcb7b818f635e9f36f74c3b220a3b1cd92864e3065693c3c6998317a2c4

Download Submit
C:\Windows\{EA7B1D57-FCEF-47f3-BEE8-607EC052D413}.exe
Filesize
180KB

MD5
f0717803f4d8b79950e3b65e356ed786

SHA1
0c187531dd26c8132404b61ee1ec2de4f8a4e101

SHA256
007a3385d1310c602930b26f57761a52db9d4c3eb58d6d2bc03b9f1fa70fd457

SHA512
4edc25405812d8c9f385ddad828878da3445a90ef5038a107dc9deb27561e3140e0a5b11ae1db89aa9f27964149207011952e1f69e9582e803e99717a0891ce8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads