Analysis
max time kernel: 151s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 16:27
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
Size: 168KB
MD5: 0a5b152cb8c16f9ca55148f4565cb954
SHA1: 28e8a9135e60e20862496f0007c9dc69c20a74ad
SHA256: 9aadba2e559c63d5f1fc87ed0e5afe68ba12a67a053aefef880d7ae9f80f5689
SHA512: 986751a468cd12a2a53bada435e623937e33c581f151621a89ed0aac7f2df300df9f7aefa48ee5952f770c21f1af64875ca071d092460f9db6c094b68930fe0d
SSDEEP: 1536:1EGh0oblq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oblqOPOe2MUVg3Ve+rX
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000012241-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012245-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012241-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000055a2-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012241-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00130000000055a2-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012241-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00140000000055a2-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012241-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00150000000055a2-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012241-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00350000000133a7-82.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}\stubpath = "C:\\Windows\\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe" | {7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240} | {9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8} | {4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8}\stubpath = "C:\\Windows\\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8}.exe" | {4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}\stubpath = "C:\\Windows\\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe" | {BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844} | {8B963F48-001B-4332-9BBA-5109266F44E2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54} | {7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82615CFC-85E9-4b39-BE0B-C9035496F600}\stubpath = "C:\\Windows\\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe" | {C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}\stubpath = "C:\\Windows\\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe" | {82615CFC-85E9-4b39-BE0B-C9035496F600}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}\stubpath = "C:\\Windows\\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe" | {50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DB3F306-B49F-42f0-A0BA-28185E3286CF} | {82615CFC-85E9-4b39-BE0B-C9035496F600}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D} | {BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B} | {EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B963F48-001B-4332-9BBA-5109266F44E2} | {D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B963F48-001B-4332-9BBA-5109266F44E2}\stubpath = "C:\\Windows\\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe" | {D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}\stubpath = "C:\\Windows\\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe" | {8B963F48-001B-4332-9BBA-5109266F44E2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE} | {50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E5261F3-E645-4037-AFAF-30BDCD25F287} | {E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE} | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}\stubpath = "C:\\Windows\\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe" | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}\stubpath = "C:\\Windows\\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe" | {EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82615CFC-85E9-4b39-BE0B-C9035496F600} | {C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}\stubpath = "C:\\Windows\\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe" | {9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E5261F3-E645-4037-AFAF-30BDCD25F287}\stubpath = "C:\\Windows\\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe" | {E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe
Deletes itself (1 IoC)
pid | Process
2088 | cmd.exe
Executes dropped EXE (12 IoCs)
pid | Process
1752 | {BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
2448 | {EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
2520 | {D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe
2080 | {8B963F48-001B-4332-9BBA-5109266F44E2}.exe
2996 | {50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe
1964 | {7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe
1532 | {C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe
1168 | {82615CFC-85E9-4b39-BE0B-C9035496F600}.exe
1212 | {9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe
2156 | {E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe
1972 | {4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe
1676 | {80E6FFD0-2D78-4991-BB20-F669C5FF58D8}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
File created | C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe | {7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe
File created | C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe | {C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe
File created | C:\Windows\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe | {82615CFC-85E9-4b39-BE0B-C9035496F600}.exe
File created | C:\Windows\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe | {9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe
File created | C:\Windows\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe | {E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe
File created | C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe | {BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
File created | C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe | {EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
File created | C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe | {D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe
File created | C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe | {8B963F48-001B-4332-9BBA-5109266F44E2}.exe
File created | C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe | {50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe
File created | C:\Windows\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8}.exe | {4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2140 | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1752 | {BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
Token: SeIncBasePriorityPrivilege | 2448 | {EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
Token: SeIncBasePriorityPrivilege | 2520 | {D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe
Token: SeIncBasePriorityPrivilege | 2080 | {8B963F48-001B-4332-9BBA-5109266F44E2}.exe
Token: SeIncBasePriorityPrivilege | 2996 | {50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe
Token: SeIncBasePriorityPrivilege | 1964 | {7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe
Token: SeIncBasePriorityPrivilege | 1532 | {C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe
Token: SeIncBasePriorityPrivilege | 1168 | {82615CFC-85E9-4b39-BE0B-C9035496F600}.exe
Token: SeIncBasePriorityPrivilege | 1212 | {9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe
Token: SeIncBasePriorityPrivilege | 2156 | {E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe
Token: SeIncBasePriorityPrivilege | 1972 | {4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe
Suspicious use of WriteProcessMemory (64 IoCs; every event below is recorded four times in the report, 16 distinct events in all)
description | pid | Process | procid_target
PID 2140 wrote to memory of 1752 | 2140 | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe | 28
PID 2140 wrote to memory of 2088 | 2140 | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe | 29
PID 1752 wrote to memory of 2448 | 1752 | {BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe | 30
PID 1752 wrote to memory of 2756 | 1752 | {BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe | 31
PID 2448 wrote to memory of 2520 | 2448 | {EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe | 32
PID 2448 wrote to memory of 2368 | 2448 | {EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe | 33
PID 2520 wrote to memory of 2080 | 2520 | {D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe | 36
PID 2520 wrote to memory of 2712 | 2520 | {D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe | 37
PID 2080 wrote to memory of 2996 | 2080 | {8B963F48-001B-4332-9BBA-5109266F44E2}.exe | 38
PID 2080 wrote to memory of 580 | 2080 | {8B963F48-001B-4332-9BBA-5109266F44E2}.exe | 39
PID 2996 wrote to memory of 1964 | 2996 | {50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe | 40
PID 2996 wrote to memory of 2040 | 2996 | {50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe | 41
PID 1964 wrote to memory of 1532 | 1964 | {7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe | 42
PID 1964 wrote to memory of 1892 | 1964 | {7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe | 43
PID 1532 wrote to memory of 1168 | 1532 | {C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe | 44
PID 1532 wrote to memory of 588 | 1532 | {C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe | 45
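The signatures above record three linked behaviours that are easy to misread in a flattened report: each stage writes the next stage as a GUID-named executable in C:\Windows, registers it under HKLM\...\Active Setup\Installed Components\{GUID}\stubpath, and hands a cmd.exe /c del of the previous stage its 8.3 short name. Two points a practitioner should keep in mind. First, Active Setup runs the stubpath of an HKLM Installed Components key in the context of each user at logon when that user's HKCU mirror of the key is missing; the keys here set only stubpath and no Version value, and that is still enough to trigger, so cleanup must remove the keys as well as the files. Second, the target of every WriteProcessMemory row is the process the writer itself has just spawned, which is what a parent does when starting a child; nothing in the report shows writes into an unrelated process.

The Python below is an added triage helper, not part of the sandbox report and not code from the sample. It re-parses a constructed subset of the report's own IoC lines (the "File created" line for {8B963F48-...} is deliberately omitted so that one stubpath entry exercises the "persistence target never seen written" path), rebuilds the writer-to-file chain from the root sample, checks every stubpath against the files actually written, and maps the 8.3 names in the delete commands back to their long names. ROOT_NAME, ROOT_PATH and the three regular expressions are the example's own assumptions about the shape of the report lines.

```python
"""Triage helper for a flattened sandbox report of a GUID-chain dropper (added example)."""
import re

ROOT_NAME = "2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe"
ROOT_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + ROOT_NAME

# Constructed sample: a subset of the report's IoCs, copied as printed. The
# 'File created' line for {8B963F48-...} is left out on purpose so the last
# stubpath entry shows what an unexplained persistence target looks like.
SAMPLE_EVENTS = r"""
File created C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
File created C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe {BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
File created C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe {EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}\stubpath = "C:\\Windows\\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe" 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}\stubpath = "C:\\Windows\\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe" {BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}\stubpath = "C:\\Windows\\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe" {EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B963F48-001B-4332-9BBA-5109266F44E2}\stubpath = "C:\\Windows\\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe" {D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BC275~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{EED6C~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
"""

# Line shapes assumed from the report (assumption of this example, not a sandbox API).
GUID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"
RE_DROP = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+)$")
RE_STUB = re.compile(
    r"^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\"
    r"Active Setup\\Installed Components\\(?P<guid>" + GUID + r")\\stubpath = "
    r'"(?P<target>[^"]+)" (?P<proc>\S+)$'
)
RE_DEL = re.compile(r"cmd\.exe /c del (?P<path>\S+) > nul$", re.IGNORECASE)


def parse_events(text):
    """Split report lines into (drops, stubpaths, deletes)."""
    drops, stubs, deletes = [], [], []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := RE_DROP.match(line):
            drops.append((m["path"], m["proc"]))
        elif m := RE_STUB.match(line):
            # The report prints the REG_SZ with doubled backslashes; undo that.
            stubs.append((m["guid"], m["target"].replace("\\\\", "\\"), m["proc"]))
        elif m := RE_DEL.search(line):
            deletes.append(m["path"])
    return drops, stubs, deletes


def drop_chain(drops, root=ROOT_NAME):
    """Walk writer -> written file from the root sample. Each stage in this report
    writes exactly one file; a writer that drops several would need a list here."""
    written_by = {proc: path.rsplit("\\", 1)[-1] for path, proc in drops}
    chain, seen = [root], {root}
    while chain[-1] in written_by and written_by[chain[-1]] not in seen:
        chain.append(written_by[chain[-1]])
        seen.add(chain[-1])
    return chain


def check_active_setup(stubs, drops):
    """One finding per stubpath. 'guid_named_in_windows' is this family's naming
    pattern; 'target_dropped' is False when the run never wrote that file, i.e. the
    registry points at something the sandbox did not observe being created."""
    dropped = {path.lower() for path, _ in drops}
    wanted = re.compile(r"C:\\Windows\\" + GUID + r"\.exe", re.IGNORECASE)
    return [
        {
            "guid": guid,
            "target": target,
            "set_by": proc,
            "guid_named_in_windows": wanted.fullmatch(target) is not None,
            "target_dropped": target.lower() in dropped,
        }
        for guid, target, proc in stubs
    ]


def short_name(long_name):
    """8.3 alias Windows generates on the first attempt: six leading characters,
    '~1', the extension, all upper-cased. Simplified: ignores characters 8.3 strips
    and the ~2, ~3 ... suffixes used when the six-character prefix collides."""
    stem, _, ext = long_name.rpartition(".")
    return f"{stem[:6]}~1.{ext}".upper()


def resolve_self_deletes(deletes, drops, root_path=ROOT_PATH):
    """Map each 'del <8.3 path>' back to the long path it removes (None if unknown)."""
    by_short = {}
    for long_path in [path for path, _ in drops] + [root_path]:
        folder, _, name = long_path.rpartition("\\")
        by_short[f"{folder}\\{short_name(name)}".upper()] = long_path
    return {d: by_short.get(d.upper()) for d in deletes}


if __name__ == "__main__":
    drops, stubs, deletes = parse_events(SAMPLE_EVENTS)
    print("drop chain:", " -> ".join(drop_chain(drops)))
    for f in check_active_setup(stubs, drops):
        state = "dropped" if f["target_dropped"] else "NOT SEEN WRITTEN"
        print("Active Setup", f["guid"], "->", f["target"], state, "set by", f["set_by"])
    for short, long_path in resolve_self_deletes(deletes, drops).items():
        print("self-delete", short, "=>", long_path)
```

Run as-is it prints the three-link chain, one line per stubpath (the {8B963F48-...} entry comes out as NOT SEEN WRITTEN because its File created line was withheld from the sample), and one line per delete command with the long name recovered. Against the full report, the same check passes for all twelve stubpath entries, because every one of them names a file in the "Drops file in Windows directory" list.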
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe"
    PID: 2140
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
      Command line: C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
      PID: 1752
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
        Command line: C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
        PID: 2448
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe
          Command line: C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe
          PID: 2520
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe
            Command line: C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe
            PID: 2080
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe
              Command line: C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe
              PID: 2996
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe
                Command line: C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe
                PID: 1964
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe
                  Command line: C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe
                  PID: 1532
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe
                    Command line: C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe
                    PID: 1168
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe
                      Command line: C:\Windows\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe
                      PID: 1212
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                    [11] C:\Windows\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe
                        Command line: C:\Windows\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe
                        PID: 2156
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                      [12] C:\Windows\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe
                          Command line: C:\Windows\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe
                          PID: 1972
                          - Modifies Installed Components in the registry
                          - Executes dropped EXE
                          - Drops file in Windows directory
                          - Suspicious use of AdjustPrivilegeToken
                        [13] C:\Windows\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8}.exe
                            Command line: C:\Windows\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8}.exe
                            PID: 1676
                            - Executes dropped EXE
                        [13] C:\Windows\SysWOW64\cmd.exe
                            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4E526~1.EXE > nul
                            PID: 3044
                      [12] C:\Windows\SysWOW64\cmd.exe
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E67BD~1.EXE > nul
                          PID: 2784
                    [11] C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9DB3F~1.EXE > nul
                        PID: 2928
                  [10] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{82615~1.EXE > nul
                      PID: 564
                [9] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C8BA7~1.EXE > nul
                    PID: 588
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7C05F~1.EXE > nul
                  PID: 1892
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{50F05~1.EXE > nul
                PID: 2040
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8B963~1.EXE > nul
              PID: 580
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D8B8B~1.EXE > nul
            PID: 2712
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EED6C~1.EXE > nul
          PID: 2368
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BC275~1.EXE > nul
        PID: 2756
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      PID: 2088
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 168KB
  MD5: d9e53cff0c7416cf19881cd8af84aabe
  SHA1: f1f960bec071cf452b9470ffb89a04f421927550
  SHA256: 6de67f9b4de05038ea3388a8eaed035dbc7c223dff4ae829b5216dc255f9b7a6
  SHA512: c4e3317aae262493eed0b37b9f4da9ab37f664a7894b35714dda07a4fd204435248722eedd3d6fe8bed1df69c3869774aba759bfae509b0c6a9c9461c31c484f
- Filesize: 168KB
  MD5: c8729f000c1d8d62690489f56cf8b22f
  SHA1: 1c93b668df19c2b213f88fa550150a424c015413
  SHA256: 2e5f1dc39563c33c729b3dd8d9985e865dcaa5da6a28b531d80988311055f8c2
  SHA512: 0913ee1c09005cf2beef5a7444438dbd814f2ae4e137b102198abfcc215390baacd9119f3dc402cfd562b8b259ebeba3f28960ece151aceb3ac0d1e96bfea833
- Filesize: 168KB
  MD5: c68077a1f19cabc83bbc2c467d8d7031
  SHA1: 3b81248cd1b049940371c43b9927c580214d3a65
  SHA256: 9490ee55655f967407790556e332c69b15ecd388e36423560b551de7ed64e919
  SHA512: 7aeec26dcfbb3ae316a44897b39af5885895a80af94318b76c4a28c9ab425567a710e2395822e7c639f3c44021b61f1af958345ce970c7bce1c75194c750efab
- Filesize: 168KB
  MD5: 52d97fd0c95607f5202d29b86c9f6c79
  SHA1: aabd384a91c1a9c0477155e79a29aafa87a8dcc2
  SHA256: e42312a0d9a337ac1afc2aa19eebffb2312a4a8381d4c105270f3940ea5144da
  SHA512: e4da362deb83b491b96a1db3576fa7d7da1194994690ba8ea7fe4ebb4254bae3f895cb670fe89984a25cf1f6f876bd81e5f1a8d6d0b7106cb6717ebf5c60ee21
- Filesize: 168KB
  MD5: aab357d4b3e0e14a8310095a2ce5af8c
  SHA1: 878f07764831d4a03824c37d326a26d8d6c48194
  SHA256: 0ddedbb24dd6be90bc0d79feaaab7e5aae11d9bb53ea2c7de9f1cac85e957c7a
  SHA512: cdcefebf8c5b149dd641b2b39f864a1a0809aa0351a79912a4810dfa880b4e7abf01a56eafbc7f6d1d88d0ddc3953c1a0b1bda68cc2e487c0ae8a9ed78d26f2d
- Filesize: 168KB
  MD5: 60190b6859946ecea172554c14c8e6f7
  SHA1: d26cedc54d801157fa57999a389dc572eba2e400
  SHA256: ec0af3cbb9a99d4355ec7b8c3f276343227a96977b95fbc0afc80e23773b87e3
  SHA512: 7d31805dc601826173b4148f6a94e5b15cf145bbc8ce57b6117ca211b784dfee36e4716df4eaaed4f7cdb440931e64a12d65552ad1eb33f045c7a2e5bfaaaa74
- Filesize: 168KB
  MD5: 3e6a89b74e8dea1f0c28a64f928d9c71
  SHA1: 1418acf7d9dbfebcfbcebda9a2b871cb3234bd9f
  SHA256: ec0f322296eb3ee997ecf20378eea5d7b32854a10c608b6548c3658f5f3dd088
  SHA512: 487b2b0ec3a748c28fd463efe9b1d862997226ba5a63ca2f19fa4095a20fd43699c2e1fe7d711085a9807824ab3b15273b9260f84b2fe6eb978adc65c929c350
- Filesize: 168KB
  MD5: 9caa402c2ecda1b24807186a12ab26a1
  SHA1: 1624f79f1725cb0b1bc3efc2ca2c904d864b716f
  SHA256: 6c3a6d52570d7f63bc4e1baed9438af82af244df7378d506084e17838c937b9f
  SHA512: 1b26d852dc09c11df05263676127e6b6d68bc2c5056bc5165199151cb33cc456326be7e7d261eb14e70ca7b88c2a529e9572942b115481ea2ccf5b285c509c0a
- Filesize: 168KB
  MD5: e038dfd3c23c80927f9a33972f38c8f4
  SHA1: afad7a8c28803b575be2ef00abb07ab636be3471
  SHA256: ee1a7e6ea1a9a22aebd48832f2f4e988e563280d493182be3440b9f506fbe67e
  SHA512: f0b5a21c64be629e12be56dd9dbe85af364694cafb3387acc25a906c8bac5e95d353a18d1973fd7ac87c9e350d3eede57aeb6cb549385f9aa3727a73830a09f1
- Filesize: 168KB
  MD5: 3367e083a8d1329e3e9be49983d70384
  SHA1: e79832f9f276a09c366baac202cee9209f42dc97
  SHA256: fd896e8160e6297bd72e4608f53697b26b4811426125e0fe642b9570576cead1
  SHA512: 72c0cb9386cb5299abbefdb58124b460dcbabd42e84f8c73597bc75c634c15ac6537f8fb8febf33f45149fd4df829d18ab83c7e4140229a69e5a55ba407bc67a
- Filesize: 168KB
  MD5: 06272e755c384de1a081d2395b7f7b2a
  SHA1: 8df14bca266be3ecfc3cc3fa2f4dc647634398ff
  SHA256: 51d55b87e028ea0be9136782bb3411ebdbd30ea344ef3c815e4123cfa253e921
  SHA512: 805ee201ed564e7693be3aecfc0c2d43baf18b753f95589f86eaa1d8d91ce5f52ade109679e3d4f8d90333dd076894886c472091bce526850dbc67c08c8eb072
- Filesize: 168KB
  MD5: 437f553309631815b83524f6b0a8015c
  SHA1: c14b86e7fa9e0b3933f858a0bb64d3ef629763e2
  SHA256: 536a383bbe9fc71556efab8d786a79e4c8957fa0fad34ed96c800e8c1bc92497
  SHA512: 083a1564e00860d1ef96f4b93cc268fbeb6027633b7f41319f8d1901dfe81fab67b1740fc687439c747531ef394bc199a3e12124da74be3a4ebd82f0a53286e0