Analysis
max time kernel: 144s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 20:48
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe
  Resource: win10v2004-20240508-en
The results below are from behavioral1 (win7-20240419-en, windows7_x64), as the platform and resource fields above state.
General
Target: 2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe
Size: 168KB
MD5: ce080d7ec34664896f059c69063afd74
SHA1: eeb93257d28374130d94b3898d0036dbab979c3f
SHA256: 5563384b2a376a8d2599c41848198f4c7847fbc37711f65b0f9bf16de4d87f79
SHA512: 3921eaf84bd8235c739b8aba6e743716b72e606f0b8538ec00987c398f062e870ee0fd19e57219000eb7a4797b298cfc8540d8ee4915dbb23df405ca182b4b91
SSDEEP: 1536:1EGh0oKlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oKlqOPOe2MUVg3Ve+rX
Malware Config
Signatures
Auto-generated rule (11 IoCs)
YARA rule GoldenEyeRansomware_Dropper_MalformedZoomit matched each of the eleven executables dropped into C:\Windows:

resource | yara_rule
C:\Windows\{F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{08E488D1-669E-4939-A937-9670D4076D10}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1C7678A8-CE71-4316-AC4F-D64BB2063786}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{717BDEE8-02C1-44f3-AF35-64FE07C74DD5}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FCD2756F-29A2-4d90-BD83-1A515D25B81E}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9C5C70F1-6DF1-4461-9A51-AE56C416B1AC}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
Each stage creates HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} for the stage it is about to drop (the keys appear under Wow6432Node because the processes are 32-bit and the registry view is redirected) and sets that key's StubPath to the dropped C:\Windows\{GUID}.exe. Explorer runs the StubPath of every Installed Components entry at interactive logon for any user whose HKCU hive has no matching {GUID} key, so each registered stage is re-executed at the next logon of each user (Active Setup persistence, ATT&CK T1547.014). Eleven keys are created and eleven StubPath values are set, one per dropped stage; the writer of each entry is the previous stage.

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}\stubpath = "C:\\Windows\\{AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe" | {08E488D1-669E-4939-A937-9670D4076D10}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC4EC977-AD3C-4218-AE81-C98B7E5EBE89} | {AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C5C70F1-6DF1-4461-9A51-AE56C416B1AC}\stubpath = "C:\\Windows\\{9C5C70F1-6DF1-4461-9A51-AE56C416B1AC}.exe" | {FCD2756F-29A2-4d90-BD83-1A515D25B81E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C7678A8-CE71-4316-AC4F-D64BB2063786} | {DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C7678A8-CE71-4316-AC4F-D64BB2063786}\stubpath = "C:\\Windows\\{1C7678A8-CE71-4316-AC4F-D64BB2063786}.exe" | {DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B} | {F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2} | {D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}\stubpath = "C:\\Windows\\{A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe" | {D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08E488D1-669E-4939-A937-9670D4076D10} | {A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}\stubpath = "C:\\Windows\\{CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe" | {AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA5445D2-D314-4db0-9DFD-5678A04EC753}\stubpath = "C:\\Windows\\{DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe" | {CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCD2756F-29A2-4d90-BD83-1A515D25B81E}\stubpath = "C:\\Windows\\{FCD2756F-29A2-4d90-BD83-1A515D25B81E}.exe" | {717BDEE8-02C1-44f3-AF35-64FE07C74DD5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C5C70F1-6DF1-4461-9A51-AE56C416B1AC} | {FCD2756F-29A2-4d90-BD83-1A515D25B81E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2771AFA-DC90-4edc-BDF7-83D932EB3762}\stubpath = "C:\\Windows\\{F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe" | 2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08E488D1-669E-4939-A937-9670D4076D10}\stubpath = "C:\\Windows\\{08E488D1-669E-4939-A937-9670D4076D10}.exe" | {A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA5445D2-D314-4db0-9DFD-5678A04EC753} | {CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{717BDEE8-02C1-44f3-AF35-64FE07C74DD5} | {1C7678A8-CE71-4316-AC4F-D64BB2063786}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2771AFA-DC90-4edc-BDF7-83D932EB3762} | 2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}\stubpath = "C:\\Windows\\{D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe" | {F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD4BF0F5-B43A-4d27-A971-6F7B8F85122A} | {08E488D1-669E-4939-A937-9670D4076D10}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{717BDEE8-02C1-44f3-AF35-64FE07C74DD5}\stubpath = "C:\\Windows\\{717BDEE8-02C1-44f3-AF35-64FE07C74DD5}.exe" | {1C7678A8-CE71-4316-AC4F-D64BB2063786}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCD2756F-29A2-4d90-BD83-1A515D25B81E} | {717BDEE8-02C1-44f3-AF35-64FE07C74DD5}.exe
Deletes itself (1 IoC)
pid | process
2628 | cmd.exe (spawned by the submitted sample to delete the sample's own file; see the process tree below)
Executes dropped EXE (11 IoCs)
pid | process
1216 | {F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe
2752 | {D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe
2648 | {A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe
2368 | {08E488D1-669E-4939-A937-9670D4076D10}.exe
2780 | {AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe
1776 | {CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe
2124 | {DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe
1452 | {1C7678A8-CE71-4316-AC4F-D64BB2063786}.exe
2924 | {717BDEE8-02C1-44f3-AF35-64FE07C74DD5}.exe
2232 | {FCD2756F-29A2-4d90-BD83-1A515D25B81E}.exe
1564 | {9C5C70F1-6DF1-4461-9A51-AE56C416B1AC}.exe
Drops file in Windows directory (11 IoCs)
Every file is written directly into the Windows directory root under a GUID name; the writer of each file is the stage that then launches it.

description | ioc | process
File created | C:\Windows\{F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe | 2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe
File created | C:\Windows\{D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe | {F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe
File created | C:\Windows\{A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe | {D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe
File created | C:\Windows\{AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe | {08E488D1-669E-4939-A937-9670D4076D10}.exe
File created | C:\Windows\{DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe | {CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe
File created | C:\Windows\{717BDEE8-02C1-44f3-AF35-64FE07C74DD5}.exe | {1C7678A8-CE71-4316-AC4F-D64BB2063786}.exe
File created | C:\Windows\{FCD2756F-29A2-4d90-BD83-1A515D25B81E}.exe | {717BDEE8-02C1-44f3-AF35-64FE07C74DD5}.exe
File created | C:\Windows\{9C5C70F1-6DF1-4461-9A51-AE56C416B1AC}.exe | {FCD2756F-29A2-4d90-BD83-1A515D25B81E}.exe
File created | C:\Windows\{08E488D1-669E-4939-A937-9670D4076D10}.exe | {A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe
File created | C:\Windows\{CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe | {AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe
File created | C:\Windows\{1C7678A8-CE71-4316-AC4F-D64BB2063786}.exe | {DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
The sample and the first ten dropped stages each enable SeIncBasePriorityPrivilege in their own token; no token adjustment is recorded for the final stage (pid 1564).

description | pid | process
Token: SeIncBasePriorityPrivilege | 2084 | 2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1216 | {F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe
Token: SeIncBasePriorityPrivilege | 2752 | {D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe
Token: SeIncBasePriorityPrivilege | 2648 | {A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe
Token: SeIncBasePriorityPrivilege | 2368 | {08E488D1-669E-4939-A937-9670D4076D10}.exe
Token: SeIncBasePriorityPrivilege | 2780 | {AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe
Token: SeIncBasePriorityPrivilege | 1776 | {CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe
Token: SeIncBasePriorityPrivilege | 2124 | {DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe
Token: SeIncBasePriorityPrivilege | 1452 | {1C7678A8-CE71-4316-AC4F-D64BB2063786}.exe
Token: SeIncBasePriorityPrivilege | 2924 | {717BDEE8-02C1-44f3-AF35-64FE07C74DD5}.exe
Token: SeIncBasePriorityPrivilege | 2232 | {FCD2756F-29A2-4d90-BD83-1A515D25B81E}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Every parent -> child pair appears four times in the report (four writes into the child during process creation), so the 64 events collapse to the 16 pairs below. The list is capped at 64 events and stops at pid 2124; the process creations by the later stages (pids 1452, 2924 and 2232) are therefore not listed here even though the process tree shows them.

pid | process | target pid | target process | events
2084 | 2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe | 1216 | {F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe | 4
2084 | 2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe | 2628 | cmd.exe | 4
1216 | {F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe | 2752 | {D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe | 4
1216 | {F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe | 2848 | cmd.exe | 4
2752 | {D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe | 2648 | {A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe | 4
2752 | {D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe | 2712 | cmd.exe | 4
2648 | {A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe | 2368 | {08E488D1-669E-4939-A937-9670D4076D10}.exe | 4
2648 | {A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe | 1604 | cmd.exe | 4
2368 | {08E488D1-669E-4939-A937-9670D4076D10}.exe | 2780 | {AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe | 4
2368 | {08E488D1-669E-4939-A937-9670D4076D10}.exe | 1952 | cmd.exe | 4
2780 | {AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe | 1776 | {CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe | 4
2780 | {AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe | 1800 | cmd.exe | 4
1776 | {CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe | 2124 | {DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe | 4
1776 | {CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe | 760 | cmd.exe | 4
2124 | {DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe | 1452 | {1C7678A8-CE71-4316-AC4F-D64BB2063786}.exe | 4
2124 | {DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe | 1428 | cmd.exe | 4
Processes
The tree is twelve stages deep: each stage drops the next one into C:\Windows, launches it, and then spawns a cmd.exe that deletes the stage's own executable by its 8.3 short name (C:\Windows\{FCD27~1.EXE is {FCD2756F-29A2-4d90-BD83-1A515D25B81E}.exe). A cmd.exe listed at level n+1 is the child of the level-n stage. The stages are 32-bit, so the C:\Windows\system32\cmd.exe they request is redirected by WOW64 to C:\Windows\SysWOW64\cmd.exe, which is why the image path and the command line differ. The final stage (pid 1564) shows no further drop, registry write or deletion within the run.

Level 1, PID 2084: C:\Users\Admin\AppData\Local\Temp\2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 2, PID 1216: C:\Windows\{F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe
  command line: C:\Windows\{F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 3, PID 2752: C:\Windows\{D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe
  command line: C:\Windows\{D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 4, PID 2648: C:\Windows\{A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe
  command line: C:\Windows\{A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 5, PID 2368: C:\Windows\{08E488D1-669E-4939-A937-9670D4076D10}.exe
  command line: C:\Windows\{08E488D1-669E-4939-A937-9670D4076D10}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 6, PID 2780: C:\Windows\{AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe
  command line: C:\Windows\{AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 7, PID 1776: C:\Windows\{CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe
  command line: C:\Windows\{CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 8, PID 2124: C:\Windows\{DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe
  command line: C:\Windows\{DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 9, PID 1452: C:\Windows\{1C7678A8-CE71-4316-AC4F-D64BB2063786}.exe
  command line: C:\Windows\{1C7678A8-CE71-4316-AC4F-D64BB2063786}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Level 10, PID 2924: C:\Windows\{717BDEE8-02C1-44f3-AF35-64FE07C74DD5}.exe
  command line: C:\Windows\{717BDEE8-02C1-44f3-AF35-64FE07C74DD5}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Level 11, PID 2232: C:\Windows\{FCD2756F-29A2-4d90-BD83-1A515D25B81E}.exe
  command line: C:\Windows\{FCD2756F-29A2-4d90-BD83-1A515D25B81E}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Level 12, PID 1564: C:\Windows\{9C5C70F1-6DF1-4461-9A51-AE56C416B1AC}.exe
  command line: C:\Windows\{9C5C70F1-6DF1-4461-9A51-AE56C416B1AC}.exe
  - Executes dropped EXE
Level 12, PID 640: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FCD27~1.EXE > nul
Level 11, PID 380: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{717BD~1.EXE > nul
Level 10, PID 2428: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1C767~1.EXE > nul
Level 9, PID 1428: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DA544~1.EXE > nul
Level 8, PID 760: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CC4EC~1.EXE > nul
Level 7, PID 1800: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AD4BF~1.EXE > nul
Level 6, PID 1952: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{08E48~1.EXE > nul
Level 5, PID 1604: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A4D53~1.EXE > nul
Level 4, PID 2712: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D3ACC~1.EXE > nul
Level 3, PID 2848: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F2771~1.EXE > nul
Level 2, PID 2628: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  - Deletes itself
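The Active Setup writes, the drop/launch chain and the self-deleting cmd.exe children above follow one repeating pattern, and the quickest way to confirm that (or to spot a stage that breaks it) is to rebuild the chain from the report's own event lines. The following Python is an added example, not part of the sandbox report or of any tool behind it. The stage, PID and deletion-target constants are transcribed from this report; report_lines() re-emits them in the report's syntax so the parsers run offline. Three things are assumptions made here rather than facts from the page: the "PID:<n> ..." prefix used for the constructed cmd.exe lines, the simplified 8.3 short-name rule in short_name(), and the heuristic in suspicious_stubpaths() that an Active Setup StubPath pointing at an executable directly in the Windows root is suspect. BENIGN_LINE is a constructed entry in the shape of a stock Active Setup component, included so the heuristic's negative case is exercised too.

```python
import re

# Added example (not sandbox output). The constants below are transcribed from
# the report above; report_lines() re-emits them in the report's own syntax so
# the parsers can be exercised offline.
SAMPLE = "2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe"
STAGES = [  # (pid, image) for the sample and the eleven dropped stages, tree order
    (2084, SAMPLE),
    (1216, "{F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe"),
    (2752, "{D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe"),
    (2648, "{A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe"),
    (2368, "{08E488D1-669E-4939-A937-9670D4076D10}.exe"),
    (2780, "{AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe"),
    (1776, "{CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe"),
    (2124, "{DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe"),
    (1452, "{1C7678A8-CE71-4316-AC4F-D64BB2063786}.exe"),
    (2924, "{717BDEE8-02C1-44f3-AF35-64FE07C74DD5}.exe"),
    (2232, "{FCD2756F-29A2-4d90-BD83-1A515D25B81E}.exe"),
    (1564, "{9C5C70F1-6DF1-4461-9A51-AE56C416B1AC}.exe"),
]
DELETERS = [  # (cmd.exe pid, 8.3 name it deletes), one per stage except the last
    (2628, "2024-0~1.EXE"), (2848, "{F2771~1.EXE"), (2712, "{D3ACC~1.EXE"),
    (1604, "{A4D53~1.EXE"), (1952, "{08E48~1.EXE"), (1800, "{AD4BF~1.EXE"),
    (760, "{CC4EC~1.EXE"), (1428, "{DA544~1.EXE"), (2428, "{1C767~1.EXE"),
    (380, "{717BD~1.EXE"), (640, "{FCD27~1.EXE"),
]
ACTIVE_SETUP = (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft"
                r"\Active Setup\Installed Components")
# Constructed example (assumption) of an ordinary-looking entry: stock entries
# point into System32 or Program Files, usually with arguments. Must not be flagged.
BENIGN_LINE = ("Set value (str) " + ACTIVE_SETUP +
               r'\{89820200-ECBD-11cf-8B85-00AA005B4340}\stubpath = '
               r'"C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll" explorer.exe')


def report_lines():
    """Registry, WriteProcessMemory and cmd.exe lines in the report's syntax
    (the 'PID:<n>' prefix on the cmd.exe lines is this example's own format)."""
    reg, wpm, cmd = [], [], []
    for i, (pid, image) in enumerate(STAGES[:-1]):
        npid, nimage = STAGES[i + 1]
        dpid, dtarget = DELETERS[i]
        reg.append(f'Set value (str) {ACTIVE_SETUP}\\{nimage[:-4]}\\stubpath = '
                   f'"C:\\\\Windows\\\\{nimage}" {image}')
        wpm.append(f"PID {pid} wrote to memory of {npid} {pid} {image} {nimage}")
        wpm.append(f"PID {pid} wrote to memory of {dpid} {pid} {image} cmd.exe")
        folder = r"C:\Users\Admin\AppData\Local\Temp" if i == 0 else r"C:\Windows"
        cmd.append(f"PID:{dpid} C:\\Windows\\system32\\cmd.exe /c del {folder}\\{dtarget} > nul")
    return reg, wpm, cmd


STUBPATH_RE = re.compile(
    r"^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft"
    r"\\Active Setup\\Installed Components\\(?P<guid>\{[0-9A-Fa-f-]{36}\})\\stubpath"
    r' = "(?P<path>[^"]*)" (?P<writer>\S+)$', re.IGNORECASE)
WPM_RE = re.compile(r"^PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) \d+ "
                    r"(?P<parent>\S+) (?P<child>\S+)$")
DEL_RE = re.compile(r"^PID:(?P<pid>\d+) .*cmd\.exe /c del (?P<target>\S+) > nul$", re.IGNORECASE)
# Heuristic (assumption): an executable sitting directly in the Windows root.
WINDOWS_ROOT_EXE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\ ]+\.exe$", re.IGNORECASE)
NOT_8DOT3 = re.compile(r"[^A-Z0-9!#$%&'()@^_`{}~-]")


def short_name(filename):
    """Guess the 8.3 alias NTFS gives a long name. Simplification (assumption):
    first six legal characters plus '~1'; on a live volume the numeric tail
    depends on which other names in the folder share the prefix."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = filename, ""
    stem, ext = NOT_8DOT3.sub("", stem.upper())[:6], NOT_8DOT3.sub("", ext.upper())[:3]
    return f"{stem}~1.{ext}" if ext else f"{stem}~1"


def suspicious_stubpaths(reg_lines):
    """(guid, path, writer) for StubPath values pointing at <drive>:\\Windows\\<name>.exe."""
    hits = []
    for m in filter(None, map(STUBPATH_RE.match, reg_lines)):
        path = m["path"].replace("\\\\", "\\")  # undo the report's escaping
        if WINDOWS_ROOT_EXE.match(path):
            hits.append((m["guid"], path, m["writer"]))
    return hits


def reconstruct(reg_lines, wpm_lines, cmd_lines):
    """Walk the chain from the root process: for every stage, the StubPath it
    registers, the stage it launches and the file its cmd.exe child deletes."""
    registered = {m["writer"]: m["path"].replace("\\\\", "\\")
                  for m in map(STUBPATH_RE.match, reg_lines) if m}
    image_of, stage_child, cmd_child = {}, {}, {}
    for m in filter(None, map(WPM_RE.match, wpm_lines)):
        ppid, cpid = int(m["ppid"]), int(m["cpid"])
        image_of[ppid] = m["parent"]
        if m["child"].lower() == "cmd.exe":
            cmd_child[ppid] = cpid
        else:
            image_of[cpid] = stage_child[ppid] = m["child"]
    deleted_by = {int(m["pid"]): m["target"].rsplit("\\", 1)[-1]
                  for m in map(DEL_RE.match, cmd_lines) if m}
    pid_of = {img: p for p, img in image_of.items()}
    pid = next(p for p, img in image_of.items() if img not in stage_child.values())
    chain = []
    while pid is not None:
        image, deletes = image_of[pid], deleted_by.get(cmd_child.get(pid))
        chain.append({"pid": pid, "image": image, "registers": registered.get(image),
                      "spawns": stage_child.get(pid), "deletes": deletes,
                      "deletes_self": deletes == short_name(image)})
        pid = pid_of.get(stage_child.get(pid))
    return chain


def chain_is_consistent(chain):
    """True when each stage registers exactly the stage it then launches and
    deletes its own file, and the final stage registers and launches nothing."""
    for cur, nxt in zip(chain, chain[1:]):
        if cur["registers"] != "C:\\Windows\\" + nxt["image"]:
            return False
        if cur["spawns"] != nxt["image"] or not cur["deletes_self"]:
            return False
    return chain[-1]["registers"] is None and chain[-1]["spawns"] is None


if __name__ == "__main__":
    reg, wpm, cmd = report_lines()
    chain = reconstruct(reg, wpm, cmd)
    for stage in chain:
        print(f"{stage['pid']:>5} {stage['image'][:14]} registers={stage['registers']} deletes={stage['deletes']}")
    print("consistent:", chain_is_consistent(chain))
    print("flagged stubpaths:", len(suspicious_stubpaths(reg + [BENIGN_LINE])))
```

The same heuristic applies on a live host to the StubPath values under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and its Wow6432Node view. Note that the chain is only complete because each stage's registry write names the file the next stage is dropped under; a stage whose cmd.exe deletion does not resolve to its own image, or whose StubPath names a file no later stage is launched from, would make chain_is_consistent() return False and is exactly the anomaly worth a second look.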
Network
MITRE ATT&CK Enterprise v15
Downloads
Eleven dropped executables are available. Each is 168KB, the same size as the submitted sample, but every hash is distinct, so no stage is a byte-for-byte copy of its parent. The report does not map these entries to the {GUID}.exe file names above.

Filesize: 168KB
MD5: 487df655ce0f73fc635ca8488218a902
SHA1: 504409b73472ddda3174823bd13187348d2f0222
SHA256: e16f97adab7e81c1b42a59e785a3ad4f63c3c0deb732b5a62a51c90279b85951
SHA512: fa10d06dac3717ee6b47a559ec697ee953a1d4e9cec0f910df2a2f9a10bba41b6359890a1db231677003191772cbe5a7225bb094f0257c2589218a0c5c953cc8

Filesize: 168KB
MD5: 9237ed0c6b2becc073fa8ff9ebc0cb6e
SHA1: b5654d1e533c1ff0574c64b0c8eb7ed89fa591e1
SHA256: aababdbc54d9df34ecf708c4bfdb837951199a596a04b245fd219b3775219eec
SHA512: bf94b0f61c5c3e9d35ae7cdb04dafb524d92c9ceb643c4f9e4d59af23fedaa7dcfc1dcab7dec11712881b61278e707e2e5ef803d50c270ceaa4affe11d9cfca4

Filesize: 168KB
MD5: fc1249ca9624c0fad525432f9b35a32d
SHA1: c2f504b38292972ece56301d8e93b8d2bf5ac41a
SHA256: 9774538178380578c0d69732dcfa0f8dfa4d3691496570ff01cab0268ce67895
SHA512: cf49b9bee65ba87e86c11e7839b542bad4352ce189c7b7c29ed3264297ae772d7c77b024d732768a35ea3a14954be93412e7446bb5fac2d1a723bbd7bbfcd81c

Filesize: 168KB
MD5: 15695576fc6994f67f21ca6424d7ef94
SHA1: 60798fe197dda23af9febe7aa894a6d5b205c481
SHA256: 4dd0337c42240e6846250e461b0c265ec91f4701ad5809c0531c85e53a7baa4e
SHA512: 62d1923ccf0665f7bf30ddef048d6cb7c14a1dc4665ec39ce758442bb42863fbbd19ed7221632ebdec54794a29c61fd012467c519e7f139e9feb01473de6ce5f

Filesize: 168KB
MD5: 5b0f77c4ecdaa526f2af908b8f1280f8
SHA1: d3e042e58c85161b17a3544824691ef4443eeff3
SHA256: 348da14ff185a84db75fae3ff2b04d7b85bd8b336b389ebe140e320ffab580bf
SHA512: e3a7f47a43ec4fc1a6521fe91aacaabed9dc4d4305df4ead9d46017cd4ce686a226d1f2831391fc88b5f67730deafb5482e6a239e07b2e257ca103721bf57723

Filesize: 168KB
MD5: d8638e414b0c43b4111502af1a7f8fa7
SHA1: 5ea82f5d91a5e5d6316cd510146d218a34538975
SHA256: f18db156c3398992693949b2b983e82395a64ea69dade6a653b2d701c2393f84
SHA512: d0d98d05da2e0d1285847ae8ee4c523c78d6fdc14d6afc459521b76e8c1376ae663351f4ad715f51073f185d6f9138edfb07ead839175cf5fb72e64eefe2a741

Filesize: 168KB
MD5: 47a5c5be7d32f7eed5d2279c2d197369
SHA1: 6987a0bda8ae39e140e4458612a0097e39a12528
SHA256: 26bf7ae91a73183b6db5e81c7eb55d0fa005de63f0ed1234a1ca8a4de159a46e
SHA512: c889c6ddfe234aca11e119ad9aee117809e0219132dff2a461729f4a047ab3e19a5467d2fb1404db1b3b997b25214a1cfdf05e9f0fabec506f024319fab83a1e

Filesize: 168KB
MD5: 683626104f279c7763c8506442e3efd5
SHA1: 44fd3ccd88444559d49ddcccc850296e69db9c33
SHA256: 9183b5b92e911247ee603b861e124ccb6d9d7ea2ee5d852fe9ccb7f7eb61fecf
SHA512: 98d5fcab407d20d675341f03c5ea5bdd5681b142fdd55947136879def9aba6f324934e04d2e7fe10a02aace80ee381fb45da55d8d0e8598bcf719cb59d14a1a6

Filesize: 168KB
MD5: 42e1edcf641f2c4148397668ddf054a0
SHA1: c30b66933482ffdb1e637eb9f65ede800d660eb0
SHA256: 64c1f8aaff998c33263a0bc2888cc6e3116c399b0ffb6efaca1d0f84d95e41f4
SHA512: 10bb16bf531a7e2ff4d2c39a81264a000adcf63848a57e9c7cc39ce1294069d3b48590c473e6a526788de42053eeace73860216b1c7272e95b1a03a8a7e3b37f

Filesize: 168KB
MD5: 7d5e46d81942987883bb415178f9fdee
SHA1: 9ba657323099428c0e48d6c2d3b09652d1cc9f32
SHA256: e1c0b937518775c6cb2b132ffac840a9daa7f6c3cfca2cbfb45aabb10814b2fe
SHA512: 955baef29a6a02bae3798b26b5fcc285c1983166b76ea90b3a0d4dfdb548329cded3017d603fdc35b2e6daf190850cc56e1c4a434c2254810d1ee42f7527f6cb

Filesize: 168KB
MD5: 122f3f1525fd8c91c6bab469330127f1
SHA1: ed5c6b3261fd5da4cf2e6d84f2541aacf7210c6f
SHA256: ebd5b7510370b1036037ba42723922fc3660b1c0937cb8dddc133a38bb96d4b8
SHA512: c08eb1ad8d41216bce53bd75683341b313a42bb358540226c211faea03c9c54c799a9588d6a1d9b3ed5435456ef210d6b06915d57bbab1d6a819849e83a59287