925accd04f62c0628ccd361b8fb5aa197b3693158e7b3ac2781fb29b8b010f42

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe
Size

372KB
MD5

4410354ecf1f12dac32e7509180cf312
SHA1

5633c7d48a12ca700132e5de5d4c21422584c8ef
SHA256

925accd04f62c0628ccd361b8fb5aa197b3693158e7b3ac2781fb29b8b010f42
SHA512

593f1e8a25a25880f829e782f46c94110ccf9f3722a5a62b77b910abc57de7f491f1b9a6e07706aa0a75904b89d46682fc5fea4c84f7ef04f7a3d68da8ea9737
SSDEEP

3072:CEGh0oUmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGnl/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000012223-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012266-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003300000000b1f4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012266-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012266-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000000b1f4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000016d2f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000016d3e-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}.exe{804808BB-87A7-46d1-864C-390C5E42BCB3}.exe{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}.exe{C819E259-D0FE-4730-8147-2AA62DB17572}.exe{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{804808BB-87A7-46d1-864C-390C5E42BCB3}\stubpath = "C:\\Windows\\{804808BB-87A7-46d1-864C-390C5E42BCB3}.exe"	{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57B46668-E810-48de-9146-B1E7379F79AD}\stubpath = "C:\\Windows\\{57B46668-E810-48de-9146-B1E7379F79AD}.exe"	{804808BB-87A7-46d1-864C-390C5E42BCB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}\stubpath = "C:\\Windows\\{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe"	{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383A539D-DEF2-4414-82BF-136D95CB1BA7}\stubpath = "C:\\Windows\\{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe"	{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}\stubpath = "C:\\Windows\\{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe"	{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}	{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}\stubpath = "C:\\Windows\\{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe"	{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}	{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}\stubpath = "C:\\Windows\\{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe"	{C819E259-D0FE-4730-8147-2AA62DB17572}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383A539D-DEF2-4414-82BF-136D95CB1BA7}	{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}	{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}\stubpath = "C:\\Windows\\{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}.exe"	{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{804808BB-87A7-46d1-864C-390C5E42BCB3}	{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57B46668-E810-48de-9146-B1E7379F79AD}	{804808BB-87A7-46d1-864C-390C5E42BCB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}	{C819E259-D0FE-4730-8147-2AA62DB17572}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77414E4E-61B9-4901-B3BC-89A6ED3D372F}\stubpath = "C:\\Windows\\{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe"	{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}\stubpath = "C:\\Windows\\{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}.exe"	{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C819E259-D0FE-4730-8147-2AA62DB17572}	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C819E259-D0FE-4730-8147-2AA62DB17572}\stubpath = "C:\\Windows\\{C819E259-D0FE-4730-8147-2AA62DB17572}.exe"	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}	{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77414E4E-61B9-4901-B3BC-89A6ED3D372F}	{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}	{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2848	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{C819E259-D0FE-4730-8147-2AA62DB17572}.exe{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}.exe{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}.exe{804808BB-87A7-46d1-864C-390C5E42BCB3}.exe{57B46668-E810-48de-9146-B1E7379F79AD}.exe

pid	Process
2004	{C819E259-D0FE-4730-8147-2AA62DB17572}.exe
2336	{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe
1280	{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe
660	{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe
280	{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe
2616	{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe
1644	{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe
2648	{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}.exe
1476	{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}.exe
2064	{804808BB-87A7-46d1-864C-390C5E42BCB3}.exe
1404	{57B46668-E810-48de-9146-B1E7379F79AD}.exe

Drops file in Windows directory 11 IoCs

Processes:

{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe{C819E259-D0FE-4730-8147-2AA62DB17572}.exe{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}.exe{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}.exe{804808BB-87A7-46d1-864C-390C5E42BCB3}.exe

description	ioc	Process
File created	C:\Windows\{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe	{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe
File created	C:\Windows\{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe	{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe
File created	C:\Windows\{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe	{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe
File created	C:\Windows\{C819E259-D0FE-4730-8147-2AA62DB17572}.exe	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe
File created	C:\Windows\{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe	{C819E259-D0FE-4730-8147-2AA62DB17572}.exe
File created	C:\Windows\{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe	{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe
File created	C:\Windows\{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe	{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe
File created	C:\Windows\{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}.exe	{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe
File created	C:\Windows\{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}.exe	{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}.exe
File created	C:\Windows\{804808BB-87A7-46d1-864C-390C5E42BCB3}.exe	{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}.exe
File created	C:\Windows\{57B46668-E810-48de-9146-B1E7379F79AD}.exe	{804808BB-87A7-46d1-864C-390C5E42BCB3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe{C819E259-D0FE-4730-8147-2AA62DB17572}.exe{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}.exe{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}.exe{804808BB-87A7-46d1-864C-390C5E42BCB3}.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	2268	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2004	{C819E259-D0FE-4730-8147-2AA62DB17572}.exe
Token: SeIncBasePriorityPrivilege	2336	{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe
Token: SeIncBasePriorityPrivilege	1280	{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe
Token: SeIncBasePriorityPrivilege	660	{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe
Token: SeIncBasePriorityPrivilege	280	{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe
Token: SeIncBasePriorityPrivilege	2616	{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe
Token: SeIncBasePriorityPrivilege	1644	{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe
Token: SeIncBasePriorityPrivilege	2648	{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}.exe
Token: SeIncBasePriorityPrivilege	1476	{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}.exe
Token: SeIncBasePriorityPrivilege	2064	{804808BB-87A7-46d1-864C-390C5E42BCB3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 2268 wrote to memory of 2004	2268	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe	28
PID 2268 wrote to memory of 2004	2268	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe	28
PID 2268 wrote to memory of 2004	2268	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe	28
PID 2268 wrote to memory of 2004	2268	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe	28
PID 2268 wrote to memory of 2848	2268	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe	29
PID 2268 wrote to memory of 2848	2268	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe	29
PID 2268 wrote to memory of 2848	2268	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe	29
PID 2268 wrote to memory of 2848	2268	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe	29
PID 2004 wrote to memory of 2336	2004	{C819E259-D0FE-4730-8147-2AA62DB17572}.exe	30
PID 2004 wrote to memory of 2336	2004	{C819E259-D0FE-4730-8147-2AA62DB17572}.exe	30
PID 2004 wrote to memory of 2336	2004	{C819E259-D0FE-4730-8147-2AA62DB17572}.exe	30
PID 2004 wrote to memory of 2336	2004	{C819E259-D0FE-4730-8147-2AA62DB17572}.exe	30
PID 2004 wrote to memory of 2740	2004	{C819E259-D0FE-4730-8147-2AA62DB17572}.exe	31
PID 2004 wrote to memory of 2740	2004	{C819E259-D0FE-4730-8147-2AA62DB17572}.exe	31
PID 2004 wrote to memory of 2740	2004	{C819E259-D0FE-4730-8147-2AA62DB17572}.exe	31
PID 2004 wrote to memory of 2740	2004	{C819E259-D0FE-4730-8147-2AA62DB17572}.exe	31
PID 2336 wrote to memory of 1280	2336	{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe	34
PID 2336 wrote to memory of 1280	2336	{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe	34
PID 2336 wrote to memory of 1280	2336	{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe	34
PID 2336 wrote to memory of 1280	2336	{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe	34
PID 2336 wrote to memory of 2620	2336	{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe	35
PID 2336 wrote to memory of 2620	2336	{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe	35
PID 2336 wrote to memory of 2620	2336	{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe	35
PID 2336 wrote to memory of 2620	2336	{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe	35
PID 1280 wrote to memory of 660	1280	{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe	36
PID 1280 wrote to memory of 660	1280	{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe	36
PID 1280 wrote to memory of 660	1280	{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe	36
PID 1280 wrote to memory of 660	1280	{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe	36
PID 1280 wrote to memory of 568	1280	{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe	37
PID 1280 wrote to memory of 568	1280	{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe	37
PID 1280 wrote to memory of 568	1280	{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe	37
PID 1280 wrote to memory of 568	1280	{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe	37
PID 660 wrote to memory of 280	660	{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe	38
PID 660 wrote to memory of 280	660	{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe	38
PID 660 wrote to memory of 280	660	{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe	38
PID 660 wrote to memory of 280	660	{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe	38
PID 660 wrote to memory of 2828	660	{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe	39
PID 660 wrote to memory of 2828	660	{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe	39
PID 660 wrote to memory of 2828	660	{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe	39
PID 660 wrote to memory of 2828	660	{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe	39
PID 280 wrote to memory of 2616	280	{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe	40
PID 280 wrote to memory of 2616	280	{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe	40
PID 280 wrote to memory of 2616	280	{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe	40
PID 280 wrote to memory of 2616	280	{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe	40
PID 280 wrote to memory of 2208	280	{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe	41
PID 280 wrote to memory of 2208	280	{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe	41
PID 280 wrote to memory of 2208	280	{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe	41
PID 280 wrote to memory of 2208	280	{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe	41
PID 2616 wrote to memory of 1644	2616	{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe	42
PID 2616 wrote to memory of 1644	2616	{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe	42
PID 2616 wrote to memory of 1644	2616	{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe	42
PID 2616 wrote to memory of 1644	2616	{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe	42
PID 2616 wrote to memory of 1816	2616	{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe	43
PID 2616 wrote to memory of 1816	2616	{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe	43
PID 2616 wrote to memory of 1816	2616	{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe	43
PID 2616 wrote to memory of 1816	2616	{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe	43
PID 1644 wrote to memory of 2648	1644	{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe	44
PID 1644 wrote to memory of 2648	1644	{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe	44
PID 1644 wrote to memory of 2648	1644	{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe	44
PID 1644 wrote to memory of 2648	1644	{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe	44
PID 1644 wrote to memory of 1868	1644	{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe	45
PID 1644 wrote to memory of 1868	1644	{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe	45
PID 1644 wrote to memory of 1868	1644	{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe	45
PID 1644 wrote to memory of 1868	1644	{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\{C819E259-D0FE-4730-8147-2AA62DB17572}.exe
  C:\Windows\{C819E259-D0FE-4730-8147-2AA62DB17572}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe
    C:\Windows\{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe
      C:\Windows\{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1280
    - - C:\Windows\{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe
        
        C:\Windows\{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:660
      - C:\Windows\{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe
        
        C:\Windows\{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe
        
        C:\Windows\{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe
        
        C:\Windows\{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}.exe
        
        C:\Windows\{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}.exe
        
        C:\Windows\{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\{804808BB-87A7-46d1-864C-390C5E42BCB3}.exe
        
        C:\Windows\{804808BB-87A7-46d1-864C-390C5E42BCB3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\{57B46668-E810-48de-9146-B1E7379F79AD}.exe
        
        C:\Windows\{57B46668-E810-48de-9146-B1E7379F79AD}.exe
        12⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80480~1.EXE > nul
        12⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44E59~1.EXE > nul
        11⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEBAF~1.EXE > nul
        10⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18F0C~1.EXE > nul
        9⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69806~1.EXE > nul
        8⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77414~1.EXE > nul
        7⤵
        
        PID:2208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{383A5~1.EXE > nul
        6⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C55E1~1.EXE > nul
        5⤵
        
        PID:568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3AC9D~1.EXE > nul
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C819E~1.EXE > nul
    3⤵
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18F0C342-0DDD-4cf7-9D44-02CFB6B4BC3E}.exe

Filesize
372KB

MD5
df02ac9989c3f91321e4bffaeef26639

SHA1
e4433e89e9287395c58e5011671c54704d6ee7e0

SHA256
cac52d55c85887790003e318785665dc4cd7011026a4661a6297ce75dbcbddc9

SHA512
fe2c09012d0553775d19bb886b30d1e77692db0f16c17d145a4bf9c096a4937d40570708c17370b35ab0e3e172d752e3a67d044db82209ae512cc7678c0ff30c

Download Submit
C:\Windows\{383A539D-DEF2-4414-82BF-136D95CB1BA7}.exe

Filesize
372KB

MD5
4a3e50a1566a4b00c66ce2ba9ebf232a

SHA1
f28dda3d2870f00c55f5a16ee79f21a2c212f816

SHA256
07a563e681b9fa75fb1eccc34879e4c6f924771378b29fff1490d77487a95595

SHA512
aafaa1bc12a490ae875b5b925188dcd1cddbf1a550d19c620b8132dd16955b55e99edf651f1e6b971f237f2de05e502d1841245e3f31347d6f4b54ae5745a3a6

Download Submit
C:\Windows\{3AC9D7C0-A92B-413f-9EF7-B0E6F280C6A3}.exe

Filesize
372KB

MD5
217cf1e88160960f62272fab8d6d7e91

SHA1
346c2bfcc43c5ba73248d020b7d19a22b06493b6

SHA256
bc9d77c35fa9af306ce60a84ed8725946ff137895144c7dff51f9466474b65b8

SHA512
7790a5f49ccef25dfc1c6a8ea6d89f15804bc8910245be24f8379a4ce5b0f763fc165bba7464c90060870fa3c7b62a610acaf5135ef7055e0f8ffc9734672f3c

Download Submit
C:\Windows\{44E59BAF-A2E0-4397-AFCF-B3C527A9CD8C}.exe

Filesize
372KB

MD5
0b9ce4e4f226f3c1270b899dc8167cde

SHA1
4b76b16995797499cff5472084b036fc7529928e

SHA256
22819b83a67c339adadd936bc0b3c27c5449f507b8bfa97bb78657fc76c7860c

SHA512
192f6dc577956505e8c9cb352766965b4400b52bca2a5ab619cbd33da69b9db24e469d5b9921669bdcf9119bba19fb4db3679050f1d7c2fe9dbd83f138fbe791

Download Submit
C:\Windows\{57B46668-E810-48de-9146-B1E7379F79AD}.exe

Filesize
372KB

MD5
bf09f65fd56cf81735a9316f3fc07541

SHA1
29c3695332699fb15cff225d2f77a324b53b362d

SHA256
bc09f85d7639794bb09c93932ae010b7be6a088860ca3434edf7a5638111fbbf

SHA512
c4d76f9cb37e85e6fd4286082cfe4d4fa0e2d7a9ffed3c1d85d76b2ec9e705cccf5c527256e65b993c4a2b06a4cf8784b291d5a50b973a012505e2dc73c0a217

Download Submit
C:\Windows\{69806ECA-87F5-4ad5-BD5D-4849BCEF1D83}.exe

Filesize
372KB

MD5
25901a38b7bee1fb5bf8b15cb7c3f1dc

SHA1
3739c03ace9ffb1475248f1474b1b382300f1aa1

SHA256
3eae3205210d8a28df111ad0194e4052b43035b2326112651a2788939a005e12

SHA512
9627f795b2fdc29a83d442aa399b3d3c4124cd07447103174ba44f58c640dcaa4092804b43f460f6ab4a384e8052283ba4f626183298a76c998cd536c84eda99

Download Submit
C:\Windows\{77414E4E-61B9-4901-B3BC-89A6ED3D372F}.exe

Filesize
372KB

MD5
870fbe79d925ed6daedd0e36babebeb8

SHA1
35919e0914912690cc41c8260f5ab49e8044cb34

SHA256
29bb5bfd4c16327bf5999aec4934e7a2c90a51982ee3a3abd5a9440b774ba0d5

SHA512
07f320dd6ee21b7182257fdee9e535cab32edf0890dc85435c2ea234e70feaaa7093ed4d6a8fb3d765b6af2a7f5c7808e742cfad9b87e2f2325c9f18963cc6fa

Download Submit
C:\Windows\{804808BB-87A7-46d1-864C-390C5E42BCB3}.exe

Filesize
372KB

MD5
6efa1d37b25d9e070d4a58b8a08c00da

SHA1
643859cf12e84db289f55327d1daf993dea40d2e

SHA256
30a28219347bc00ef8c120b2bc339d54fba8df6ddfbb6dc2af2eac275a10aa06

SHA512
00c41c27ad821b067d7bcf88ccadf71bcf12f89cae54b1de2433d417d859399cf6a0fbadff22cfc10cc11f1b087f7c754eeeb97e0bfd0fce6cbe0dc970ee9b02

Download Submit
C:\Windows\{C55E1AFC-53A8-4728-8255-15C0E0A3F38F}.exe

Filesize
372KB

MD5
cc726558f9e379ca9e332ab2db944293

SHA1
d8c8d4475bc63f751c367a3694f184949ff273d7

SHA256
a3c77e34bf335900c324d80876f691135ae8dd89ea2d3831589c66a8321ea1e1

SHA512
89a3f2c6a01d00152c74bbb52709e743a8634b3812c44a43bf784d114c90c486f5104c0f8c3ca3c2e1c0779d6813e84ae107584c59ae9d5b04263411802e9cf4

Download Submit
C:\Windows\{C819E259-D0FE-4730-8147-2AA62DB17572}.exe

Filesize
372KB

MD5
2c367e7b57db022f653115bdf82619ee

SHA1
649cecda844470321f94c7949c7a598cfdf9ad74

SHA256
17448ae8866808d1c2200794c0d10fed30d854dc224118019282b3e22f17d010

SHA512
38cfa0f1de7966d56b9e52e65bc11ea97e08c5f654c46d0c526d677dec18bfc2e016a9dfc63be050ab3e19ec2975fe7d33f6fb89a47f8f892a4c20ea9354cc9d

Download Submit
C:\Windows\{FEBAFB5D-C956-4597-8B6F-356E8870EBF9}.exe

Filesize
372KB

MD5
918580ff0b9a71d06b9ec6e636c9b9c1

SHA1
d4e39631119e5389b8333d6aa0bd67d5fb0eeb66

SHA256
13a539b7c24d282915954798be46a7c4744c1ae832ae89ad892d8a3471957b32

SHA512
d9af0f7565c587f1f9f7e7888f67d901613dc80145492470ca14636b4718d5336cd41e7a79df2df17e20cec18348b355b7b8b2a7905683f2a54a70fc47902629

Download Submit