7cbc4d6e0c01be66e067f901ea31c8fdd072721971f9ff6d020e4cacbd8e2e54

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe
Size

168KB
MD5

82a2b4cd281ab7846611643e00925108
SHA1

ab2bef54ffba61ef123055730d5f9cac7c1b2138
SHA256

7cbc4d6e0c01be66e067f901ea31c8fdd072721971f9ff6d020e4cacbd8e2e54
SHA512

12f31160b0379c695c8eebd94b95717879a2cadecee8454a67d1b0269d671f8f758aa7ad7e329591761f8039f8ab2d407f87015d100c229d6b8b5d6e0aefd887
SSDEEP

1536:1EGh0o7lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o7lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe{19E08744-2D2E-4239-8953-DABFEF785620}.exe{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AC03C27-27CC-4916-B343-2F4AC224F458}\stubpath = "C:\\Windows\\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe"	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71E27B70-1D31-4c42-BF59-0E162E2AD381}	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E08744-2D2E-4239-8953-DABFEF785620}	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E08744-2D2E-4239-8953-DABFEF785620}\stubpath = "C:\\Windows\\{19E08744-2D2E-4239-8953-DABFEF785620}.exe"	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}\stubpath = "C:\\Windows\\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe"	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AC03C27-27CC-4916-B343-2F4AC224F458}	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}\stubpath = "C:\\Windows\\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe"	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}\stubpath = "C:\\Windows\\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe"	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}	{19E08744-2D2E-4239-8953-DABFEF785620}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}	{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71E27B70-1D31-4c42-BF59-0E162E2AD381}\stubpath = "C:\\Windows\\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe"	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}\stubpath = "C:\\Windows\\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe"	{19E08744-2D2E-4239-8953-DABFEF785620}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}	{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}\stubpath = "C:\\Windows\\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe"	{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}\stubpath = "C:\\Windows\\{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}.exe"	{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}\stubpath = "C:\\Windows\\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe"	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}\stubpath = "C:\\Windows\\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe"	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2696 cmd.exe

pid	process
2696	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe{19E08744-2D2E-4239-8953-DABFEF785620}.exe{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}.exe

pid	process
1032	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe
2680	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe
2676	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe
324	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe
2776	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe
864	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe
1924	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe
2604	{19E08744-2D2E-4239-8953-DABFEF785620}.exe
1576	{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe
2952	{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe
2132	{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}.exe

Drops file in Windows directory 11 IoCs

Processes:

{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe{19E08744-2D2E-4239-8953-DABFEF785620}.exe{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe

description	ioc	process
File created	C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe
File created	C:\Windows\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe	{19E08744-2D2E-4239-8953-DABFEF785620}.exe
File created	C:\Windows\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe	{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe
File created	C:\Windows\{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}.exe	{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe
File created	C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe
File created	C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe
File created	C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe
File created	C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe
File created	C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe
File created	C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe
File created	C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe{19E08744-2D2E-4239-8953-DABFEF785620}.exe{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2056	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1032	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe
Token: SeIncBasePriorityPrivilege	2680	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe
Token: SeIncBasePriorityPrivilege	2676	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe
Token: SeIncBasePriorityPrivilege	324	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe
Token: SeIncBasePriorityPrivilege	2776	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe
Token: SeIncBasePriorityPrivilege	864	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe
Token: SeIncBasePriorityPrivilege	1924	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe
Token: SeIncBasePriorityPrivilege	2604	{19E08744-2D2E-4239-8953-DABFEF785620}.exe
Token: SeIncBasePriorityPrivilege	1576	{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe
Token: SeIncBasePriorityPrivilege	2952	{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2056 wrote to memory of 1032	2056	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe
PID 2056 wrote to memory of 1032	2056	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe
PID 2056 wrote to memory of 1032	2056	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe
PID 2056 wrote to memory of 1032	2056	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe
PID 2056 wrote to memory of 2696	2056	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe	cmd.exe
PID 2056 wrote to memory of 2696	2056	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe	cmd.exe
PID 2056 wrote to memory of 2696	2056	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe	cmd.exe
PID 2056 wrote to memory of 2696	2056	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe	cmd.exe
PID 1032 wrote to memory of 2680	1032	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe
PID 1032 wrote to memory of 2680	1032	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe
PID 1032 wrote to memory of 2680	1032	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe
PID 1032 wrote to memory of 2680	1032	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe
PID 1032 wrote to memory of 2716	1032	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe	cmd.exe
PID 1032 wrote to memory of 2716	1032	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe	cmd.exe
PID 1032 wrote to memory of 2716	1032	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe	cmd.exe
PID 1032 wrote to memory of 2716	1032	{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe	cmd.exe
PID 2680 wrote to memory of 2676	2680	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe
PID 2680 wrote to memory of 2676	2680	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe
PID 2680 wrote to memory of 2676	2680	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe
PID 2680 wrote to memory of 2676	2680	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe
PID 2680 wrote to memory of 2616	2680	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe	cmd.exe
PID 2680 wrote to memory of 2616	2680	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe	cmd.exe
PID 2680 wrote to memory of 2616	2680	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe	cmd.exe
PID 2680 wrote to memory of 2616	2680	{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe	cmd.exe
PID 2676 wrote to memory of 324	2676	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe
PID 2676 wrote to memory of 324	2676	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe
PID 2676 wrote to memory of 324	2676	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe
PID 2676 wrote to memory of 324	2676	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe
PID 2676 wrote to memory of 976	2676	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe	cmd.exe
PID 2676 wrote to memory of 976	2676	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe	cmd.exe
PID 2676 wrote to memory of 976	2676	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe	cmd.exe
PID 2676 wrote to memory of 976	2676	{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe	cmd.exe
PID 324 wrote to memory of 2776	324	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe
PID 324 wrote to memory of 2776	324	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe
PID 324 wrote to memory of 2776	324	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe
PID 324 wrote to memory of 2776	324	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe
PID 324 wrote to memory of 2852	324	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe	cmd.exe
PID 324 wrote to memory of 2852	324	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe	cmd.exe
PID 324 wrote to memory of 2852	324	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe	cmd.exe
PID 324 wrote to memory of 2852	324	{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe	cmd.exe
PID 2776 wrote to memory of 864	2776	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe
PID 2776 wrote to memory of 864	2776	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe
PID 2776 wrote to memory of 864	2776	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe
PID 2776 wrote to memory of 864	2776	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe
PID 2776 wrote to memory of 308	2776	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe	cmd.exe
PID 2776 wrote to memory of 308	2776	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe	cmd.exe
PID 2776 wrote to memory of 308	2776	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe	cmd.exe
PID 2776 wrote to memory of 308	2776	{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe	cmd.exe
PID 864 wrote to memory of 1924	864	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe
PID 864 wrote to memory of 1924	864	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe
PID 864 wrote to memory of 1924	864	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe
PID 864 wrote to memory of 1924	864	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe
PID 864 wrote to memory of 1364	864	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe	cmd.exe
PID 864 wrote to memory of 1364	864	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe	cmd.exe
PID 864 wrote to memory of 1364	864	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe	cmd.exe
PID 864 wrote to memory of 1364	864	{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe	cmd.exe
PID 1924 wrote to memory of 2604	1924	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe	{19E08744-2D2E-4239-8953-DABFEF785620}.exe
PID 1924 wrote to memory of 2604	1924	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe	{19E08744-2D2E-4239-8953-DABFEF785620}.exe
PID 1924 wrote to memory of 2604	1924	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe	{19E08744-2D2E-4239-8953-DABFEF785620}.exe
PID 1924 wrote to memory of 2604	1924	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe	{19E08744-2D2E-4239-8953-DABFEF785620}.exe
PID 1924 wrote to memory of 1636	1924	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe	cmd.exe
PID 1924 wrote to memory of 1636	1924	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe	cmd.exe
PID 1924 wrote to memory of 1636	1924	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe	cmd.exe
PID 1924 wrote to memory of 1636	1924	{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe
C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe
C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{16FC0~1.EXE > nul
4⤵
PID:2616

C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe
C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe
C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe
C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0FBED~1.EXE > nul
7⤵
PID:308

C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe
C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{71E27~1.EXE > nul
8⤵
PID:1364

C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe
C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe
C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe
C:\Windows\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe
C:\Windows\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}.exe
C:\Windows\{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}.exe
12⤵
- Executes dropped EXE
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DBE66~1.EXE > nul
12⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5C873~1.EXE > nul
11⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{19E08~1.EXE > nul
10⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{23DB0~1.EXE > nul
9⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0AC03~1.EXE > nul
6⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3EE15~1.EXE > nul
5⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B4614~1.EXE > nul
3⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe

Filesize
168KB

MD5
cacadb5beead67697a4be3e4c49989dd

SHA1
0b3238dbf2a46fd1e7f7440ea6f5415d66f10c65

SHA256
4e33a1ad56df8dee7363ad726ec61713048fc5b9b7a5b62e177dd67a2c1f69c3

SHA512
35c3373336167046ec0c59f2bb9577531827fa224dc2cb83a1e60d3515c75032f1ef5a4f655f91996f92072b8477021c99cdefcc422e2163a6ee951dfb7aa3c2

Download Submit
C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe

Filesize
168KB

MD5
fe8fc635b6ec2cf27fda3217c652cb53

SHA1
283ef87ed4c81b6b13d205787cac0170789310b3

SHA256
f0facdf16413cc095f5c0f5e01d6493ed3e3f9d152c5de8ec7213e47b28a9d47

SHA512
c119e867484fda0cd7b3614c6ac755ee745d52cb234e71530fecda6030140cecc4d43d66935805f9ccae8ae8718aa15288f1835bac333e18859a061b179a8825

Download Submit
C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe

Filesize
168KB

MD5
18fcc94e776b63fd19a2adc7abce5d7b

SHA1
18354da0850abc62b1c298197ad337878dfa3078

SHA256
5b1c6c3d58f65467db09ddff8289813346f56fe259d78c94cbe2e4f32b9de5ef

SHA512
75c6273d56dc618fa7923f738adff7c7619f45206cf53d93b4d998d197b1abfb1786f6608ae5491398c4df7bb0bb64aadcf523e292558f666c3a79d9283596e6

Download Submit
C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe

Filesize
168KB

MD5
f78165ea49828b15f056ed764984cd81

SHA1
feeb3a7213344219b65a0e65498a4ca36d9a4579

SHA256
55e5567f0aa17a79f703c389c28d11589344e25758dd2f2205832d749d0db5f7

SHA512
6f3e61ed61571aea43c758307562df141b140202e29ef6d9ad2f0def4ae501a54e20f645a6eda3b33febed5e0e84de922bcd94a1633e9e3d3aa347680adc33de

Download Submit
C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe

Filesize
168KB

MD5
129cee2900c1c6dac514e5616fe4b89c

SHA1
52c8ee9712a37ec65a74d8735691a41aa0380988

SHA256
8f994f91206d7c2cf1d6ad1972c2a031debce15f936f51c3efe27baae6c01dfc

SHA512
4757d8872068451e6ac4126fed3a1295229c8201886b59404b90b863544abeb51503d090fa8e83549cd05452c6410bf2a7932e36d890f46b36823acd7bd641b5

Download Submit
C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe

Filesize
168KB

MD5
9db47a191c0a465c039a444678a8bc61

SHA1
cf369708cc42f8c177a7d055cccdb7614fe087e9

SHA256
46977a5b92aee18f63590f3b2c6c2857b3ae990bce1d602a31ebe89d77f634ed

SHA512
d6c3b4cd4809535acbe3479f0fe491eb498041d87f9e235900e3aec9b1798af5228cf986a1e1e2b4e49c7edd35cd05ebed775b26f7a2df0773f879d357902ec8

Download Submit
C:\Windows\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe

Filesize
168KB

MD5
80442e84d4a2585adb951a2e4e4bf054

SHA1
efc27472de185f7a52087460139ec4b57733988e

SHA256
135b9d7254e7d72b15633dce74ddaf67b26f46835ee177adf1bdfd221861febd

SHA512
155f6f55ba5e62f3effce159191d8404eb67fd8393ab8ced89b1f7c156d8ccd2e11cc9d7ebb31a9e39430c44d10d01911974075f219c39077631c684d71b1ef9

Download Submit
C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe

Filesize
168KB

MD5
892ecfb5909f6162a7a1c655fa96b62a

SHA1
9cb8be32fe84af119f5f14c19f1bf0e92ac7110d

SHA256
481a380a3ccacd070b3ab749551ea18a9f9b5794e6a2c1e0cd3aba1261ce28e8

SHA512
0a66c2b560542068e71e0cb832d309a869642f0bc6d97a3e6abdede5c9825bab92a5901ee2630cebb3befb6c29037893d4a6c2a1105bb96bb86440ceffcf46a3

Download Submit
C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe

Filesize
168KB

MD5
19f9c90d637b2d6bdc733ceda4b8f60c

SHA1
1b8e03776b79209b8c84138192e766510376d8a9

SHA256
6ec62ebce90b497f02ec64178822e4f5d6e3549b364e47eafbe07b118040a2e5

SHA512
d56ae1c95b613991aa1ed5286f77b4731c9d5ab55705cffdb6ef2424a6ff08019dd37fa8c5dfdce8cae676b271690aa50eda5644f7be2d0b9d6074678e1038dd

Download Submit
C:\Windows\{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}.exe

Filesize
168KB

MD5
91e95812beaa2ae0234641d91afc62a1

SHA1
9400fdbcbe06656841fe572d212022d183fe6f59

SHA256
e3a08858f47f4cfb0d10425745ac70098bed9100911f3c413332125184e308ce

SHA512
f19e39225210f974bcb59faa3e71ba901237038f9412c096a5e4628b92934103a0bdad922014ed4a0056e68c07a0cbdefc6b4988353d7a9e498b280da62b6ec6

Download Submit
C:\Windows\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe

Filesize
168KB

MD5
159af159816c1f151c9b377302c5f000

SHA1
ef64640a34d7ca48089b033aab96db8a78fba380

SHA256
9853f47603eefad6dcce978efeb1182070a280e9e70b84413f3fa19b82f00dd5

SHA512
e62bd2ce9002bd5ac4bec50e9d8bd4db70f8541d0f490420b334320cd26c30750dbf5c629f88b6eb53b5ca29f745c61387223284a8ba4ce92f89d7c784ecb883

Download Submit