cb468bfa4b86df6fe53dd138d892972e44f680edc756af3f27d3aa00164b030f

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe
Size

344KB
MD5

8775b09a69c8c3f6524395e50dd16b35
SHA1

e688394efbe45b5e928393a761ad46fd8dc0d232
SHA256

cb468bfa4b86df6fe53dd138d892972e44f680edc756af3f27d3aa00164b030f
SHA512

9e90551f09a614f45e3338c892fd744089bbba177249fc626eaf0ac79525ebb9c82f599a42de9420737433cb9286ff1d6a189bdfbdb52c99d5483c3f2fa3ae19
SSDEEP

3072:mEGh0o9lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGblqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BECDE457-6212-413c-BE1C-9B272472E97E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B19765E9-D336-4126-8A6D-3E06C52523DD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B820563A-83D6-45f4-98EF-7C8FFEEBB448}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D71488F6-9E4A-4b41-9C54-7FDCBC89FB34}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe{B19765E9-D336-4126-8A6D-3E06C52523DD}.exe2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe{BECDE457-6212-413c-BE1C-9B272472E97E}.exe{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe{B820563A-83D6-45f4-98EF-7C8FFEEBB448}.exe{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B820563A-83D6-45f4-98EF-7C8FFEEBB448}\stubpath = "C:\\Windows\\{B820563A-83D6-45f4-98EF-7C8FFEEBB448}.exe"	{B19765E9-D336-4126-8A6D-3E06C52523DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB426A03-8F75-401c-9DAC-55CE00293E03}\stubpath = "C:\\Windows\\{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe"	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A04B4CC4-106B-4296-A916-FB8E6495EFB4}\stubpath = "C:\\Windows\\{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe"	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BECDE457-6212-413c-BE1C-9B272472E97E}\stubpath = "C:\\Windows\\{BECDE457-6212-413c-BE1C-9B272472E97E}.exe"	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A04B4CC4-106B-4296-A916-FB8E6495EFB4}	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB426A03-8F75-401c-9DAC-55CE00293E03}	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BECDE457-6212-413c-BE1C-9B272472E97E}	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}\stubpath = "C:\\Windows\\{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe"	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B19765E9-D336-4126-8A6D-3E06C52523DD}	{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B820563A-83D6-45f4-98EF-7C8FFEEBB448}	{B19765E9-D336-4126-8A6D-3E06C52523DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D71488F6-9E4A-4b41-9C54-7FDCBC89FB34}	{B820563A-83D6-45f4-98EF-7C8FFEEBB448}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}\stubpath = "C:\\Windows\\{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe"	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB20AB02-581B-4611-91CD-17B0B22A57A1}	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB20AB02-581B-4611-91CD-17B0B22A57A1}\stubpath = "C:\\Windows\\{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe"	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D71488F6-9E4A-4b41-9C54-7FDCBC89FB34}\stubpath = "C:\\Windows\\{D71488F6-9E4A-4b41-9C54-7FDCBC89FB34}.exe"	{B820563A-83D6-45f4-98EF-7C8FFEEBB448}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}\stubpath = "C:\\Windows\\{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe"	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}\stubpath = "C:\\Windows\\{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe"	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B19765E9-D336-4126-8A6D-3E06C52523DD}\stubpath = "C:\\Windows\\{B19765E9-D336-4126-8A6D-3E06C52523DD}.exe"	{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2728 cmd.exe

pid	process
2728	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe{BECDE457-6212-413c-BE1C-9B272472E97E}.exe{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe{B19765E9-D336-4126-8A6D-3E06C52523DD}.exe{B820563A-83D6-45f4-98EF-7C8FFEEBB448}.exe{D71488F6-9E4A-4b41-9C54-7FDCBC89FB34}.exe

pid	process
2356	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe
2972	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe
2744	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe
2484	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe
2992	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe
1224	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe
2856	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe
2920	{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe
1512	{B19765E9-D336-4126-8A6D-3E06C52523DD}.exe
2072	{B820563A-83D6-45f4-98EF-7C8FFEEBB448}.exe
2364	{D71488F6-9E4A-4b41-9C54-7FDCBC89FB34}.exe

Drops file in Windows directory 11 IoCs

Processes:

{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe{B820563A-83D6-45f4-98EF-7C8FFEEBB448}.exe{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe{BECDE457-6212-413c-BE1C-9B272472E97E}.exe{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe{B19765E9-D336-4126-8A6D-3E06C52523DD}.exe2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe

description	ioc	process
File created	C:\Windows\{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe
File created	C:\Windows\{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe
File created	C:\Windows\{B19765E9-D336-4126-8A6D-3E06C52523DD}.exe	{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe
File created	C:\Windows\{D71488F6-9E4A-4b41-9C54-7FDCBC89FB34}.exe	{B820563A-83D6-45f4-98EF-7C8FFEEBB448}.exe
File created	C:\Windows\{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe
File created	C:\Windows\{BECDE457-6212-413c-BE1C-9B272472E97E}.exe	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe
File created	C:\Windows\{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe
File created	C:\Windows\{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe
File created	C:\Windows\{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe
File created	C:\Windows\{B820563A-83D6-45f4-98EF-7C8FFEEBB448}.exe	{B19765E9-D336-4126-8A6D-3E06C52523DD}.exe
File created	C:\Windows\{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe{BECDE457-6212-413c-BE1C-9B272472E97E}.exe{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe{B19765E9-D336-4126-8A6D-3E06C52523DD}.exe{B820563A-83D6-45f4-98EF-7C8FFEEBB448}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1744	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2356	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe
Token: SeIncBasePriorityPrivilege	2972	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe
Token: SeIncBasePriorityPrivilege	2744	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe
Token: SeIncBasePriorityPrivilege	2484	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe
Token: SeIncBasePriorityPrivilege	2992	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe
Token: SeIncBasePriorityPrivilege	1224	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe
Token: SeIncBasePriorityPrivilege	2856	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe
Token: SeIncBasePriorityPrivilege	2920	{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe
Token: SeIncBasePriorityPrivilege	1512	{B19765E9-D336-4126-8A6D-3E06C52523DD}.exe
Token: SeIncBasePriorityPrivilege	2072	{B820563A-83D6-45f4-98EF-7C8FFEEBB448}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1744 wrote to memory of 2356	1744	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe
PID 1744 wrote to memory of 2356	1744	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe
PID 1744 wrote to memory of 2356	1744	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe
PID 1744 wrote to memory of 2356	1744	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe
PID 1744 wrote to memory of 2728	1744	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe	cmd.exe
PID 1744 wrote to memory of 2728	1744	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe	cmd.exe
PID 1744 wrote to memory of 2728	1744	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe	cmd.exe
PID 1744 wrote to memory of 2728	1744	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe	cmd.exe
PID 2356 wrote to memory of 2972	2356	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe
PID 2356 wrote to memory of 2972	2356	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe
PID 2356 wrote to memory of 2972	2356	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe
PID 2356 wrote to memory of 2972	2356	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe
PID 2356 wrote to memory of 2248	2356	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe	cmd.exe
PID 2356 wrote to memory of 2248	2356	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe	cmd.exe
PID 2356 wrote to memory of 2248	2356	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe	cmd.exe
PID 2356 wrote to memory of 2248	2356	{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe	cmd.exe
PID 2972 wrote to memory of 2744	2972	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe
PID 2972 wrote to memory of 2744	2972	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe
PID 2972 wrote to memory of 2744	2972	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe
PID 2972 wrote to memory of 2744	2972	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe
PID 2972 wrote to memory of 2692	2972	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe	cmd.exe
PID 2972 wrote to memory of 2692	2972	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe	cmd.exe
PID 2972 wrote to memory of 2692	2972	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe	cmd.exe
PID 2972 wrote to memory of 2692	2972	{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe	cmd.exe
PID 2744 wrote to memory of 2484	2744	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe
PID 2744 wrote to memory of 2484	2744	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe
PID 2744 wrote to memory of 2484	2744	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe
PID 2744 wrote to memory of 2484	2744	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe
PID 2744 wrote to memory of 2968	2744	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe	cmd.exe
PID 2744 wrote to memory of 2968	2744	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe	cmd.exe
PID 2744 wrote to memory of 2968	2744	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe	cmd.exe
PID 2744 wrote to memory of 2968	2744	{BECDE457-6212-413c-BE1C-9B272472E97E}.exe	cmd.exe
PID 2484 wrote to memory of 2992	2484	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe
PID 2484 wrote to memory of 2992	2484	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe
PID 2484 wrote to memory of 2992	2484	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe
PID 2484 wrote to memory of 2992	2484	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe
PID 2484 wrote to memory of 3024	2484	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe	cmd.exe
PID 2484 wrote to memory of 3024	2484	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe	cmd.exe
PID 2484 wrote to memory of 3024	2484	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe	cmd.exe
PID 2484 wrote to memory of 3024	2484	{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe	cmd.exe
PID 2992 wrote to memory of 1224	2992	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe
PID 2992 wrote to memory of 1224	2992	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe
PID 2992 wrote to memory of 1224	2992	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe
PID 2992 wrote to memory of 1224	2992	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe
PID 2992 wrote to memory of 1648	2992	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe	cmd.exe
PID 2992 wrote to memory of 1648	2992	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe	cmd.exe
PID 2992 wrote to memory of 1648	2992	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe	cmd.exe
PID 2992 wrote to memory of 1648	2992	{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe	cmd.exe
PID 1224 wrote to memory of 2856	1224	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe
PID 1224 wrote to memory of 2856	1224	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe
PID 1224 wrote to memory of 2856	1224	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe
PID 1224 wrote to memory of 2856	1224	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe
PID 1224 wrote to memory of 584	1224	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe	cmd.exe
PID 1224 wrote to memory of 584	1224	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe	cmd.exe
PID 1224 wrote to memory of 584	1224	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe	cmd.exe
PID 1224 wrote to memory of 584	1224	{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe	cmd.exe
PID 2856 wrote to memory of 2920	2856	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe	{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe
PID 2856 wrote to memory of 2920	2856	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe	{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe
PID 2856 wrote to memory of 2920	2856	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe	{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe
PID 2856 wrote to memory of 2920	2856	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe	{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe
PID 2856 wrote to memory of 2904	2856	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe	cmd.exe
PID 2856 wrote to memory of 2904	2856	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe	cmd.exe
PID 2856 wrote to memory of 2904	2856	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe	cmd.exe
PID 2856 wrote to memory of 2904	2856	{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe
C:\Windows\{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe
C:\Windows\{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\{BECDE457-6212-413c-BE1C-9B272472E97E}.exe
C:\Windows\{BECDE457-6212-413c-BE1C-9B272472E97E}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe
C:\Windows\{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe
C:\Windows\{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe
C:\Windows\{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe
C:\Windows\{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe
C:\Windows\{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{293E5~1.EXE > nul
10⤵
PID:1232

C:\Windows\{B19765E9-D336-4126-8A6D-3E06C52523DD}.exe
C:\Windows\{B19765E9-D336-4126-8A6D-3E06C52523DD}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\{B820563A-83D6-45f4-98EF-7C8FFEEBB448}.exe
C:\Windows\{B820563A-83D6-45f4-98EF-7C8FFEEBB448}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\{D71488F6-9E4A-4b41-9C54-7FDCBC89FB34}.exe
C:\Windows\{D71488F6-9E4A-4b41-9C54-7FDCBC89FB34}.exe
12⤵
- Executes dropped EXE
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B8205~1.EXE > nul
12⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B1976~1.EXE > nul
11⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6F2C8~1.EXE > nul
9⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7D3E1~1.EXE > nul
8⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BB20A~1.EXE > nul
7⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A04B4~1.EXE > nul
6⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BECDE~1.EXE > nul
5⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F94EB~1.EXE > nul
4⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FB426~1.EXE > nul
3⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{293E598B-3EDB-4d99-9DC9-D37F7B63B9DA}.exe

Filesize
344KB

MD5
85ac183b7dc1c6d1911e3ed2358279ae

SHA1
cee638535157f050d459942a66e793755ac7e2a0

SHA256
c08d53846fcd8398e0a14c4f5d441b7d5ff8ba24f9808f91133d356832ce0219

SHA512
eccfd4037d690cb7700e64c2d0d49f9c2a0f04bdbd57930a0cb2ec09ccd42fa37fc1917706f909a1188c4cc8990241ce8c47650408479c7c3ecb61249edcafc9

Download Submit
C:\Windows\{6F2C881E-E16E-4f87-87C5-C6548E2EE7AD}.exe

Filesize
344KB

MD5
362232ac6dfae7a465b0dca1743423dc

SHA1
6d53eac6006e3d678b1da58ce274cc07e89ed739

SHA256
c7a620abd0610668be38028d027b9072a4f1758471b288d82364989cf81d911a

SHA512
a3c9e19233186004f7893b38594e5144728061860d6856b873f233bc9efc950cb4ac4777a858ea67033534e345933792fc456136b849ea6fbebdb6288e737dac

Download Submit
C:\Windows\{7D3E1F4F-36DD-4eee-A163-4A86ED04402E}.exe

Filesize
344KB

MD5
4dce689d1cd0b79792a5469bd729f7e8

SHA1
90f97799c5ff5c2c004eb5697da9c3076305d234

SHA256
4daab7dfd13e0c9d33185b151504159305fb410ca6141469802149e70be80f9c

SHA512
6ad0fbdb2271e1b3f1e697995ef4b3774d67086fcd216803fe5aaa39419732c5c261de299597dd1dc2c5990a326867806b73d551a795e8db386bd587d92ad037

Download Submit
C:\Windows\{A04B4CC4-106B-4296-A916-FB8E6495EFB4}.exe

Filesize
344KB

MD5
0390cfd62422965f62aa3ac7e243791a

SHA1
a45040e5790d6cadb57711b880167ee6780e9726

SHA256
47b50f4e26a8cf3c722288da62a0bbe9f2d5f765aba20728ae72ce8044492b81

SHA512
b3dbae5e93057cfd34168fe23b557e5404f4bc57d33599c518eb117643f244abfc69168ddfcf5b5945255fa377694cd828f11787d9d16606b195306099b54d86

Download Submit
C:\Windows\{B19765E9-D336-4126-8A6D-3E06C52523DD}.exe

Filesize
344KB

MD5
34c23b8ac3803eb5213bad48ea0d6e5f

SHA1
478fa1131e0fd3ec24803211d1e207afcc0d9283

SHA256
3ab64a7070471a2fe27f9a0b0b055ddc64875470aa8bac03de3c1f3dc567cb5f

SHA512
8f9dbaf83da8521c3d075422cb3927cdfd2ad8964270a475adcdc13ca4da19ba7811350b73598509c0e2b50bcb34850b08616b17df7d5bb3afcbbc435ca820bf

Download Submit
C:\Windows\{B820563A-83D6-45f4-98EF-7C8FFEEBB448}.exe

Filesize
344KB

MD5
788935533d968a4f334392200c8a71fb

SHA1
78d324aa7e68a2808021cced0a389fa5df94f3ed

SHA256
660031b0131d2fd4fcc6a077abf910873c816832b39aa02c2e2b694bcdff89c3

SHA512
368486a2131586ac65483dd15cb46f428c8a4fa1ee3fc86eafa92602d054e661f66128398f51921c053595e9609da64e3170d1e553f9c3ccf442dbeec9469673

Download Submit
C:\Windows\{BB20AB02-581B-4611-91CD-17B0B22A57A1}.exe

Filesize
344KB

MD5
1572c3dd5999d4c58b97ce737a4b2a5c

SHA1
625656c2e91dbdfa2eaf6620d9250322437c5091

SHA256
820e67eeabdf867b7959e9494a80c5dfc68f1627091eebb1c955eb8c057dc9a7

SHA512
b3ae30a493ef160f2e49bbb4359bf81d0802f0b5987a824e4ec4a69159cbd80d093f59ba53e32ebe1f76390b31a8065fc6b9f503c3f7d7a836147f1d9b30bbf2

Download Submit
C:\Windows\{BECDE457-6212-413c-BE1C-9B272472E97E}.exe

Filesize
344KB

MD5
7d459d490f5280b726396efac953f6a4

SHA1
a333e1fef4683ef76b0846f5ee7a191733c5d531

SHA256
1941e0f3fa5896a1a2fcb126280efa4b8bcce1930bedf2f77da6f3bfe7f0fe82

SHA512
dc6babc18e9c4435349e93117ef4b46a11b5dc528fc20260bd8237d855cba19748ccb49c53cf0a8abcd9876156771cdd86d7c6c7a38c6ebeb647dd468629c9a6

Download Submit
C:\Windows\{D71488F6-9E4A-4b41-9C54-7FDCBC89FB34}.exe

Filesize
344KB

MD5
87e69f02bdcb5bb30dcbe3753f356447

SHA1
4dc37f8b762b87bd6b4e11e9d712b8abecd38cc4

SHA256
9edf39d435c35db8df3b3b754233aa541aceff1f4ca21d8690482c8d1b2a7e05

SHA512
3b978837776fe0d878750cdad451e032c2f8c68eaec3962b5dd7fda377aefd7108e61876b061d64880bcdb5e56e848d5d78b426fd00e553c45bd0f429672732a

Download Submit
C:\Windows\{F94EB374-0372-4f8a-B6C5-E42FED46C9B8}.exe

Filesize
344KB

MD5
791b2d8bb4699e9acaaf16b6ddae89d1

SHA1
3ad31f248149372102241d8016acfa422e418207

SHA256
480f6b28babcf8b46f265e4932a777dadc514d03fcaeb5d4f1dddb01f9cffa58

SHA512
666a04b7c93876172a1cc6748377e39de80a8d7dae5ef07b5f720917e1d87336eef39a19c0cf2d6bbc885e7d90713ce321209721c5211bb1059efb459a677a9f

Download Submit
C:\Windows\{FB426A03-8F75-401c-9DAC-55CE00293E03}.exe

Filesize
344KB

MD5
cb909f2b326b1069854d65d001208b50

SHA1
22c37a29b3660b6f5c63484f99049de3f269bb03

SHA256
492db32b99e85c3db89802b252e7e1fbabb8d4d8ce85ed412eb24c978129d540

SHA512
5755c3fa538c0fe1f69d5310c0458dc62fdb0543b13af60b27dba7ddfcbc908a15c40dd10ae490de3678fc855c5bf0cbaf0e57c56e2b598f4067a4598bba3a96

Download Submit