c6fd2dbb502cc870835c35c6595b481359b0dea8b68aa123c08b8aa4997b4920

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe
Size

408KB
MD5

89617b58056b84659001ffdef2bfff55
SHA1

8c2d868c7d39529144454b96225ec139dfa04ea5
SHA256

c6fd2dbb502cc870835c35c6595b481359b0dea8b68aa123c08b8aa4997b4920
SHA512

8a3aeecd1cc40e4790aabb86724d8421b3e51e8a37fd7b6aa2c67f8cf5f25df5640473d2eeb716711d29418c7f3340c712db0a28b4e2292708ba044ca5ea95c6
SSDEEP

3072:CEGh0odl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGfldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000012284-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014b9a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012284-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012284-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012284-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012284-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012284-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe{52668071-2F59-4dfa-A3DD-07072B66D51A}.exe2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}.exe{772F9291-CC72-416a-AAE4-A6FD396D4CE3}.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}	{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7B28797-A14B-4cd9-BECE-44E1323E2658}\stubpath = "C:\\Windows\\{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe"	{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}\stubpath = "C:\\Windows\\{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}.exe"	{52668071-2F59-4dfa-A3DD-07072B66D51A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2A0224C-32DA-400f-BBEF-FBC012B92F74}\stubpath = "C:\\Windows\\{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe"	{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}	{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}	{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}\stubpath = "C:\\Windows\\{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe"	{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{772F9291-CC72-416a-AAE4-A6FD396D4CE3}\stubpath = "C:\\Windows\\{772F9291-CC72-416a-AAE4-A6FD396D4CE3}.exe"	{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}\stubpath = "C:\\Windows\\{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe"	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}\stubpath = "C:\\Windows\\{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe"	{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01E58932-EFC9-4c33-B72D-AE14F4877950}	{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01E58932-EFC9-4c33-B72D-AE14F4877950}\stubpath = "C:\\Windows\\{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe"	{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7B28797-A14B-4cd9-BECE-44E1323E2658}	{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87B9723C-E24B-4a96-84F1-5E70E0F7F3F8}	{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87B9723C-E24B-4a96-84F1-5E70E0F7F3F8}\stubpath = "C:\\Windows\\{87B9723C-E24B-4a96-84F1-5E70E0F7F3F8}.exe"	{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2A0224C-32DA-400f-BBEF-FBC012B92F74}	{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}\stubpath = "C:\\Windows\\{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe"	{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{772F9291-CC72-416a-AAE4-A6FD396D4CE3}	{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52668071-2F59-4dfa-A3DD-07072B66D51A}	{772F9291-CC72-416a-AAE4-A6FD396D4CE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52668071-2F59-4dfa-A3DD-07072B66D51A}\stubpath = "C:\\Windows\\{52668071-2F59-4dfa-A3DD-07072B66D51A}.exe"	{772F9291-CC72-416a-AAE4-A6FD396D4CE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}	{52668071-2F59-4dfa-A3DD-07072B66D51A}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2752	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe{772F9291-CC72-416a-AAE4-A6FD396D4CE3}.exe{52668071-2F59-4dfa-A3DD-07072B66D51A}.exe{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}.exe{87B9723C-E24B-4a96-84F1-5E70E0F7F3F8}.exe

pid	Process
2312	{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe
2844	{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe
2824	{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe
2924	{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe
2992	{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe
1764	{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe
1600	{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe
976	{772F9291-CC72-416a-AAE4-A6FD396D4CE3}.exe
576	{52668071-2F59-4dfa-A3DD-07072B66D51A}.exe
2836	{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}.exe
784	{87B9723C-E24B-4a96-84F1-5E70E0F7F3F8}.exe

Drops file in Windows directory 11 IoCs

Processes:

2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe{772F9291-CC72-416a-AAE4-A6FD396D4CE3}.exe{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe{52668071-2F59-4dfa-A3DD-07072B66D51A}.exe{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}.exe

description	ioc	Process
File created	C:\Windows\{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe
File created	C:\Windows\{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe	{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe
File created	C:\Windows\{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe	{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe
File created	C:\Windows\{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe	{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe
File created	C:\Windows\{52668071-2F59-4dfa-A3DD-07072B66D51A}.exe	{772F9291-CC72-416a-AAE4-A6FD396D4CE3}.exe
File created	C:\Windows\{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe	{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe
File created	C:\Windows\{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe	{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe
File created	C:\Windows\{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe	{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe
File created	C:\Windows\{772F9291-CC72-416a-AAE4-A6FD396D4CE3}.exe	{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe
File created	C:\Windows\{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}.exe	{52668071-2F59-4dfa-A3DD-07072B66D51A}.exe
File created	C:\Windows\{87B9723C-E24B-4a96-84F1-5E70E0F7F3F8}.exe	{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe{772F9291-CC72-416a-AAE4-A6FD396D4CE3}.exe{52668071-2F59-4dfa-A3DD-07072B66D51A}.exe{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	2276	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2312	{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe
Token: SeIncBasePriorityPrivilege	2844	{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe
Token: SeIncBasePriorityPrivilege	2824	{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe
Token: SeIncBasePriorityPrivilege	2924	{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe
Token: SeIncBasePriorityPrivilege	2992	{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe
Token: SeIncBasePriorityPrivilege	1764	{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe
Token: SeIncBasePriorityPrivilege	1600	{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe
Token: SeIncBasePriorityPrivilege	976	{772F9291-CC72-416a-AAE4-A6FD396D4CE3}.exe
Token: SeIncBasePriorityPrivilege	576	{52668071-2F59-4dfa-A3DD-07072B66D51A}.exe
Token: SeIncBasePriorityPrivilege	2836	{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 2276 wrote to memory of 2312	2276	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe	28
PID 2276 wrote to memory of 2312	2276	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe	28
PID 2276 wrote to memory of 2312	2276	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe	28
PID 2276 wrote to memory of 2312	2276	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe	28
PID 2276 wrote to memory of 2752	2276	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe	29
PID 2276 wrote to memory of 2752	2276	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe	29
PID 2276 wrote to memory of 2752	2276	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe	29
PID 2276 wrote to memory of 2752	2276	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe	29
PID 2312 wrote to memory of 2844	2312	{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe	31
PID 2312 wrote to memory of 2844	2312	{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe	31
PID 2312 wrote to memory of 2844	2312	{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe	31
PID 2312 wrote to memory of 2844	2312	{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe	31
PID 2312 wrote to memory of 1172	2312	{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe	30
PID 2312 wrote to memory of 1172	2312	{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe	30
PID 2312 wrote to memory of 1172	2312	{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe	30
PID 2312 wrote to memory of 1172	2312	{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe	30
PID 2844 wrote to memory of 2824	2844	{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe	32
PID 2844 wrote to memory of 2824	2844	{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe	32
PID 2844 wrote to memory of 2824	2844	{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe	32
PID 2844 wrote to memory of 2824	2844	{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe	32
PID 2844 wrote to memory of 2656	2844	{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe	33
PID 2844 wrote to memory of 2656	2844	{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe	33
PID 2844 wrote to memory of 2656	2844	{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe	33
PID 2844 wrote to memory of 2656	2844	{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe	33
PID 2824 wrote to memory of 2924	2824	{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe	36
PID 2824 wrote to memory of 2924	2824	{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe	36
PID 2824 wrote to memory of 2924	2824	{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe	36
PID 2824 wrote to memory of 2924	2824	{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe	36
PID 2824 wrote to memory of 2896	2824	{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe	37
PID 2824 wrote to memory of 2896	2824	{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe	37
PID 2824 wrote to memory of 2896	2824	{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe	37
PID 2824 wrote to memory of 2896	2824	{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe	37
PID 2924 wrote to memory of 2992	2924	{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe	38
PID 2924 wrote to memory of 2992	2924	{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe	38
PID 2924 wrote to memory of 2992	2924	{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe	38
PID 2924 wrote to memory of 2992	2924	{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe	38
PID 2924 wrote to memory of 1548	2924	{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe	39
PID 2924 wrote to memory of 1548	2924	{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe	39
PID 2924 wrote to memory of 1548	2924	{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe	39
PID 2924 wrote to memory of 1548	2924	{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe	39
PID 2992 wrote to memory of 1764	2992	{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe	40
PID 2992 wrote to memory of 1764	2992	{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe	40
PID 2992 wrote to memory of 1764	2992	{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe	40
PID 2992 wrote to memory of 1764	2992	{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe	40
PID 2992 wrote to memory of 1644	2992	{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe	41
PID 2992 wrote to memory of 1644	2992	{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe	41
PID 2992 wrote to memory of 1644	2992	{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe	41
PID 2992 wrote to memory of 1644	2992	{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe	41
PID 1764 wrote to memory of 1600	1764	{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe	42
PID 1764 wrote to memory of 1600	1764	{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe	42
PID 1764 wrote to memory of 1600	1764	{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe	42
PID 1764 wrote to memory of 1600	1764	{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe	42
PID 1764 wrote to memory of 560	1764	{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe	43
PID 1764 wrote to memory of 560	1764	{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe	43
PID 1764 wrote to memory of 560	1764	{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe	43
PID 1764 wrote to memory of 560	1764	{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe	43
PID 1600 wrote to memory of 976	1600	{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe	45
PID 1600 wrote to memory of 976	1600	{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe	45
PID 1600 wrote to memory of 976	1600	{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe	45
PID 1600 wrote to memory of 976	1600	{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe	45
PID 1600 wrote to memory of 1508	1600	{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe	44
PID 1600 wrote to memory of 1508	1600	{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe	44
PID 1600 wrote to memory of 1508	1600	{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe	44
PID 1600 wrote to memory of 1508	1600	{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe
  C:\Windows\{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{781B8~1.EXE > nul
    3⤵
    PID:1172
- - C:\Windows\{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe
    C:\Windows\{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe
      C:\Windows\{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe
        
        C:\Windows\{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe
        
        C:\Windows\{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe
        
        C:\Windows\{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe
        
        C:\Windows\{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD71E~1.EXE > nul
        9⤵
        
        PID:1508
        
        C:\Windows\{772F9291-CC72-416a-AAE4-A6FD396D4CE3}.exe
        
        C:\Windows\{772F9291-CC72-416a-AAE4-A6FD396D4CE3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
        
        C:\Windows\{52668071-2F59-4dfa-A3DD-07072B66D51A}.exe
        
        C:\Windows\{52668071-2F59-4dfa-A3DD-07072B66D51A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52668~1.EXE > nul
        11⤵
        
        PID:1936
        
        C:\Windows\{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}.exe
        
        C:\Windows\{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\{87B9723C-E24B-4a96-84F1-5E70E0F7F3F8}.exe
        
        C:\Windows\{87B9723C-E24B-4a96-84F1-5E70E0F7F3F8}.exe
        12⤵
        Executes dropped EXE
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{226D4~1.EXE > nul
        12⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{772F9~1.EXE > nul
        10⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7B28~1.EXE > nul
        8⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF1EB~1.EXE > nul
        7⤵
        
        PID:1644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2A02~1.EXE > nul
        6⤵
        
        PID:1548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01E58~1.EXE > nul
        5⤵
        
        PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CDE1A~1.EXE > nul
      4⤵
      PID:2656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01E58932-EFC9-4c33-B72D-AE14F4877950}.exe

Filesize
408KB

MD5
921a391d884a5d386bf2b2bde4d8fbbe

SHA1
393427bde9286ee48b3e53d53edcd8fb86bdbce2

SHA256
540214fcf62330efc17e509780f68a54a0fa8e574255a6c3c6cee34ebc8e482a

SHA512
9eda3d1ab8e4949140aaa8696e9501a3d0ea9e35259fa022b7a0fe385bead269c08d6445c0e831dd83657751eed55574b17a3299e9deecd275c094e85f2a7ec5

Download Submit
C:\Windows\{226D4FCC-5A05-4741-BE11-C6FECCFA7CB3}.exe

Filesize
408KB

MD5
4aa660460c33d49e9bfddff41c079d65

SHA1
c2973f9bef310d495c98cfc394d948967541665b

SHA256
d3a1424cab08a0adba81c78e452eb1cfbab1c5a97fd0f71e1f4e57de50a0eb9b

SHA512
a30ab5370ad0fa77807983c55e4a3900b6850cc016ce52227bbb06cbb6a4d383e585afd3793462f987b8b78d926e8853ae9e6cd4930f47a69c0fa2ec94c2be5d

Download Submit
C:\Windows\{52668071-2F59-4dfa-A3DD-07072B66D51A}.exe

Filesize
408KB

MD5
7174e3d985b3160e4becaf25c26bcc48

SHA1
f2e33e5625038312a8592028fae937600a358ac2

SHA256
246c8dcc226622d4b5231619de62ae0a1237b65505d8cec7fb54bcac6523c4eb

SHA512
0073f2904e5a93ceecac1c80a1ef4d48bac33cca16e4d124914af0475e34602391b1cefb288f50a15ccf77083c9460ee1514c03b813ffa6749e555750ca2a063

Download Submit
C:\Windows\{772F9291-CC72-416a-AAE4-A6FD396D4CE3}.exe

Filesize
408KB

MD5
62c52a2630c1f4fa32fce44dbc25d986

SHA1
9f872e1cadea3dfa2d773fded8c156614558bf3c

SHA256
91010ee3d996766c674d33a23a3efcecb5921b3a3399cd8e0b79ee18c1f3f862

SHA512
7ceb6b8b3011e3e34cbe52c9b23f9b4da2e93572de258ce9e36366c9d78d4c536664fd5833369ec561f8a8eb0e6c8c532be1898100cddd878dd8cc14b741256c

Download Submit
C:\Windows\{772F9291-CC72-416a-AAE4-A6FD396D4CE3}.exe

Filesize
293KB

MD5
ab23d53f35aa53a8e17dd6059b82aaae

SHA1
d9d1a79cd1682f522203d1acf78ad4fe1571aa4a

SHA256
16e52242f94991a14a846a7ef076bd063ee7d9f14a3ee82d11113dd5a36613a5

SHA512
3150796223e67be18224a62212e5cf0936a4b5d194971d36b9cdaeb847320ac4d51e1de79db57552d59b73c985aa400a471cf89b3994a193a56297f321e5f726

Download Submit
C:\Windows\{781B85E6-F7AD-4893-9D37-16C0C7DB0EF9}.exe

Filesize
408KB

MD5
2e55341ebfcef839c70665bfcdfdf9fe

SHA1
06b9a732a3aecedc4d0ae9dcfef0f2f44ff477eb

SHA256
8e771e84d37c9923b5f5539cc4da4ebd0dda45f225ee9b05b29c504f393d6418

SHA512
74eca4332c66a47f6e71f9dae5be3b7928e1cec9e3b485d98e32e63a5857ed9970154e385595c2f25bc5eb02d38628f0eb464511d98b4e8ca06f8ebe27bb5149

Download Submit
C:\Windows\{87B9723C-E24B-4a96-84F1-5E70E0F7F3F8}.exe

Filesize
408KB

MD5
92d24015762377c537f40ca131fadee6

SHA1
1c4801c8029d611dd758266d8fba41d8b0ebbae0

SHA256
b9242416b8323a5b1795e96f007a5824901dbaf11586935a17f3b4efb02e4e01

SHA512
7a6436ffe2eef95f9ceb5bf10e07cc071f2cd1c8699c7f62b449f94c9243d075e10d42d73fd9760733de9a4f55fd664d6275002296e82891f7b540dd19f6e4aa

Download Submit
C:\Windows\{C2A0224C-32DA-400f-BBEF-FBC012B92F74}.exe

Filesize
408KB

MD5
d87e875c4209f5d39f783fd168a0a5ff

SHA1
52269ead628ecf7c7e7a5454d13ce1b323a7ca85

SHA256
7b3342003c4b2be5df0a42b315ad3787b5b686ec3b427f6c982f9a0c735ec1ad

SHA512
5e9ab47af4a35d0e4aa2f1e85334a9b8c80246d7e49c7bf757401c11299364d1df828d1037ca954fcb915f558f9158a5d8c4269d4dad9bfc37b634c8be155b11

Download Submit
C:\Windows\{CD71E9F9-3C25-49e7-B9C4-0CFB90DB9BE8}.exe

Filesize
408KB

MD5
cc9d8173035775a8e960bb4aa3e05a0a

SHA1
cc8946b9858b8dbe5f947f5b4c9fce359abf3fe8

SHA256
ac0cd9cabf69a9dbba3e0e264a0ba8333423111659a10272c6a85824eed5de04

SHA512
b43670e215eaeac2fe6aadf719ada6aa7300c65b2462fc6c65307a75ba6bda1f2f722f341815c8dfc6ebe3098a24d3213e16c62eb0adfd9b03d535d4eb7c5c6e

Download Submit
C:\Windows\{CDE1AE89-375F-417f-8FA3-A30ADFFF8250}.exe

Filesize
408KB

MD5
62d7e9fd8376e953cbd3623fe16f14d0

SHA1
1f8a2ddf783fcf6d1abc60c0146deed7baee5be8

SHA256
78207553d069d63c20e70dc2db72b28d72f0a1a8010e2885fd6b8215fa7d8936

SHA512
8b6ff149e8b6463f3f41ec91c9f7ab9d377811b181474ba22687923ce1b5ebff874a6fe167fa2fe1581821cd39a1b60aa421fce0484784fe7176ab132488e887

Download Submit
C:\Windows\{D7B28797-A14B-4cd9-BECE-44E1323E2658}.exe

Filesize
408KB

MD5
839f8fa68817ab47d41b7294854e8b87

SHA1
572af8c4ef42f6ab9b077e6fbe5b28d5173b0ad6

SHA256
438d000fe4ebfcaa76a711bfb2da8bd39b950a4e22eaa9663bb5bfbd49e0cc32

SHA512
7da4b80cb8c43b4ca199a299763cbe2f670ce3b161200699ca3e0746d7aeb006a2055f4bfc1f79dfb65e1806505301cf68329d68cab2ad35cf343adae92e5f97

Download Submit
C:\Windows\{EF1EB69C-0A09-49bb-BFA4-A3F3E107245C}.exe

Filesize
408KB

MD5
2edef02efbffa5e529bed07bfeff760e

SHA1
3066a9e124e5f4d688bdf7a70666134e71e1ee8f

SHA256
737c39932c01bf10cc1b2cd6e1021cece952e36a70d756cd0ffc26dff6128803

SHA512
efed64e1dc3c21b912730c974c0b90c41cc101e277999464edff4b312d4a8cb4e20c771577ce18a8c77a41dab0f85e7e4913451896ef0f3dbedd23a64fa4802e

Download Submit