6b93f59a8cd2eddc51651cbcf7bf7d6386a910beb7bd4bdc93be6ad8c3714bd8

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe
Size

180KB
MD5

8d15983b44ca410b26bcb1edb2e588f3
SHA1

c918100f2164d5e25cc71b4bc742a01b64e836f7
SHA256

6b93f59a8cd2eddc51651cbcf7bf7d6386a910beb7bd4bdc93be6ad8c3714bd8
SHA512

d34a0263343aca76e4f9f995f0d25d6bd67ef1bf2762f4315c57587ae63733b9fcc4e8dff89c914a598a93356aa995cff3bb98fee2158ef99d326a45777fdf7e
SSDEEP

3072:jEGh0o/lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGll5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe{17D57832-8389-4759-8B99-C609C534F0D2}.exe{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe{7B9438F7-0228-47c5-80ED-CB1080927667}.exe{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe{3BF808C1-877E-44fe-8EE4-163492890F64}.exe{06622EAC-1E52-406b-B4E5-208306A316A9}.exe{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe{72F854BA-FF15-4632-9317-A804AA7D7866}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2E54950-01EC-4912-BAD5-05437E604CE2}\stubpath = "C:\\Windows\\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe"	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17D57832-8389-4759-8B99-C609C534F0D2}\stubpath = "C:\\Windows\\{17D57832-8389-4759-8B99-C609C534F0D2}.exe"	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF808C1-877E-44fe-8EE4-163492890F64}\stubpath = "C:\\Windows\\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe"	{17D57832-8389-4759-8B99-C609C534F0D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F854BA-FF15-4632-9317-A804AA7D7866}	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}	{7B9438F7-0228-47c5-80ED-CB1080927667}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F854BA-FF15-4632-9317-A804AA7D7866}\stubpath = "C:\\Windows\\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe"	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}	{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2E54950-01EC-4912-BAD5-05437E604CE2}	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17D57832-8389-4759-8B99-C609C534F0D2}	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06622EAC-1E52-406b-B4E5-208306A316A9}	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06622EAC-1E52-406b-B4E5-208306A316A9}\stubpath = "C:\\Windows\\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe"	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}\stubpath = "C:\\Windows\\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe"	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B9438F7-0228-47c5-80ED-CB1080927667}\stubpath = "C:\\Windows\\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe"	{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF808C1-877E-44fe-8EE4-163492890F64}	{17D57832-8389-4759-8B99-C609C534F0D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}\stubpath = "C:\\Windows\\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe"	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}\stubpath = "C:\\Windows\\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe"	{7B9438F7-0228-47c5-80ED-CB1080927667}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}\stubpath = "C:\\Windows\\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe"	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}\stubpath = "C:\\Windows\\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe"	{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B9438F7-0228-47c5-80ED-CB1080927667}	{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1892 cmd.exe

pid	process
1892	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe{17D57832-8389-4759-8B99-C609C534F0D2}.exe{3BF808C1-877E-44fe-8EE4-163492890F64}.exe{06622EAC-1E52-406b-B4E5-208306A316A9}.exe{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe{72F854BA-FF15-4632-9317-A804AA7D7866}.exe{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe{7B9438F7-0228-47c5-80ED-CB1080927667}.exe{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe

pid	process
2972	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe
2308	{17D57832-8389-4759-8B99-C609C534F0D2}.exe
2948	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe
2848	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe
3032	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe
1088	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe
1064	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe
304	{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe
288	{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe
2568	{7B9438F7-0228-47c5-80ED-CB1080927667}.exe
1884	{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe

Drops file in Windows directory 11 IoCs

Processes:

{3BF808C1-877E-44fe-8EE4-163492890F64}.exe{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe{72F854BA-FF15-4632-9317-A804AA7D7866}.exe{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe{7B9438F7-0228-47c5-80ED-CB1080927667}.exe{17D57832-8389-4759-8B99-C609C534F0D2}.exe{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe{06622EAC-1E52-406b-B4E5-208306A316A9}.exe{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe

description	ioc	process
File created	C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe
File created	C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe
File created	C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe
File created	C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe	{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe
File created	C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe	{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe
File created	C:\Windows\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe	{7B9438F7-0228-47c5-80ED-CB1080927667}.exe
File created	C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe	{17D57832-8389-4759-8B99-C609C534F0D2}.exe
File created	C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe
File created	C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe
File created	C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe
File created	C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe{17D57832-8389-4759-8B99-C609C534F0D2}.exe{3BF808C1-877E-44fe-8EE4-163492890F64}.exe{06622EAC-1E52-406b-B4E5-208306A316A9}.exe{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe{72F854BA-FF15-4632-9317-A804AA7D7866}.exe{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe{7B9438F7-0228-47c5-80ED-CB1080927667}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2976	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2972	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe
Token: SeIncBasePriorityPrivilege	2308	{17D57832-8389-4759-8B99-C609C534F0D2}.exe
Token: SeIncBasePriorityPrivilege	2948	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe
Token: SeIncBasePriorityPrivilege	2848	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe
Token: SeIncBasePriorityPrivilege	3032	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe
Token: SeIncBasePriorityPrivilege	1088	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe
Token: SeIncBasePriorityPrivilege	1064	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe
Token: SeIncBasePriorityPrivilege	304	{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe
Token: SeIncBasePriorityPrivilege	288	{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe
Token: SeIncBasePriorityPrivilege	2568	{7B9438F7-0228-47c5-80ED-CB1080927667}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2976 wrote to memory of 2972	2976	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe
PID 2976 wrote to memory of 2972	2976	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe
PID 2976 wrote to memory of 2972	2976	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe
PID 2976 wrote to memory of 2972	2976	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe
PID 2976 wrote to memory of 1892	2976	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe	cmd.exe
PID 2976 wrote to memory of 1892	2976	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe	cmd.exe
PID 2976 wrote to memory of 1892	2976	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe	cmd.exe
PID 2976 wrote to memory of 1892	2976	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe	cmd.exe
PID 2972 wrote to memory of 2308	2972	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe	{17D57832-8389-4759-8B99-C609C534F0D2}.exe
PID 2972 wrote to memory of 2308	2972	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe	{17D57832-8389-4759-8B99-C609C534F0D2}.exe
PID 2972 wrote to memory of 2308	2972	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe	{17D57832-8389-4759-8B99-C609C534F0D2}.exe
PID 2972 wrote to memory of 2308	2972	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe	{17D57832-8389-4759-8B99-C609C534F0D2}.exe
PID 2972 wrote to memory of 2192	2972	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe	cmd.exe
PID 2972 wrote to memory of 2192	2972	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe	cmd.exe
PID 2972 wrote to memory of 2192	2972	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe	cmd.exe
PID 2972 wrote to memory of 2192	2972	{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe	cmd.exe
PID 2308 wrote to memory of 2948	2308	{17D57832-8389-4759-8B99-C609C534F0D2}.exe	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe
PID 2308 wrote to memory of 2948	2308	{17D57832-8389-4759-8B99-C609C534F0D2}.exe	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe
PID 2308 wrote to memory of 2948	2308	{17D57832-8389-4759-8B99-C609C534F0D2}.exe	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe
PID 2308 wrote to memory of 2948	2308	{17D57832-8389-4759-8B99-C609C534F0D2}.exe	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe
PID 2308 wrote to memory of 2828	2308	{17D57832-8389-4759-8B99-C609C534F0D2}.exe	cmd.exe
PID 2308 wrote to memory of 2828	2308	{17D57832-8389-4759-8B99-C609C534F0D2}.exe	cmd.exe
PID 2308 wrote to memory of 2828	2308	{17D57832-8389-4759-8B99-C609C534F0D2}.exe	cmd.exe
PID 2308 wrote to memory of 2828	2308	{17D57832-8389-4759-8B99-C609C534F0D2}.exe	cmd.exe
PID 2948 wrote to memory of 2848	2948	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe
PID 2948 wrote to memory of 2848	2948	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe
PID 2948 wrote to memory of 2848	2948	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe
PID 2948 wrote to memory of 2848	2948	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe
PID 2948 wrote to memory of 2596	2948	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe	cmd.exe
PID 2948 wrote to memory of 2596	2948	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe	cmd.exe
PID 2948 wrote to memory of 2596	2948	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe	cmd.exe
PID 2948 wrote to memory of 2596	2948	{3BF808C1-877E-44fe-8EE4-163492890F64}.exe	cmd.exe
PID 2848 wrote to memory of 3032	2848	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe
PID 2848 wrote to memory of 3032	2848	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe
PID 2848 wrote to memory of 3032	2848	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe
PID 2848 wrote to memory of 3032	2848	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe
PID 2848 wrote to memory of 3036	2848	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe	cmd.exe
PID 2848 wrote to memory of 3036	2848	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe	cmd.exe
PID 2848 wrote to memory of 3036	2848	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe	cmd.exe
PID 2848 wrote to memory of 3036	2848	{06622EAC-1E52-406b-B4E5-208306A316A9}.exe	cmd.exe
PID 3032 wrote to memory of 1088	3032	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe
PID 3032 wrote to memory of 1088	3032	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe
PID 3032 wrote to memory of 1088	3032	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe
PID 3032 wrote to memory of 1088	3032	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe
PID 3032 wrote to memory of 2164	3032	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe	cmd.exe
PID 3032 wrote to memory of 2164	3032	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe	cmd.exe
PID 3032 wrote to memory of 2164	3032	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe	cmd.exe
PID 3032 wrote to memory of 2164	3032	{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe	cmd.exe
PID 1088 wrote to memory of 1064	1088	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe
PID 1088 wrote to memory of 1064	1088	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe
PID 1088 wrote to memory of 1064	1088	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe
PID 1088 wrote to memory of 1064	1088	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe
PID 1088 wrote to memory of 1960	1088	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe	cmd.exe
PID 1088 wrote to memory of 1960	1088	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe	cmd.exe
PID 1088 wrote to memory of 1960	1088	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe	cmd.exe
PID 1088 wrote to memory of 1960	1088	{72F854BA-FF15-4632-9317-A804AA7D7866}.exe	cmd.exe
PID 1064 wrote to memory of 304	1064	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe	{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe
PID 1064 wrote to memory of 304	1064	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe	{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe
PID 1064 wrote to memory of 304	1064	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe	{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe
PID 1064 wrote to memory of 304	1064	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe	{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe
PID 1064 wrote to memory of 1180	1064	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe	cmd.exe
PID 1064 wrote to memory of 1180	1064	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe	cmd.exe
PID 1064 wrote to memory of 1180	1064	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe	cmd.exe
PID 1064 wrote to memory of 1180	1064	{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe
C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe
C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe
C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe
C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe
C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B0111~1.EXE > nul
7⤵
PID:2164

C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe
C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{72F85~1.EXE > nul
8⤵
PID:1960

C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe
C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{397F0~1.EXE > nul
9⤵
PID:1180

C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe
C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{74F4C~1.EXE > nul
10⤵
PID:1592

C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe
C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1AD9D~1.EXE > nul
11⤵
PID:2324

C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe
C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe
C:\Windows\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe
12⤵
- Executes dropped EXE
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7B943~1.EXE > nul
12⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{06622~1.EXE > nul
6⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF80~1.EXE > nul
5⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{17D57~1.EXE > nul
4⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B2E54~1.EXE > nul
3⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe

Filesize
180KB

MD5
d194c922e63c9823f2aec3f23e1fd91b

SHA1
8024adb3219593497734a398f8e4876740a4c973

SHA256
4a9a8116e0f33f5190f0a31842691656856571de27d370fe1b5903a0a8b68124

SHA512
d85f32ea3783b61c4fdcbd252ed6159a4e3629e6832b8c28e431ad4ba2d58cadba6b8af664f8b29471949027059d3ab3886020059e33dc432c85f4b0fff6e92a

Download Submit
C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe

Filesize
180KB

MD5
13e5638cb853afdf634c507892bcd9be

SHA1
c9744ac7b973f14149586bf3668ac36c36a4d92f

SHA256
58a961686c46b416a22ef01152c054580723e70bee485b095676bf262c530979

SHA512
91139837225f675bede0135b63c185f817d1f39244507a3913573a87a21c944c813835cac57ba935065cba457de0a16f4288d3a3465e5dcd15ef071b7c8872b2

Download Submit
C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe

Filesize
180KB

MD5
ec10885b689c92a090835cf00e5436c2

SHA1
86dfdda0a842403f2bd1190c86b7a6f939e34a31

SHA256
e4083bcebd04998f1c37d7a51c46313c4c54fb0104d7b1904f7b497241dbb1c5

SHA512
59f4a192bbe9702355200bafe5e27d1d7da72f83d1ace7692f034973aef7d3eaba6e3ab402868783c876e95ed0970da2a40255caf044e46be458c674f1318409

Download Submit
C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe

Filesize
180KB

MD5
3a0f27e631a0c863d4d91cdb38ad53fd

SHA1
af24d9a400eef6c27ec7e4ccf7dc59d19702db75

SHA256
8500fb7a3e3ead72a47e3e4096d2852cd0ab749f438c80d68a9c794bda02533a

SHA512
0d063a9c879da02e8a0225b868d4978fff8a929cab44e91e04321fb1ae5d45f21677898ee02af997e78a25c80ac418348e323104eda045c222956edfd2f3958e

Download Submit
C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe

Filesize
180KB

MD5
5d3683ea4b9dc89da03598960b730747

SHA1
4deb700b70309b04d992159d3be5e4589f69a1dd

SHA256
266454793ae27281d2c381985b653ddb3f7a4fdd9c7bf8e4a60f039948178653

SHA512
7dcbf9cd5f7c24228b10a5bbf680bb26dd012e14863369409e8951abd84d3a54553771ac1d9de84a32ea22d155381876a6d500831865414f15f983469174fe42

Download Submit
C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe

Filesize
180KB

MD5
b9f74aaf1c760a0381dee1072dfac1f7

SHA1
c99f3f4ec55b44ae54fc9ecbcdd33352d14ab1d5

SHA256
ab86044dc4279ec48e3ebcecf6966ffdcc22bfde932511a10086bd385fe5d1ce

SHA512
8b17889ac385e5d5fb8f8d334a04f33f0f2b2e038fa943da77f9cb4cb782ee4798cdb50bb59fb31c8877d0ba92b54e1e9d5737f9791f7e66a31f87a615f21029

Download Submit
C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe

Filesize
180KB

MD5
59d36d4390294d11c15e8abfc516ba8d

SHA1
5b8bc0ace86a9d595c33ff0d501ccd8b6d2ef324

SHA256
23ec2f455766d08cac0aabaf4fcd79c9d6b804b779c4f44ba42fed9ce628ce42

SHA512
05527cdf3a32124e93dc8304f2963bb4ce20a0f947d9002fd002e14de6d8aa766d7cd06f3c75601148a94c88952e1eb93a4dd41c5df4d01e36d6bcd81f228dd9

Download Submit
C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe

Filesize
180KB

MD5
f83e728e819e98134dcd36b1ac108dff

SHA1
67e6ea54e3e9dbbc6e2cf1eaf66f953750b415dd

SHA256
b863792b3a93592970e09c897e428214e9878261d399673531aeb3c90be20922

SHA512
c6080e9819b6da1fd5f9eb61436632a21da15d805bacb462cba1dd1d106c0107e7af738c8354a8ab7ccbc1b4c0be461fe6b0688e4a09e5dce94dc76aedffd950

Download Submit
C:\Windows\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe

Filesize
180KB

MD5
15f5416fba8a0145e9dfe5af4a4e9795

SHA1
4b44de9f8863c869e7db8541fb8b82ec1cee632a

SHA256
4d712c38c94576fa0dcdf723bbfba4a99f9a460a3edc3209cfa96e70d4bf1b20

SHA512
38a0c3c8e428d9803e52490b87b391df4eac5cf441b76942278b53dedf35601297bb664e80c2a6f933a197417438be8e55bc026169261354850f26f6b8b14d7a

Download Submit
C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe

Filesize
180KB

MD5
77ebeaf1c77cd232f5d58e301c9c9a0c

SHA1
7221fa6e5aa9ea1c8a828fcbf4cb19ff5cc0d025

SHA256
f1581e4e0e67803159d8cbfae61985440f61a6b5142f3bd7dd8aabdf083cff15

SHA512
cfa8ea3a5822440a9ea372f9511ac11487350e5ebeac8a86e2c9820f5442d5fd3d07eb52e6c2835efcfbef809f87d4480b8874e68d1d2e5f0b6e0ae2e47a68e3

Download Submit
C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe

Filesize
180KB

MD5
f8636bd5f0ea0f40855002d55bc9d191

SHA1
f18ff5b31deb7a78ccfa4cdd3e37bf372507c725

SHA256
9b604c022fe5dbc51e32ad297d3c5d9c8766afb62ddc246bc0d73bf7f3d47835

SHA512
ca0277e35810334dc8e603aa3af0d9b358d7df50a692174ea1fc07b0fb012dea2c3ec6706a6efa2302199435f48b9946085151779349c661a8c2df803b174225

Download Submit