01def3ddd9531a31c4a54f8eff1922693d558526dfc2aa8566a9f1a1f00a3b08

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe
Size

408KB
MD5

aaa58d116e01e3fd4ab9c1f65efa3583
SHA1

88982993e1252c7c7680df51ef5c95d7bd3e4a6b
SHA256

01def3ddd9531a31c4a54f8eff1922693d558526dfc2aa8566a9f1a1f00a3b08
SHA512

0140d5acc9c3971e9bd82c8a70127d5c6cc8f9330e1e341a09d06e9f0e380db3a703dbc9cbdcd56bd0a97707f23be4e2984386829fbfea06ac1d0e4ee64cbf89
SSDEEP

3072:CEGh0oEl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGyldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000a000000012233-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0026000000016231-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012233-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0016000000016426-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0017000000016426-53.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016a9d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f8-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe{12B179ED-F87C-4c82-8228-F4A81411842F}.exe{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe{7534BE0A-4302-42b2-B0D7-8C245703AFA8}.exe2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe{7649161B-9630-459c-937A-A0BDE299C252}.exe{8C716D5A-AEBE-459b-B218-A4B4A7758383}.exe{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8B4351F-5219-489b-975D-AD6F652E0E26}	{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8B4351F-5219-489b-975D-AD6F652E0E26}\stubpath = "C:\\Windows\\{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe"	{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12B179ED-F87C-4c82-8228-F4A81411842F}	{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61C57087-0923-468c-9B35-5CE692A4E7A9}	{12B179ED-F87C-4c82-8228-F4A81411842F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}	{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49A5A0C8-616A-4fc6-83D9-61C61AEEBAF6}\stubpath = "C:\\Windows\\{49A5A0C8-616A-4fc6-83D9-61C61AEEBAF6}.exe"	{7534BE0A-4302-42b2-B0D7-8C245703AFA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B351235-79FE-4be0-88B4-3EF116ED72E3}	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61C57087-0923-468c-9B35-5CE692A4E7A9}\stubpath = "C:\\Windows\\{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe"	{12B179ED-F87C-4c82-8228-F4A81411842F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}\stubpath = "C:\\Windows\\{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe"	{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C716D5A-AEBE-459b-B218-A4B4A7758383}\stubpath = "C:\\Windows\\{8C716D5A-AEBE-459b-B218-A4B4A7758383}.exe"	{7649161B-9630-459c-937A-A0BDE299C252}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}\stubpath = "C:\\Windows\\{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}.exe"	{8C716D5A-AEBE-459b-B218-A4B4A7758383}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C716D5A-AEBE-459b-B218-A4B4A7758383}	{7649161B-9630-459c-937A-A0BDE299C252}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B351235-79FE-4be0-88B4-3EF116ED72E3}\stubpath = "C:\\Windows\\{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe"	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12B179ED-F87C-4c82-8228-F4A81411842F}\stubpath = "C:\\Windows\\{12B179ED-F87C-4c82-8228-F4A81411842F}.exe"	{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE70133F-9190-40ea-B8ED-29E558F880F9}	{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE70133F-9190-40ea-B8ED-29E558F880F9}\stubpath = "C:\\Windows\\{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe"	{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7649161B-9630-459c-937A-A0BDE299C252}\stubpath = "C:\\Windows\\{7649161B-9630-459c-937A-A0BDE299C252}.exe"	{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7649161B-9630-459c-937A-A0BDE299C252}	{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}	{8C716D5A-AEBE-459b-B218-A4B4A7758383}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7534BE0A-4302-42b2-B0D7-8C245703AFA8}	{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7534BE0A-4302-42b2-B0D7-8C245703AFA8}\stubpath = "C:\\Windows\\{7534BE0A-4302-42b2-B0D7-8C245703AFA8}.exe"	{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49A5A0C8-616A-4fc6-83D9-61C61AEEBAF6}	{7534BE0A-4302-42b2-B0D7-8C245703AFA8}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2664	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe{12B179ED-F87C-4c82-8228-F4A81411842F}.exe{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe{7649161B-9630-459c-937A-A0BDE299C252}.exe{8C716D5A-AEBE-459b-B218-A4B4A7758383}.exe{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}.exe{7534BE0A-4302-42b2-B0D7-8C245703AFA8}.exe{49A5A0C8-616A-4fc6-83D9-61C61AEEBAF6}.exe

pid	Process
2756	{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe
2804	{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe
2576	{12B179ED-F87C-4c82-8228-F4A81411842F}.exe
2392	{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe
572	{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe
2912	{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe
1992	{7649161B-9630-459c-937A-A0BDE299C252}.exe
1104	{8C716D5A-AEBE-459b-B218-A4B4A7758383}.exe
2528	{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}.exe
2064	{7534BE0A-4302-42b2-B0D7-8C245703AFA8}.exe
2436	{49A5A0C8-616A-4fc6-83D9-61C61AEEBAF6}.exe

Drops file in Windows directory 11 IoCs

Processes:

{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}.exe{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe{8C716D5A-AEBE-459b-B218-A4B4A7758383}.exe{7534BE0A-4302-42b2-B0D7-8C245703AFA8}.exe2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe{12B179ED-F87C-4c82-8228-F4A81411842F}.exe{7649161B-9630-459c-937A-A0BDE299C252}.exe

description	ioc	Process
File created	C:\Windows\{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe	{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe
File created	C:\Windows\{7649161B-9630-459c-937A-A0BDE299C252}.exe	{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe
File created	C:\Windows\{7534BE0A-4302-42b2-B0D7-8C245703AFA8}.exe	{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}.exe
File created	C:\Windows\{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe	{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe
File created	C:\Windows\{12B179ED-F87C-4c82-8228-F4A81411842F}.exe	{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe
File created	C:\Windows\{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe	{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe
File created	C:\Windows\{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}.exe	{8C716D5A-AEBE-459b-B218-A4B4A7758383}.exe
File created	C:\Windows\{49A5A0C8-616A-4fc6-83D9-61C61AEEBAF6}.exe	{7534BE0A-4302-42b2-B0D7-8C245703AFA8}.exe
File created	C:\Windows\{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe
File created	C:\Windows\{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe	{12B179ED-F87C-4c82-8228-F4A81411842F}.exe
File created	C:\Windows\{8C716D5A-AEBE-459b-B218-A4B4A7758383}.exe	{7649161B-9630-459c-937A-A0BDE299C252}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe{12B179ED-F87C-4c82-8228-F4A81411842F}.exe{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe{7649161B-9630-459c-937A-A0BDE299C252}.exe{8C716D5A-AEBE-459b-B218-A4B4A7758383}.exe{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}.exe{7534BE0A-4302-42b2-B0D7-8C245703AFA8}.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	3032	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2756	{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe
Token: SeIncBasePriorityPrivilege	2804	{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe
Token: SeIncBasePriorityPrivilege	2576	{12B179ED-F87C-4c82-8228-F4A81411842F}.exe
Token: SeIncBasePriorityPrivilege	2392	{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe
Token: SeIncBasePriorityPrivilege	572	{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe
Token: SeIncBasePriorityPrivilege	2912	{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe
Token: SeIncBasePriorityPrivilege	1992	{7649161B-9630-459c-937A-A0BDE299C252}.exe
Token: SeIncBasePriorityPrivilege	1104	{8C716D5A-AEBE-459b-B218-A4B4A7758383}.exe
Token: SeIncBasePriorityPrivilege	2528	{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}.exe
Token: SeIncBasePriorityPrivilege	2064	{7534BE0A-4302-42b2-B0D7-8C245703AFA8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 3032 wrote to memory of 2756	3032	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe	28
PID 3032 wrote to memory of 2756	3032	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe	28
PID 3032 wrote to memory of 2756	3032	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe	28
PID 3032 wrote to memory of 2756	3032	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe	28
PID 3032 wrote to memory of 2664	3032	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe	29
PID 3032 wrote to memory of 2664	3032	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe	29
PID 3032 wrote to memory of 2664	3032	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe	29
PID 3032 wrote to memory of 2664	3032	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe	29
PID 2756 wrote to memory of 2804	2756	{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe	32
PID 2756 wrote to memory of 2804	2756	{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe	32
PID 2756 wrote to memory of 2804	2756	{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe	32
PID 2756 wrote to memory of 2804	2756	{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe	32
PID 2756 wrote to memory of 2864	2756	{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe	33
PID 2756 wrote to memory of 2864	2756	{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe	33
PID 2756 wrote to memory of 2864	2756	{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe	33
PID 2756 wrote to memory of 2864	2756	{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe	33
PID 2804 wrote to memory of 2576	2804	{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe	34
PID 2804 wrote to memory of 2576	2804	{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe	34
PID 2804 wrote to memory of 2576	2804	{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe	34
PID 2804 wrote to memory of 2576	2804	{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe	34
PID 2804 wrote to memory of 2136	2804	{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe	35
PID 2804 wrote to memory of 2136	2804	{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe	35
PID 2804 wrote to memory of 2136	2804	{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe	35
PID 2804 wrote to memory of 2136	2804	{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe	35
PID 2576 wrote to memory of 2392	2576	{12B179ED-F87C-4c82-8228-F4A81411842F}.exe	36
PID 2576 wrote to memory of 2392	2576	{12B179ED-F87C-4c82-8228-F4A81411842F}.exe	36
PID 2576 wrote to memory of 2392	2576	{12B179ED-F87C-4c82-8228-F4A81411842F}.exe	36
PID 2576 wrote to memory of 2392	2576	{12B179ED-F87C-4c82-8228-F4A81411842F}.exe	36
PID 2576 wrote to memory of 564	2576	{12B179ED-F87C-4c82-8228-F4A81411842F}.exe	37
PID 2576 wrote to memory of 564	2576	{12B179ED-F87C-4c82-8228-F4A81411842F}.exe	37
PID 2576 wrote to memory of 564	2576	{12B179ED-F87C-4c82-8228-F4A81411842F}.exe	37
PID 2576 wrote to memory of 564	2576	{12B179ED-F87C-4c82-8228-F4A81411842F}.exe	37
PID 2392 wrote to memory of 572	2392	{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe	38
PID 2392 wrote to memory of 572	2392	{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe	38
PID 2392 wrote to memory of 572	2392	{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe	38
PID 2392 wrote to memory of 572	2392	{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe	38
PID 2392 wrote to memory of 1176	2392	{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe	39
PID 2392 wrote to memory of 1176	2392	{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe	39
PID 2392 wrote to memory of 1176	2392	{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe	39
PID 2392 wrote to memory of 1176	2392	{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe	39
PID 572 wrote to memory of 2912	572	{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe	40
PID 572 wrote to memory of 2912	572	{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe	40
PID 572 wrote to memory of 2912	572	{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe	40
PID 572 wrote to memory of 2912	572	{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe	40
PID 572 wrote to memory of 2948	572	{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe	41
PID 572 wrote to memory of 2948	572	{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe	41
PID 572 wrote to memory of 2948	572	{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe	41
PID 572 wrote to memory of 2948	572	{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe	41
PID 2912 wrote to memory of 1992	2912	{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe	42
PID 2912 wrote to memory of 1992	2912	{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe	42
PID 2912 wrote to memory of 1992	2912	{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe	42
PID 2912 wrote to memory of 1992	2912	{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe	42
PID 2912 wrote to memory of 2212	2912	{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe	43
PID 2912 wrote to memory of 2212	2912	{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe	43
PID 2912 wrote to memory of 2212	2912	{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe	43
PID 2912 wrote to memory of 2212	2912	{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe	43
PID 1992 wrote to memory of 1104	1992	{7649161B-9630-459c-937A-A0BDE299C252}.exe	44
PID 1992 wrote to memory of 1104	1992	{7649161B-9630-459c-937A-A0BDE299C252}.exe	44
PID 1992 wrote to memory of 1104	1992	{7649161B-9630-459c-937A-A0BDE299C252}.exe	44
PID 1992 wrote to memory of 1104	1992	{7649161B-9630-459c-937A-A0BDE299C252}.exe	44
PID 1992 wrote to memory of 1940	1992	{7649161B-9630-459c-937A-A0BDE299C252}.exe	45
PID 1992 wrote to memory of 1940	1992	{7649161B-9630-459c-937A-A0BDE299C252}.exe	45
PID 1992 wrote to memory of 1940	1992	{7649161B-9630-459c-937A-A0BDE299C252}.exe	45
PID 1992 wrote to memory of 1940	1992	{7649161B-9630-459c-937A-A0BDE299C252}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe
  C:\Windows\{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe
    C:\Windows\{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\{12B179ED-F87C-4c82-8228-F4A81411842F}.exe
      C:\Windows\{12B179ED-F87C-4c82-8228-F4A81411842F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe
        
        C:\Windows\{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe
        
        C:\Windows\{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe
        
        C:\Windows\{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\{7649161B-9630-459c-937A-A0BDE299C252}.exe
        
        C:\Windows\{7649161B-9630-459c-937A-A0BDE299C252}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\{8C716D5A-AEBE-459b-B218-A4B4A7758383}.exe
        
        C:\Windows\{8C716D5A-AEBE-459b-B218-A4B4A7758383}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}.exe
        
        C:\Windows\{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\{7534BE0A-4302-42b2-B0D7-8C245703AFA8}.exe
        
        C:\Windows\{7534BE0A-4302-42b2-B0D7-8C245703AFA8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\{49A5A0C8-616A-4fc6-83D9-61C61AEEBAF6}.exe
        
        C:\Windows\{49A5A0C8-616A-4fc6-83D9-61C61AEEBAF6}.exe
        12⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7534B~1.EXE > nul
        12⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A50E~1.EXE > nul
        11⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C716~1.EXE > nul
        10⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76491~1.EXE > nul
        9⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE701~1.EXE > nul
        8⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFC0F~1.EXE > nul
        7⤵
        
        PID:2948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61C57~1.EXE > nul
        6⤵
        
        PID:1176
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12B17~1.EXE > nul
        5⤵
        
        PID:564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E8B43~1.EXE > nul
      4⤵
      PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2B351~1.EXE > nul
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12B179ED-F87C-4c82-8228-F4A81411842F}.exe

Filesize
408KB

MD5
168357c2c8b15138bbbdd3f2fbd8cab5

SHA1
7dbfc61b8692bc5f87b5a6babd1555d664a1bfe7

SHA256
0eac5559ae2701f6c8bc8879668eca4f95c14a44fabb2177f96db3aec29443c7

SHA512
2d182d08ced222f52f966330229cbf1d2af151ed9aabd195fb82753a4d86d8029663321073a8603b07749fc04ff53d069afa5eec05b1288c2184badce359e5ad

Download Submit
C:\Windows\{2B351235-79FE-4be0-88B4-3EF116ED72E3}.exe

Filesize
408KB

MD5
ae8c8b41e6d7c210df585b7608959f38

SHA1
d0304f8d49cfe15227df3355184f9bab4703c36f

SHA256
e30ede2cea3e0191b83218edb1cd0c9e58ca693139800fbacf68ce9c385f5076

SHA512
53e929d6f1d28ba549725550de374724010abc094e9076e84920ed8498953bb4380db7be47639b701105e2084ce9b0dede0fc1f38edaebc18f703d7043de1061

Download Submit
C:\Windows\{49A5A0C8-616A-4fc6-83D9-61C61AEEBAF6}.exe

Filesize
408KB

MD5
d29e0509be906b8ac3b74f80b35660fd

SHA1
31f73fe7e0a3d7ccde69d85ffb60d9a977d6f446

SHA256
728ba4199d7c2b3c0041a5540ce9be8358494ba2da66ce3d385a079abb42a27f

SHA512
92bb62a2afb66517a9d5f7be08ec76e6e52d550bc02ac5f1b93d3deadf60478d4cd35dd78ee6df9e7c4fb721a709f753c406225d502bf004e7e42054e785155a

Download Submit
C:\Windows\{61C57087-0923-468c-9B35-5CE692A4E7A9}.exe

Filesize
408KB

MD5
f5dcfcb1f73255d11db6a0a17a40a056

SHA1
e1f5d2ea9500ed7e88b84e99733e2327de79a996

SHA256
872246898c93df217baffd154af5ae390a370955a6a3f07fd6ac45a83f1662f9

SHA512
e9c82268d51921df1d8ba200689fbc0ffb3095b84ba425725fcd06ecb02680af1c91fd4bf2e1db529039c2eb5c7b4b433fec7a0f12464fa3dcc84f99f73c2063

Download Submit
C:\Windows\{7534BE0A-4302-42b2-B0D7-8C245703AFA8}.exe

Filesize
408KB

MD5
ee7a19d7df54a7c5934144d482ccccc2

SHA1
c92466185f953d6de4522cb6972fe287cb1e6c18

SHA256
8127b7cac1a87c1892f9a87edd1f729d208bd5e06b1c3e079ba8b53fd28d773b

SHA512
a740c5a289d6ceaa1c71a03de5c317a35167984789b38c4bdca42f1d23acb26d3903568aa2bf219cdd81ef255ce8f7ee016ffbdda9f14cdd755f10cb10b06572

Download Submit
C:\Windows\{7649161B-9630-459c-937A-A0BDE299C252}.exe

Filesize
408KB

MD5
77c8894ff10a966d277892e32df95c26

SHA1
f65c8f7912d4115544aa462fb2160c70d9f763e9

SHA256
36f7f599789214f225248bc03ec1025f0a7a0817db623bbaf0c0777104e08dac

SHA512
050264a31245b90d30c29cae28769458656c01108402efd8fada1e075e0b57beffaf4ed7f85f877132a265baae12de290c6faf756b0c2f45fce2bc75dbfd28f2

Download Submit
C:\Windows\{8C716D5A-AEBE-459b-B218-A4B4A7758383}.exe

Filesize
408KB

MD5
f80adb561a16b16ead7d65e9369c8faa

SHA1
7ade840d0a1b605a65c57f5130fd82c5f0f5c4d0

SHA256
daadc533c0a7e13995f6554d37e4fe9a489b5fc0b1c41f8dee179e9be7eddffe

SHA512
a225b4a25ba54713289f89a9bad6bbdc872bec75a029798333bc2bf7cba1a25e3514959c5ccae4bdfb8e9591d353a71d3981164fc66fc188b3410d9ce9535b26

Download Submit
C:\Windows\{9A50E829-CFDC-474a-9E66-6E9C2286EC5F}.exe

Filesize
408KB

MD5
51828611ff9c3dd069330aa2e092b6b1

SHA1
d72c987cf25c33884feaec21e7837bf72fb471b9

SHA256
117cd02007e5364435f9fe3a70c7f4e9babafba8b6677cfab41493fe3786f840

SHA512
620ee136d52dcaad2bb4fcbaf0351effcde6bb03c18e63eaa0b6b13d011ba8dc6c97ba46daac03faf5cd1bbfee6556128f2c2bd3b40d3dd7565282a9b7dc1e46

Download Submit
C:\Windows\{AFC0F07B-9B4E-48c6-B92D-6F6E60F37040}.exe

Filesize
408KB

MD5
b300f24db5baca2ea5aa8106e91f41b0

SHA1
d613902b019b4530bce1f73b45b4328b2a1dcf1e

SHA256
286af5ed0c9da1b2eb63f38d6d7398458e350de0a4783c53ed1ad3ea6adeb4fc

SHA512
3b0f81ee00239557e935577af577935b05bece3df94e36911855c118660719b76f2c1444ea3842ac4ffd5069bd814f5f0734b4e22b00b616febcbe363c117150

Download Submit
C:\Windows\{E8B4351F-5219-489b-975D-AD6F652E0E26}.exe

Filesize
408KB

MD5
d17f32ac09cf04138b1e16c4e452b829

SHA1
8fbd0335acaa5ecc8b076e644835b84b8752f127

SHA256
be7e0370d8fa3154b5c3afbb3b8654165e5491f25c3a771c88182130ef00e6df

SHA512
7b3b8adb8d98f2d02fff1c26c1fe0d57a228f7bf187d74ec47611d05e2992bf5a3b61b26a4efc7a30c4525ee3733ffe4c90fd067ef32efd302e91eb5b24a9ed9

Download Submit
C:\Windows\{FE70133F-9190-40ea-B8ED-29E558F880F9}.exe

Filesize
408KB

MD5
f4f959222b565c1cb45e19eba16d885e

SHA1
77307b952f729b544ad54005fb868df9d580a957

SHA256
e19ce630fd1c6021d19e0c436600d4cba38e52f1f0be07d676135dc1e05a4d44

SHA512
48372d7e793003dc18351040def725bef242145614b85d9fa667a85c323c9146a9559dac16ce2fad0d382f1324e1bbc2f54d58762cccd34371e7f9dab3d5c5c1

Download Submit