2b11a28caaa1f1b6265bd919fab4c81256781b29c99db0751385fa13d1964980

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
Size

408KB
MD5

adb394d19ea37b252289985445ae06dc
SHA1

aed199cd664896a5bba6a98f4d84912cdec917d2
SHA256

2b11a28caaa1f1b6265bd919fab4c81256781b29c99db0751385fa13d1964980
SHA512

0b135e4213718025ec8c77eec02ff0a3dece8e62ded3ea6fd1c7846208f4a46a82de509545d69865aaa01efc7badf45272f5b7bd917e0cd4e5e718e7cac1bfec
SSDEEP

3072:CEGh0oDl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGdldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000c0000000122db-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000142e4-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122db-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000b1f5-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000b1f5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000b1f5-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000b1f5-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed7-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe{36254855-E9F5-4547-8E7B-540F6379839E}.exe{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}.exe{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}.exe{E2EB112F-296D-41b5-9A20-B7F4814170BB}.exe{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe{E39C733E-FA61-4711-A577-A232765B971F}.exe{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58E22BA1-C76D-49e5-89A9-763790ABD691}	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E39C733E-FA61-4711-A577-A232765B971F}	{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}	{36254855-E9F5-4547-8E7B-540F6379839E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78C1A253-1040-4f6e-8869-9581F6F072D6}\stubpath = "C:\\Windows\\{78C1A253-1040-4f6e-8869-9581F6F072D6}.exe"	{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2EB112F-296D-41b5-9A20-B7F4814170BB}\stubpath = "C:\\Windows\\{E2EB112F-296D-41b5-9A20-B7F4814170BB}.exe"	{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}\stubpath = "C:\\Windows\\{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}.exe"	{E2EB112F-296D-41b5-9A20-B7F4814170BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}	{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21C938DD-06A3-4925-86BE-8B802C1D44B9}	{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E39C733E-FA61-4711-A577-A232765B971F}\stubpath = "C:\\Windows\\{E39C733E-FA61-4711-A577-A232765B971F}.exe"	{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{189A57A0-4BBE-44cf-991D-1117B16418E1}\stubpath = "C:\\Windows\\{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe"	{E39C733E-FA61-4711-A577-A232765B971F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36254855-E9F5-4547-8E7B-540F6379839E}\stubpath = "C:\\Windows\\{36254855-E9F5-4547-8E7B-540F6379839E}.exe"	{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2EB112F-296D-41b5-9A20-B7F4814170BB}	{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58E22BA1-C76D-49e5-89A9-763790ABD691}\stubpath = "C:\\Windows\\{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe"	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}\stubpath = "C:\\Windows\\{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe"	{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71036947-2605-4992-BABD-C0FCCB9A0DE0}\stubpath = "C:\\Windows\\{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe"	{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36254855-E9F5-4547-8E7B-540F6379839E}	{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}\stubpath = "C:\\Windows\\{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}.exe"	{36254855-E9F5-4547-8E7B-540F6379839E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78C1A253-1040-4f6e-8869-9581F6F072D6}	{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}	{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}\stubpath = "C:\\Windows\\{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe"	{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71036947-2605-4992-BABD-C0FCCB9A0DE0}	{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21C938DD-06A3-4925-86BE-8B802C1D44B9}\stubpath = "C:\\Windows\\{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe"	{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{189A57A0-4BBE-44cf-991D-1117B16418E1}	{E39C733E-FA61-4711-A577-A232765B971F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}	{E2EB112F-296D-41b5-9A20-B7F4814170BB}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2156	cmd.exe

Executes dropped EXE 12 IoCs

Processes:

{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe{E39C733E-FA61-4711-A577-A232765B971F}.exe{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe{36254855-E9F5-4547-8E7B-540F6379839E}.exe{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}.exe{E2EB112F-296D-41b5-9A20-B7F4814170BB}.exe{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}.exe{78C1A253-1040-4f6e-8869-9581F6F072D6}.exe

pid	Process
2140	{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe
2992	{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe
2580	{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe
1972	{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe
2960	{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe
1064	{E39C733E-FA61-4711-A577-A232765B971F}.exe
328	{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe
1780	{36254855-E9F5-4547-8E7B-540F6379839E}.exe
2124	{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}.exe
1088	{E2EB112F-296D-41b5-9A20-B7F4814170BB}.exe
1104	{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}.exe
1864	{78C1A253-1040-4f6e-8869-9581F6F072D6}.exe

Drops file in Windows directory 12 IoCs

Processes:

{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}.exe{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe{E39C733E-FA61-4711-A577-A232765B971F}.exe{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}.exe2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe{36254855-E9F5-4547-8E7B-540F6379839E}.exe{E2EB112F-296D-41b5-9A20-B7F4814170BB}.exe

description	ioc	Process
File created	C:\Windows\{E2EB112F-296D-41b5-9A20-B7F4814170BB}.exe	{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}.exe
File created	C:\Windows\{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe	{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe
File created	C:\Windows\{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe	{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe
File created	C:\Windows\{E39C733E-FA61-4711-A577-A232765B971F}.exe	{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe
File created	C:\Windows\{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe	{E39C733E-FA61-4711-A577-A232765B971F}.exe
File created	C:\Windows\{36254855-E9F5-4547-8E7B-540F6379839E}.exe	{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe
File created	C:\Windows\{78C1A253-1040-4f6e-8869-9581F6F072D6}.exe	{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}.exe
File created	C:\Windows\{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
File created	C:\Windows\{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe	{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe
File created	C:\Windows\{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe	{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe
File created	C:\Windows\{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}.exe	{36254855-E9F5-4547-8E7B-540F6379839E}.exe
File created	C:\Windows\{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}.exe	{E2EB112F-296D-41b5-9A20-B7F4814170BB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe{E39C733E-FA61-4711-A577-A232765B971F}.exe{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe{36254855-E9F5-4547-8E7B-540F6379839E}.exe{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}.exe{E2EB112F-296D-41b5-9A20-B7F4814170BB}.exe{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	2012	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2140	{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe
Token: SeIncBasePriorityPrivilege	2992	{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe
Token: SeIncBasePriorityPrivilege	2580	{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe
Token: SeIncBasePriorityPrivilege	1972	{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe
Token: SeIncBasePriorityPrivilege	2960	{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe
Token: SeIncBasePriorityPrivilege	1064	{E39C733E-FA61-4711-A577-A232765B971F}.exe
Token: SeIncBasePriorityPrivilege	328	{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe
Token: SeIncBasePriorityPrivilege	1780	{36254855-E9F5-4547-8E7B-540F6379839E}.exe
Token: SeIncBasePriorityPrivilege	2124	{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}.exe
Token: SeIncBasePriorityPrivilege	1088	{E2EB112F-296D-41b5-9A20-B7F4814170BB}.exe
Token: SeIncBasePriorityPrivilege	1104	{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 2012 wrote to memory of 2140	2012	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	28
PID 2012 wrote to memory of 2140	2012	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	28
PID 2012 wrote to memory of 2140	2012	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	28
PID 2012 wrote to memory of 2140	2012	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	28
PID 2012 wrote to memory of 2156	2012	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	29
PID 2012 wrote to memory of 2156	2012	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	29
PID 2012 wrote to memory of 2156	2012	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	29
PID 2012 wrote to memory of 2156	2012	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	29
PID 2140 wrote to memory of 2992	2140	{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe	31
PID 2140 wrote to memory of 2992	2140	{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe	31
PID 2140 wrote to memory of 2992	2140	{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe	31
PID 2140 wrote to memory of 2992	2140	{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe	31
PID 2140 wrote to memory of 2860	2140	{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe	30
PID 2140 wrote to memory of 2860	2140	{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe	30
PID 2140 wrote to memory of 2860	2140	{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe	30
PID 2140 wrote to memory of 2860	2140	{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe	30
PID 2992 wrote to memory of 2580	2992	{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe	34
PID 2992 wrote to memory of 2580	2992	{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe	34
PID 2992 wrote to memory of 2580	2992	{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe	34
PID 2992 wrote to memory of 2580	2992	{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe	34
PID 2992 wrote to memory of 2620	2992	{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe	35
PID 2992 wrote to memory of 2620	2992	{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe	35
PID 2992 wrote to memory of 2620	2992	{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe	35
PID 2992 wrote to memory of 2620	2992	{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe	35
PID 2580 wrote to memory of 1972	2580	{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe	37
PID 2580 wrote to memory of 1972	2580	{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe	37
PID 2580 wrote to memory of 1972	2580	{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe	37
PID 2580 wrote to memory of 1972	2580	{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe	37
PID 2580 wrote to memory of 2776	2580	{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe	36
PID 2580 wrote to memory of 2776	2580	{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe	36
PID 2580 wrote to memory of 2776	2580	{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe	36
PID 2580 wrote to memory of 2776	2580	{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe	36
PID 1972 wrote to memory of 2960	1972	{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe	38
PID 1972 wrote to memory of 2960	1972	{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe	38
PID 1972 wrote to memory of 2960	1972	{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe	38
PID 1972 wrote to memory of 2960	1972	{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe	38
PID 1972 wrote to memory of 2096	1972	{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe	39
PID 1972 wrote to memory of 2096	1972	{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe	39
PID 1972 wrote to memory of 2096	1972	{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe	39
PID 1972 wrote to memory of 2096	1972	{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe	39
PID 2960 wrote to memory of 1064	2960	{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe	41
PID 2960 wrote to memory of 1064	2960	{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe	41
PID 2960 wrote to memory of 1064	2960	{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe	41
PID 2960 wrote to memory of 1064	2960	{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe	41
PID 2960 wrote to memory of 2488	2960	{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe	40
PID 2960 wrote to memory of 2488	2960	{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe	40
PID 2960 wrote to memory of 2488	2960	{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe	40
PID 2960 wrote to memory of 2488	2960	{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe	40
PID 1064 wrote to memory of 328	1064	{E39C733E-FA61-4711-A577-A232765B971F}.exe	43
PID 1064 wrote to memory of 328	1064	{E39C733E-FA61-4711-A577-A232765B971F}.exe	43
PID 1064 wrote to memory of 328	1064	{E39C733E-FA61-4711-A577-A232765B971F}.exe	43
PID 1064 wrote to memory of 328	1064	{E39C733E-FA61-4711-A577-A232765B971F}.exe	43
PID 1064 wrote to memory of 2448	1064	{E39C733E-FA61-4711-A577-A232765B971F}.exe	42
PID 1064 wrote to memory of 2448	1064	{E39C733E-FA61-4711-A577-A232765B971F}.exe	42
PID 1064 wrote to memory of 2448	1064	{E39C733E-FA61-4711-A577-A232765B971F}.exe	42
PID 1064 wrote to memory of 2448	1064	{E39C733E-FA61-4711-A577-A232765B971F}.exe	42
PID 328 wrote to memory of 1780	328	{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe	45
PID 328 wrote to memory of 1780	328	{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe	45
PID 328 wrote to memory of 1780	328	{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe	45
PID 328 wrote to memory of 1780	328	{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe	45
PID 328 wrote to memory of 1656	328	{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe	44
PID 328 wrote to memory of 1656	328	{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe	44
PID 328 wrote to memory of 1656	328	{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe	44
PID 328 wrote to memory of 1656	328	{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe
  C:\Windows\{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{58E22~1.EXE > nul
    3⤵
    PID:2860
- - C:\Windows\{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe
    C:\Windows\{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe
      C:\Windows\{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{262FC~1.EXE > nul
        5⤵
        
        PID:2776
    - - C:\Windows\{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe
        
        C:\Windows\{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe
        
        C:\Windows\{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21C93~1.EXE > nul
        7⤵
        
        PID:2488
        
        C:\Windows\{E39C733E-FA61-4711-A577-A232765B971F}.exe
        
        C:\Windows\{E39C733E-FA61-4711-A577-A232765B971F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E39C7~1.EXE > nul
        8⤵
        
        PID:2448
        
        C:\Windows\{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe
        
        C:\Windows\{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{189A5~1.EXE > nul
        9⤵
        
        PID:1656
        
        C:\Windows\{36254855-E9F5-4547-8E7B-540F6379839E}.exe
        
        C:\Windows\{36254855-E9F5-4547-8E7B-540F6379839E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36254~1.EXE > nul
        10⤵
        
        PID:1244
        
        C:\Windows\{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}.exe
        
        C:\Windows\{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1052D~1.EXE > nul
        11⤵
        
        PID:2264
        
        C:\Windows\{E2EB112F-296D-41b5-9A20-B7F4814170BB}.exe
        
        C:\Windows\{E2EB112F-296D-41b5-9A20-B7F4814170BB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2EB1~1.EXE > nul
        12⤵
        
        PID:1792
        
        C:\Windows\{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}.exe
        
        C:\Windows\{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\{78C1A253-1040-4f6e-8869-9581F6F072D6}.exe
        
        C:\Windows\{78C1A253-1040-4f6e-8869-9581F6F072D6}.exe
        13⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AA6B~1.EXE > nul
        13⤵
        
        PID:1164
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71036~1.EXE > nul
        6⤵
        
        PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EB295~1.EXE > nul
      4⤵
      PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1052DD48-7AF2-42d8-BE4A-979EEE3F6DED}.exe

Filesize
408KB

MD5
129958dd558221146b2e318663ef7b16

SHA1
994f3509374daf9ff24138466cc9edc9f6ddc8dd

SHA256
225a6d8e8e07317a9787a5807a47cc9b3afeaff4d96e54411ba4811cc409cb4c

SHA512
402df2e14887f05a4cbb7d71684d2198df250b7c807056b90c0c67ba39d82d033fa55e78e65bfb1222fa73eb5078cb42a5430aa4bdbb3a5fc140e071cbabb2f3

Download Submit
C:\Windows\{189A57A0-4BBE-44cf-991D-1117B16418E1}.exe

Filesize
408KB

MD5
d6b7c588baa30ee5d3b0d89ff530cae6

SHA1
916769e022216046486f579b48c51038bf6695a2

SHA256
ca1f93de82fea81fa9bad62999ef9f501770b2747b68ed90aee5a8c90e8cbf1f

SHA512
cb79f99eefc9d3689ea33ab98af2487d466a2706aec5d958367cd08f05536306d96c4911a879eefd31e4063bbaae9183da0a2e36dd334e8dd9812c5ad076233c

Download Submit
C:\Windows\{21C938DD-06A3-4925-86BE-8B802C1D44B9}.exe

Filesize
408KB

MD5
34711aa3a2f7df65b27cae618490c0da

SHA1
a34b37a018813db0c5ce1b3b76f069db598cd3ba

SHA256
942a2138dcc0aa60463391fa0ed96d73699827eeb77d30ba21d640531070641c

SHA512
93deba7650b00b321d62ba302807807e9bbef5a6f96d09cf99c816064fa918a260ef7dd2ded3e226d5ada3ed4ca2a99ab51477c072f1697c8bb8453995dfdff6

Download Submit
C:\Windows\{262FCAD0-7CF1-416b-BE27-F1FD3CE69105}.exe

Filesize
408KB

MD5
f8a9e832e10aaa54e26e785d377473c6

SHA1
76b541ea5490bc5f56c6fb4120bc19d740667f03

SHA256
211941b3c9858eea1e0c380d87f760cbe46c9a67af9c5835e285f892a175bb03

SHA512
132e586842dce7f7373558f166e541fbdf64db3fc02f6ad6a13e6bd6e9eca2f79b40b6c04846faf5c636fdca5b1846b887a70d5d19674fb12531f6558233105f

Download Submit
C:\Windows\{36254855-E9F5-4547-8E7B-540F6379839E}.exe

Filesize
408KB

MD5
5218ad39690e148aced15e5c754ed173

SHA1
3c5e835bc2044e08afa93f57aba0da3edfb91946

SHA256
b423823475b2a76c40dfd319629f71974d4885d01a0d4d24aa65dcfc85bdf82f

SHA512
a5fd750e7371004527af06ffe0a97b355ab8eb5737c2161a0813526ab97c1ce2e97b71bec18927eff0d712a6e87400412bcff1092746bd7da506edddef32361c

Download Submit
C:\Windows\{3AA6BBDE-23BD-4ccf-9F78-C0C9DC7AD5CF}.exe

Filesize
408KB

MD5
c7f01412b3296356fcb05a5312259c86

SHA1
0956edcb548ce6b8dd3558762808839d39718c72

SHA256
0c315579fdc34942b724bfe98e3fb87f128f38ab3a01281811408de7dbb2da90

SHA512
06aaad2b5dead03fb2c7a38aed5a85556c315cd5806dfe80b4d074ab54073519b206458a3d83f0c2b41fe6098a57929dceab467d51c04084944e55a8492f391f

Download Submit
C:\Windows\{58E22BA1-C76D-49e5-89A9-763790ABD691}.exe

Filesize
408KB

MD5
b22875926cbb2780156239d6445d7b13

SHA1
69d6389378a92bdc931e1692b672f0e68d195894

SHA256
e76f59f6c9f07b39560a25db48f7c0fef04e8a258bafaf2f5d15d89b8cfa7baa

SHA512
d874286b4748844e2b2312560ef668ecc2facd5cccf6e432af1f974badb5975d526e675a9de3813f13b3d85bcf7c1f205d516ec11e6055994e07e82467873acc

Download Submit
C:\Windows\{71036947-2605-4992-BABD-C0FCCB9A0DE0}.exe

Filesize
408KB

MD5
2bf9a2010c67d81e75d4bd19789b576e

SHA1
d5e017e0896e80e5584647be293b87127519dc67

SHA256
de65ccf601df99fd2b64f7f63a88aaa6e79bf80489b796b9b8037e73cb6c705f

SHA512
c4703aa3faa4051c62aa9406ae0dee51ca780c5d9062945422cb2f5a1a35fb9f3536c30bb22ead21acca79e0747622d6bae705f93ca88f9eee5fc4b601be299c

Download Submit
C:\Windows\{78C1A253-1040-4f6e-8869-9581F6F072D6}.exe

Filesize
408KB

MD5
820f4abf4ac71d9b62cd6b1483fc173e

SHA1
82c6067f36816d5aa9518abc97cbc1f8750c2977

SHA256
011283a1c040e440f60b8ba617118a2953556a6df974d31fce15b36cc2654484

SHA512
a297010a618c69be8c357c7160a9c2e5aac7c1bce2122e2c5d4718a63d83334bc2be88bd4a157d75e802c1c40d3958d92720f52dec2f7c7f998c391761c5f9c7

Download Submit
C:\Windows\{E2EB112F-296D-41b5-9A20-B7F4814170BB}.exe

Filesize
408KB

MD5
137e0557b965aa90759ee47e4f8d36f9

SHA1
1309e194ed27e9517b8911c9353eedc67084db0d

SHA256
2facab60321c30c8393ff78de23667b40fda79b05ff6fde6ae953f35304dd4ab

SHA512
bca852f4b91e2459efaa0ca7e008511657a32ae8039f71a4982e431ba95f83471a00d32ed937bbd28b1b4782ad2f25c2e0f05660941cdccb55e7f07fd1221661

Download Submit
C:\Windows\{E39C733E-FA61-4711-A577-A232765B971F}.exe

Filesize
408KB

MD5
b4a88877b966554532b05da16020c1a9

SHA1
56abd470de56eaba5f9d7d41a027c83604f098cf

SHA256
80a3b1f9e08d96105db7f4fd8f1282dd465f21d12dceef48904c8a238e2bc7b3

SHA512
a33aae31827537e9c6979e2fc0f140b252ffd7b66549c202c2257f060306b1f924f5218dd339075da844397ad3f166527feef7a6a42a1d47a6b23caa5c7e2fc9

Download Submit
C:\Windows\{EB295756-ACE1-4958-96A7-02BFE4A4AE6B}.exe

Filesize
408KB

MD5
10949632d06829b345ff627065772ad5

SHA1
8bdd39461304fa5ac31b579b6b4e0e3b1a53b652

SHA256
224e4f62eea344905ecbee5196156d83b3e9a36e5d77719896d901a036a292e3

SHA512
b4fb2f996bc4712c4a3cfdd5badb178b7005004b875f1015add7ec90a5960a41ad094d68915ec2359d0f1cb28090010e09bf06abaa851d40ef144643ace71f91

Download Submit