f95bea8a787e5c35bc388b3ba31f06870b375a79c5ffc77637f71ff711a1eaa7

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe
Size

408KB
MD5

b25995657451cc71f73ab21b1aaba40e
SHA1

82b2fe6e0f66f45bdd2ab9d34b4b7ea69344029c
SHA256

f95bea8a787e5c35bc388b3ba31f06870b375a79c5ffc77637f71ff711a1eaa7
SHA512

753338a85af6a16cf34bb1382a66331fbdfb42d70b468b2cf72cf44805e532250ed8ecc7f65a1399b2920083d96c05213446c3923688c49eb5ead133d2a832c5
SSDEEP

3072:CEGh0onl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGlldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000012248-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122c3-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a00000001552e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122c3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00140000000155df-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015610-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015be4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{761F89AD-F076-440a-B48D-9FFD83B8661B}\stubpath = "C:\\Windows\\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe"	{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{329E35C2-01CD-4c34-BCF6-367B25508E01}	{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{329E35C2-01CD-4c34-BCF6-367B25508E01}\stubpath = "C:\\Windows\\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe"	{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}\stubpath = "C:\\Windows\\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe"	{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}	{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}	{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FA2D8A0-7757-4493-9304-2D1A87818A32}	{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}\stubpath = "C:\\Windows\\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe"	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9C0E269-6C8E-41e3-864A-8171638F24AE}\stubpath = "C:\\Windows\\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe"	{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}	{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}\stubpath = "C:\\Windows\\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe"	{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{761F89AD-F076-440a-B48D-9FFD83B8661B}	{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B19197-4ECE-4690-A06C-5A500C71B39B}	{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{119F057D-7EC6-429b-AA20-C793EBD77DA3}	{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}\stubpath = "C:\\Windows\\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe"	{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}	{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{119F057D-7EC6-429b-AA20-C793EBD77DA3}\stubpath = "C:\\Windows\\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe"	{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FA2D8A0-7757-4493-9304-2D1A87818A32}\stubpath = "C:\\Windows\\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe"	{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B19197-4ECE-4690-A06C-5A500C71B39B}\stubpath = "C:\\Windows\\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe"	{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}\stubpath = "C:\\Windows\\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe"	{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9C0E269-6C8E-41e3-864A-8171638F24AE}	{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2812	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe

pid	Process
2712	{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe
2072	{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe
3056	{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe
336	{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe
2828	{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe
940	{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe
2236	{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe
2608	{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe
2456	{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe
804	{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe
1400	{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe

Drops file in Windows directory 11 IoCs

Processes:

{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe

description	ioc	Process
File created	C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe	{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe
File created	C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe	{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe
File created	C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe	{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe
File created	C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe	{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe
File created	C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe	{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe
File created	C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe	{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe
File created	C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe	{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe
File created	C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe	{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe
File created	C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe	{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe
File created	C:\Windows\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe	{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe
File created	C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	1932	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2712	{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe
Token: SeIncBasePriorityPrivilege	2072	{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe
Token: SeIncBasePriorityPrivilege	3056	{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe
Token: SeIncBasePriorityPrivilege	336	{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe
Token: SeIncBasePriorityPrivilege	2828	{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe
Token: SeIncBasePriorityPrivilege	940	{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe
Token: SeIncBasePriorityPrivilege	2236	{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe
Token: SeIncBasePriorityPrivilege	2608	{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe
Token: SeIncBasePriorityPrivilege	2456	{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe
Token: SeIncBasePriorityPrivilege	804	{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 1932 wrote to memory of 2712	1932	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe	28
PID 1932 wrote to memory of 2712	1932	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe	28
PID 1932 wrote to memory of 2712	1932	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe	28
PID 1932 wrote to memory of 2712	1932	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe	28
PID 1932 wrote to memory of 2812	1932	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe	29
PID 1932 wrote to memory of 2812	1932	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe	29
PID 1932 wrote to memory of 2812	1932	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe	29
PID 1932 wrote to memory of 2812	1932	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe	29
PID 2712 wrote to memory of 2072	2712	{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe	30
PID 2712 wrote to memory of 2072	2712	{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe	30
PID 2712 wrote to memory of 2072	2712	{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe	30
PID 2712 wrote to memory of 2072	2712	{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe	30
PID 2712 wrote to memory of 2732	2712	{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe	31
PID 2712 wrote to memory of 2732	2712	{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe	31
PID 2712 wrote to memory of 2732	2712	{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe	31
PID 2712 wrote to memory of 2732	2712	{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe	31
PID 2072 wrote to memory of 3056	2072	{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe	34
PID 2072 wrote to memory of 3056	2072	{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe	34
PID 2072 wrote to memory of 3056	2072	{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe	34
PID 2072 wrote to memory of 3056	2072	{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe	34
PID 2072 wrote to memory of 2008	2072	{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe	35
PID 2072 wrote to memory of 2008	2072	{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe	35
PID 2072 wrote to memory of 2008	2072	{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe	35
PID 2072 wrote to memory of 2008	2072	{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe	35
PID 3056 wrote to memory of 336	3056	{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe	36
PID 3056 wrote to memory of 336	3056	{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe	36
PID 3056 wrote to memory of 336	3056	{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe	36
PID 3056 wrote to memory of 336	3056	{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe	36
PID 3056 wrote to memory of 1000	3056	{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe	37
PID 3056 wrote to memory of 1000	3056	{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe	37
PID 3056 wrote to memory of 1000	3056	{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe	37
PID 3056 wrote to memory of 1000	3056	{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe	37
PID 336 wrote to memory of 2828	336	{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe	38
PID 336 wrote to memory of 2828	336	{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe	38
PID 336 wrote to memory of 2828	336	{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe	38
PID 336 wrote to memory of 2828	336	{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe	38
PID 336 wrote to memory of 2904	336	{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe	39
PID 336 wrote to memory of 2904	336	{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe	39
PID 336 wrote to memory of 2904	336	{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe	39
PID 336 wrote to memory of 2904	336	{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe	39
PID 2828 wrote to memory of 940	2828	{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe	40
PID 2828 wrote to memory of 940	2828	{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe	40
PID 2828 wrote to memory of 940	2828	{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe	40
PID 2828 wrote to memory of 940	2828	{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe	40
PID 2828 wrote to memory of 932	2828	{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe	41
PID 2828 wrote to memory of 932	2828	{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe	41
PID 2828 wrote to memory of 932	2828	{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe	41
PID 2828 wrote to memory of 932	2828	{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe	41
PID 940 wrote to memory of 2236	940	{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe	42
PID 940 wrote to memory of 2236	940	{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe	42
PID 940 wrote to memory of 2236	940	{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe	42
PID 940 wrote to memory of 2236	940	{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe	42
PID 940 wrote to memory of 1976	940	{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe	43
PID 940 wrote to memory of 1976	940	{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe	43
PID 940 wrote to memory of 1976	940	{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe	43
PID 940 wrote to memory of 1976	940	{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe	43
PID 2236 wrote to memory of 2608	2236	{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe	44
PID 2236 wrote to memory of 2608	2236	{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe	44
PID 2236 wrote to memory of 2608	2236	{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe	44
PID 2236 wrote to memory of 2608	2236	{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe	44
PID 2236 wrote to memory of 1672	2236	{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe	45
PID 2236 wrote to memory of 1672	2236	{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe	45
PID 2236 wrote to memory of 1672	2236	{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe	45
PID 2236 wrote to memory of 1672	2236	{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe
  C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe
    C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe
      C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe
        
        C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:336
      - C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe
        
        C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe
        
        C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe
        
        C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe
        
        C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe
        
        C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe
        
        C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Windows\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe
        
        C:\Windows\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe
        12⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2B19~1.EXE > nul
        12⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{329E3~1.EXE > nul
        11⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{761F8~1.EXE > nul
        10⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CD6F~1.EXE > nul
        9⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FA2D~1.EXE > nul
        8⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BB5F~1.EXE > nul
        7⤵
        
        PID:932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9C0E~1.EXE > nul
        6⤵
        
        PID:2904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74FD7~1.EXE > nul
        5⤵
        
        PID:1000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0B6D5~1.EXE > nul
      4⤵
      PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C2203~1.EXE > nul
    3⤵
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe

Filesize
408KB

MD5
5121560d9c7b27bd1f6bd1343285b3c7

SHA1
2eca5b200b0d294b8ef7ad51fc63d755dabb9dde

SHA256
310cd477aad24dbccc318d82474d90fc527ebaccad535fa3569c66c59297c769

SHA512
3bed528af8b976bf322692d97e1d2012d22ca3c5da8444d90ed12c8246fa9f94ca13e64bccacfd573bd734b766c6948f4d3d56d92f596de39bd24c7acf805d18

Download Submit
C:\Windows\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe

Filesize
408KB

MD5
09478b1b0b60a04ccc19eb96f2c7639d

SHA1
d6ef3078c522e0b78850f3988e2ae3d29b1fe40e

SHA256
9738555394d63d8d0eb3b3dc895ce394ab496914aa47af71c84c917aca67a4fd

SHA512
3178691e75822ce93c3a0c09d7665d9cf00c08b85f05fa5f1373dc231bbf2df90bed6d5d24620984847b2b39b61023fb326b17b4dd50bdd7f4c23438d9b73db6

Download Submit
C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe

Filesize
408KB

MD5
789a2daed7f46f8245848477d39387b8

SHA1
b0df7fd30f965459dfddde25810c6764ead3ca0c

SHA256
a60a9a1ab03f054a85d56e41b96bf8036103b37f400c2bda0d5e4425eed027de

SHA512
c641ff6a3fa10409f4b462152ea9393c31d44e66f4666bda4d17f713b5298b1f0d9ac1218026e8036958415ac5f2d1935023caa554dac993153ee9ce0cc3221e

Download Submit
C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe

Filesize
408KB

MD5
525cc651d1bb22f20ff19838ed6cb213

SHA1
87356727da1de0f862ee507ecc8d06cb671263bd

SHA256
21e72d61c2730f3c8bb128898a2afcd193b101f3adf287a70b846d2e3f4ab079

SHA512
bf05c04511e2a7d47880a7238e8d483090abc2fc6776c397c1d110e3cd19951e7b9c311a0f1e203e39a41acc32c72956aa1471cb4d1f0c7dd5ffa458113135ea

Download Submit
C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe

Filesize
408KB

MD5
19e8f65c7bd46c08d1f9195bf135b7c5

SHA1
1d73cf8d23d00d7d5d44c699930986ab8616c4ef

SHA256
2aa839190bd3c9a618a6e3f04cf2e416ba5b930f5cdac28bc4491c1cce3cfc27

SHA512
362b2275f6c0a9d099990ba07e95ad1c1b914d0042c1584174481d1570c82557a42d70ae5346fcb2804ee8384ce20e4b3b33c60a7cb9a593427ac1eaf55c5a92

Download Submit
C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe

Filesize
408KB

MD5
3d1a8cc9a22323c8b5bd4856afeb97ef

SHA1
a137948c84026f774ddfd5bf407160cfe0266dce

SHA256
49ff13c5015fd582c7d76b0eeaa80fda4a8b962df402306c34385ce71ff81760

SHA512
fbd963026e20d8ea4292ebdbd0d8991ebe6d325f6eb0a1947e4feae14b5921d40d9f27695cf5292078c016cb498637a741d8a0ca26be82cc7b9072263e0c44ae

Download Submit
C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe

Filesize
408KB

MD5
f0d3d67f6e118a2c48da4dd583b830b7

SHA1
0d82d2e86aef0c7c80afe775c30905cbbef6f788

SHA256
28198ae310fb3dca0f7bae2301d061ca94d123f5ea6dd75cdbd753e7c2fa306f

SHA512
84dd07e7b388db1cc54ae6e77e9abe52e2757bf1aca53ad4897e9a02d829fb06b77bac3db39bc954c1bdef8fd13da7e3247cfb0b6c04747558d05229b27d1c63

Download Submit
C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe

Filesize
408KB

MD5
d040805ee8e2997a065268c8465ef8fb

SHA1
b801c312e1398dca896dca2ce007518b39841051

SHA256
26d3216cf07554d352cc3f9888722eba56063fea2571289412460cf4885ea2ed

SHA512
6875479b37f785e606d5f8e13582024f31cef44afca5270772ce754289694bfc3080c8288ed2accdf019762667141f0ea5cc7de49e637ba79ec674421e18eb84

Download Submit
C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe

Filesize
408KB

MD5
47ffb9d1a74fc3f6d8eee8a33a267085

SHA1
a593c59cc0a288ce55b079b341f34d0c82bbeba0

SHA256
890a73326fc6b57cf06df206cbdf87a41f8e37e07e34476ac9ff0ef7a02fb67c

SHA512
5ef78ea012f8c634b6b00f8c6b42ae13a9218e63e4df56ccb9defe94d16b8aa516f70e75a33bca58c2a3bff6d9d55ca564b48d8165176ea8e56d69c7757c6987

Download Submit
C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe

Filesize
408KB

MD5
7384dadd21bc33db21c3f2d1acfd1510

SHA1
5fb8804f387e7b310db17bb555ca97a3d3b630eb

SHA256
3d1bfc113c620c2e314388f8c753e01db5d169ef328dcf68e3cfccca1180e1f2

SHA512
8ba57ec77dc7359b0d1348a601a89047229e01bca48f2fbe9389d393790da80614d102da93775f1ad248ddd66fb61b341292862ee741d4fd3fa85e77896ae01b

Download Submit
C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe

Filesize
408KB

MD5
7b16cb8525808061c27d5af2a80f4a9d

SHA1
05a4823c9c8b7308c515ad6421138c52da1b3541

SHA256
57faa34f1f88192a32754325ac24412397179140673a996ddbd782ea57936383

SHA512
eb4b71c2b9ddb38387fec77b8feada41d5bef7fc6cb299b75f34642cfd9c6a403b58791c03509424c54d44c3446d810fed7985eea763b552bdd42fb19ae88350

Download Submit