973e10c1c7f7f0831b7471571f8b882dbaa2ccf7176295108c22e7f482995deb

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe
Size

180KB
MD5

fdcfce7e3b70c3aeadd26e39048dbfd1
SHA1

2bb5e66ab5f69c58e8f0d6c2107892ce249fa31d
SHA256

973e10c1c7f7f0831b7471571f8b882dbaa2ccf7176295108c22e7f482995deb
SHA512

b3e769b66f326fe05c72aa2fac37d31aef9e31d0983f22d4be65f6a9d5b97916589ecbfb5fb3345722ad8dc92aa5f2243d90128f3d055fcbde87f0e234219030
SSDEEP

3072:jEGh0oUlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGel5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2D712A55-C5B8-48d2-B191-7D79D3E5936A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe{A787BF33-4841-4f5e-933A-41878E71260F}.exe{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}\stubpath = "C:\\Windows\\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe"	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87BA1464-C80B-4041-B7B4-F454C420BF68}\stubpath = "C:\\Windows\\{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe"	{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}	{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}\stubpath = "C:\\Windows\\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe"	{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}\stubpath = "C:\\Windows\\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe"	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC39135E-07C4-40bf-A28A-B24589363BB3}	{A787BF33-4841-4f5e-933A-41878E71260F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC39135E-07C4-40bf-A28A-B24589363BB3}\stubpath = "C:\\Windows\\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe"	{A787BF33-4841-4f5e-933A-41878E71260F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}\stubpath = "C:\\Windows\\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe"	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87BA1464-C80B-4041-B7B4-F454C420BF68}	{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A787BF33-4841-4f5e-933A-41878E71260F}	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}\stubpath = "C:\\Windows\\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe"	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}\stubpath = "C:\\Windows\\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe"	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}\stubpath = "C:\\Windows\\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe"	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D712A55-C5B8-48d2-B191-7D79D3E5936A}	{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D712A55-C5B8-48d2-B191-7D79D3E5936A}\stubpath = "C:\\Windows\\{2D712A55-C5B8-48d2-B191-7D79D3E5936A}.exe"	{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A787BF33-4841-4f5e-933A-41878E71260F}\stubpath = "C:\\Windows\\{A787BF33-4841-4f5e-933A-41878E71260F}.exe"	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1736 cmd.exe

pid	process
1736	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe{A787BF33-4841-4f5e-933A-41878E71260F}.exe{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe{2D712A55-C5B8-48d2-B191-7D79D3E5936A}.exe

pid	process
2916	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe
2552	{A787BF33-4841-4f5e-933A-41878E71260F}.exe
2708	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe
2684	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe
1980	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe
1936	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe
2548	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe
1656	{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe
2928	{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe
2132	{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe
1444	{2D712A55-C5B8-48d2-B191-7D79D3E5936A}.exe

Drops file in Windows directory 11 IoCs

Processes:

{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe{A787BF33-4841-4f5e-933A-41878E71260F}.exe{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe

description	ioc	process
File created	C:\Windows\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe	{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe
File created	C:\Windows\{2D712A55-C5B8-48d2-B191-7D79D3E5936A}.exe	{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe
File created	C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe
File created	C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe	{A787BF33-4841-4f5e-933A-41878E71260F}.exe
File created	C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe
File created	C:\Windows\{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe	{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe
File created	C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe
File created	C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe
File created	C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe
File created	C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe
File created	C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe{A787BF33-4841-4f5e-933A-41878E71260F}.exe{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2412	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2916	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe
Token: SeIncBasePriorityPrivilege	2552	{A787BF33-4841-4f5e-933A-41878E71260F}.exe
Token: SeIncBasePriorityPrivilege	2708	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe
Token: SeIncBasePriorityPrivilege	2684	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe
Token: SeIncBasePriorityPrivilege	1980	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe
Token: SeIncBasePriorityPrivilege	1936	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe
Token: SeIncBasePriorityPrivilege	2548	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe
Token: SeIncBasePriorityPrivilege	1656	{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe
Token: SeIncBasePriorityPrivilege	2928	{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe
Token: SeIncBasePriorityPrivilege	2132	{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2412 wrote to memory of 2916	2412	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe
PID 2412 wrote to memory of 2916	2412	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe
PID 2412 wrote to memory of 2916	2412	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe
PID 2412 wrote to memory of 2916	2412	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe
PID 2412 wrote to memory of 1736	2412	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe	cmd.exe
PID 2412 wrote to memory of 1736	2412	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe	cmd.exe
PID 2412 wrote to memory of 1736	2412	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe	cmd.exe
PID 2412 wrote to memory of 1736	2412	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe	cmd.exe
PID 2916 wrote to memory of 2552	2916	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe	{A787BF33-4841-4f5e-933A-41878E71260F}.exe
PID 2916 wrote to memory of 2552	2916	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe	{A787BF33-4841-4f5e-933A-41878E71260F}.exe
PID 2916 wrote to memory of 2552	2916	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe	{A787BF33-4841-4f5e-933A-41878E71260F}.exe
PID 2916 wrote to memory of 2552	2916	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe	{A787BF33-4841-4f5e-933A-41878E71260F}.exe
PID 2916 wrote to memory of 2656	2916	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe	cmd.exe
PID 2916 wrote to memory of 2656	2916	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe	cmd.exe
PID 2916 wrote to memory of 2656	2916	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe	cmd.exe
PID 2916 wrote to memory of 2656	2916	{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe	cmd.exe
PID 2552 wrote to memory of 2708	2552	{A787BF33-4841-4f5e-933A-41878E71260F}.exe	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe
PID 2552 wrote to memory of 2708	2552	{A787BF33-4841-4f5e-933A-41878E71260F}.exe	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe
PID 2552 wrote to memory of 2708	2552	{A787BF33-4841-4f5e-933A-41878E71260F}.exe	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe
PID 2552 wrote to memory of 2708	2552	{A787BF33-4841-4f5e-933A-41878E71260F}.exe	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe
PID 2552 wrote to memory of 2848	2552	{A787BF33-4841-4f5e-933A-41878E71260F}.exe	cmd.exe
PID 2552 wrote to memory of 2848	2552	{A787BF33-4841-4f5e-933A-41878E71260F}.exe	cmd.exe
PID 2552 wrote to memory of 2848	2552	{A787BF33-4841-4f5e-933A-41878E71260F}.exe	cmd.exe
PID 2552 wrote to memory of 2848	2552	{A787BF33-4841-4f5e-933A-41878E71260F}.exe	cmd.exe
PID 2708 wrote to memory of 2684	2708	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe
PID 2708 wrote to memory of 2684	2708	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe
PID 2708 wrote to memory of 2684	2708	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe
PID 2708 wrote to memory of 2684	2708	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe
PID 2708 wrote to memory of 2692	2708	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe	cmd.exe
PID 2708 wrote to memory of 2692	2708	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe	cmd.exe
PID 2708 wrote to memory of 2692	2708	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe	cmd.exe
PID 2708 wrote to memory of 2692	2708	{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe	cmd.exe
PID 2684 wrote to memory of 1980	2684	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe
PID 2684 wrote to memory of 1980	2684	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe
PID 2684 wrote to memory of 1980	2684	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe
PID 2684 wrote to memory of 1980	2684	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe
PID 2684 wrote to memory of 2488	2684	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe	cmd.exe
PID 2684 wrote to memory of 2488	2684	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe	cmd.exe
PID 2684 wrote to memory of 2488	2684	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe	cmd.exe
PID 2684 wrote to memory of 2488	2684	{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe	cmd.exe
PID 1980 wrote to memory of 1936	1980	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe
PID 1980 wrote to memory of 1936	1980	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe
PID 1980 wrote to memory of 1936	1980	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe
PID 1980 wrote to memory of 1936	1980	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe
PID 1980 wrote to memory of 1328	1980	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe	cmd.exe
PID 1980 wrote to memory of 1328	1980	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe	cmd.exe
PID 1980 wrote to memory of 1328	1980	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe	cmd.exe
PID 1980 wrote to memory of 1328	1980	{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe	cmd.exe
PID 1936 wrote to memory of 2548	1936	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe
PID 1936 wrote to memory of 2548	1936	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe
PID 1936 wrote to memory of 2548	1936	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe
PID 1936 wrote to memory of 2548	1936	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe
PID 1936 wrote to memory of 2000	1936	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe	cmd.exe
PID 1936 wrote to memory of 2000	1936	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe	cmd.exe
PID 1936 wrote to memory of 2000	1936	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe	cmd.exe
PID 1936 wrote to memory of 2000	1936	{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe	cmd.exe
PID 2548 wrote to memory of 1656	2548	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe	{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe
PID 2548 wrote to memory of 1656	2548	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe	{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe
PID 2548 wrote to memory of 1656	2548	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe	{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe
PID 2548 wrote to memory of 1656	2548	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe	{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe
PID 2548 wrote to memory of 1892	2548	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe	cmd.exe
PID 2548 wrote to memory of 1892	2548	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe	cmd.exe
PID 2548 wrote to memory of 1892	2548	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe	cmd.exe
PID 2548 wrote to memory of 1892	2548	{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe
C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe
C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A787B~1.EXE > nul
4⤵
PID:2848

C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe
C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe
C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3CD9E~1.EXE > nul
6⤵
PID:2488

C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe
C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe
C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F2315~1.EXE > nul
8⤵
PID:2000

C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe
C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe
C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe
C:\Windows\{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{87BA1~1.EXE > nul
11⤵
PID:324

C:\Windows\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe
C:\Windows\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D76C3~1.EXE > nul
12⤵
PID:2072

C:\Windows\{2D712A55-C5B8-48d2-B191-7D79D3E5936A}.exe
C:\Windows\{2D712A55-C5B8-48d2-B191-7D79D3E5936A}.exe
12⤵
- Executes dropped EXE
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1E22C~1.EXE > nul
10⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5F35A~1.EXE > nul
9⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4419D~1.EXE > nul
7⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EC391~1.EXE > nul
5⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{178BA~1.EXE > nul
3⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe

Filesize
180KB

MD5
b581318ff2a2b609cafbc70e3ab0fec9

SHA1
55c48b197bd34eca3d7a7a639cfd60372de536d3

SHA256
2e643b8a1f24b541f99b61d78b406d7d25a1e099ea2fdb75081191e900bd6d63

SHA512
e10ad317d7235f87063567f2c74c34a907f4f69f3d4fa1ea6ec366eb4a5f74907bfa1713d117e7e62016c6770aecda0c957478eccf7fb15431ad32c05cf9c4b4

Download Submit
C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe

Filesize
180KB

MD5
c29380d15b0f43e82154ff0a53c2b04b

SHA1
636ac2312bc15a04babaebb13553ffa745119c2f

SHA256
163f151c8e9278f932c4448ea53d35a1ee01e299f11219283f2110be3e6c6595

SHA512
2c8b29ccd05a39621c5df9cdc298cb8487f089dd79686605c69ad1acd54f6611c49f97533778ee94d04d54883a149a2605d08a1c5f97f55592509d1051341682

Download Submit
C:\Windows\{2D712A55-C5B8-48d2-B191-7D79D3E5936A}.exe

Filesize
180KB

MD5
85082190fc3a980c0b22342460bcf739

SHA1
2953bb942431eb06ec8b41a8b2ce725d922bd411

SHA256
576036f2449797164209418df6d2222180d3f724524955ccf165d286aba9258e

SHA512
2239f3f7183aef8ee5fd1a496557884e80f7ce17cb9e9c683aa7e3cc1c88625c63a13597e491620f707c50c3eb35a717c4e732848557ede45c641e12eab099d0

Download Submit
C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe

Filesize
180KB

MD5
d85d8279b5cfdfeda54eb5e71dfe1f6d

SHA1
758f64f777dd813626a06eba714473dba277a0ef

SHA256
5e5db6983e8967f333daa8d7ecee81a37c9b837afe47b97a52bcd84928bcc7cb

SHA512
712b98c6f84d27a2f141cd7178a68b7643591944444e5a8b6e076b5ed1494f6762333dfa55aeaca1b0730cf5e3dde99a1893f26c42ee0a9b5d3364668580c292

Download Submit
C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe

Filesize
180KB

MD5
43e430f247121a13078d0c65c5d3ba60

SHA1
90b2c2c9a04f181e5ec241ecf1446810b8661d34

SHA256
2a1f852b0fa81fa29451c6641035e77893d67a1e275d2f2a844e28dfcb4c66f5

SHA512
a522e66454d206a65a2abe29df5780c8782b734bdf039376aff51187a7066d9b5646a43ce0e05416a97ccb843409fc8df98efd2854e15cfe7dffcd2a5d804383

Download Submit
C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe

Filesize
180KB

MD5
0da250d6cfb44b0da4c5a71b82d9770b

SHA1
e46f29a8a3151b15cb3f09359487c4ac00e3662c

SHA256
d8167402f13a1840cd630a66e9753a3c7821c58e96fd14941e45350f006bac5d

SHA512
6725f719ba6872230c18dd88cb2726d29b36d779a93d9217de5ae6e6507ad70f01b2b0f58daeaa612fb87a64bbfb45ce57e3f4a453fb05362dce7f77afa28e03

Download Submit
C:\Windows\{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe

Filesize
180KB

MD5
b85784477f7ed347251fffb10417161c

SHA1
5a21ec2b4788cd0d1e90bfa6230bcfa554df5c66

SHA256
8cb752a54a614341b7711a32892b11981991706bf726061d25a35067df404d92

SHA512
cab9bc965bf62e545769206f3908673a7d07959236e75dd673100b81a94e1115f37f1dcd878aa6fc129d325fb24d8b8646b6e444a22c7fdd894c661359ba9045

Download Submit
C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe

Filesize
180KB

MD5
658e73818fa257085447efb6be8bbe8c

SHA1
ff6ffc9ad4288dbf1ffaabf57d20edaa946d5469

SHA256
fe66356e51e23308e1a185785b3a69b1ab421734a376ad25a94f7c1c19bd2d83

SHA512
0cd72016451a3e04fc0afa905dda1a21d8e3a04a9dd477643e43f59647e617ff10db5fcfa685db29ded0849df68575a7d019c7881630a4ccd9bed55f8bc7f02f

Download Submit
C:\Windows\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe

Filesize
180KB

MD5
a9d447bdddfd1c6067b9bb0f81dc00f6

SHA1
c151877a78141ce242c88899010d6c9a43d880f1

SHA256
51f75d94884b5c313396428ea3732c91f96fb9935dffdba21a5c38ea6bb286c9

SHA512
6db93645c7b4c0c13fef6a78fe5c8a0250e9fa0fd2fcee8e8d40d68f6de6993305408ee28b94ef112e3b56910ec6d2a03907b14f328561683d4afbaf311cf0a8

Download Submit
C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe

Filesize
180KB

MD5
d272bd0a63cadad99b3fc437618a3b72

SHA1
b0fbdbc820c3857f1488c90bd238c985cf355b0c

SHA256
fd105441604d8f1b0830eb72ae0673f7d80281e914df56ae9989afdf435e93ce

SHA512
caf03b484b0870600cf0f2dfd24582a98e98046d152ce76e1ed2d25d18c7711e380ff068d4729c34273a5b78b9aabeb4248c75889bebed95e26402f9fb852f10

Download Submit
C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe

Filesize
180KB

MD5
d28959937b3d7d986eab52b4b011a016

SHA1
323180fec625fc3cf153f02876cc1fc1612362de

SHA256
3327d42681cc5c25a5d7369816acaee6e26011612d4b828512c8aeab407617d3

SHA512
d0af11cab8aeb87e2c4125c0bac370869032a2c54c8aa680e990e28a3d08847da9bc338f33b3e2be704c927f42a9393bde35f44b6eaaa8c4deebdc432f6c2211

Download Submit