aece22f431e7f98bd911223303575cb0b8a13583ff09d2f4ce5db62f5cd60258

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe
Size

408KB
MD5

781dc4a1b9dcd39ea89cc10c9ac8d131
SHA1

48c97e0843e5c324eed5d23a1015c3f14475e14f
SHA256

aece22f431e7f98bd911223303575cb0b8a13583ff09d2f4ce5db62f5cd60258
SHA512

9675b45f901d4b04307bc0ba12081009dab53cd7c718df0e08ede1702c857faa4d33825c57a6b88fbe3b2b3a138e9e9a8a3faa4386a63fc176ca70a9bb08af1d
SSDEEP

3072:CEGh0ogl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGuldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{58B4A950-2330-4fd8-98C5-08B513609C04}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{ACEED5DE-C1AD-43e3-BD1C-D46A33CB1894}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}.exe{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe{58B4A950-2330-4fd8-98C5-08B513609C04}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}\stubpath = "C:\\Windows\\{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe"	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}\stubpath = "C:\\Windows\\{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe"	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58B4A950-2330-4fd8-98C5-08B513609C04}	{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACEED5DE-C1AD-43e3-BD1C-D46A33CB1894}	{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{143FBD86-2B3A-44e5-AB03-5D99E672CD56}	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A39C7588-F4F3-462e-914D-B01CA63CDE56}\stubpath = "C:\\Windows\\{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe"	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5483BADD-91BB-4d2a-A2CD-D06CE491E088}\stubpath = "C:\\Windows\\{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe"	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18E82F30-5E7E-4188-A84A-70C82EFA711E}	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACEED5DE-C1AD-43e3-BD1C-D46A33CB1894}\stubpath = "C:\\Windows\\{ACEED5DE-C1AD-43e3-BD1C-D46A33CB1894}.exe"	{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{143FBD86-2B3A-44e5-AB03-5D99E672CD56}\stubpath = "C:\\Windows\\{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe"	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A39C7588-F4F3-462e-914D-B01CA63CDE56}	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5483BADD-91BB-4d2a-A2CD-D06CE491E088}	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B6A705C-F679-43dc-85CC-408A5BF78BC3}\stubpath = "C:\\Windows\\{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe"	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B677C5DD-0DC1-460b-9315-E940E12B9DFC}\stubpath = "C:\\Windows\\{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe"	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58B4A950-2330-4fd8-98C5-08B513609C04}\stubpath = "C:\\Windows\\{58B4A950-2330-4fd8-98C5-08B513609C04}.exe"	{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}	{58B4A950-2330-4fd8-98C5-08B513609C04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}\stubpath = "C:\\Windows\\{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}.exe"	{58B4A950-2330-4fd8-98C5-08B513609C04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B6A705C-F679-43dc-85CC-408A5BF78BC3}	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18E82F30-5E7E-4188-A84A-70C82EFA711E}\stubpath = "C:\\Windows\\{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe"	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B677C5DD-0DC1-460b-9315-E940E12B9DFC}	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2688 cmd.exe

pid	process
2688	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe{58B4A950-2330-4fd8-98C5-08B513609C04}.exe{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}.exe{ACEED5DE-C1AD-43e3-BD1C-D46A33CB1894}.exe

pid	process
2384	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe
2780	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe
2988	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe
1520	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe
2788	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe
1452	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe
1608	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe
1188	{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe
1092	{58B4A950-2330-4fd8-98C5-08B513609C04}.exe
2356	{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}.exe
960	{ACEED5DE-C1AD-43e3-BD1C-D46A33CB1894}.exe

Drops file in Windows directory 11 IoCs

Processes:

{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe{58B4A950-2330-4fd8-98C5-08B513609C04}.exe{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}.exe{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe

description	ioc	process
File created	C:\Windows\{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe
File created	C:\Windows\{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe
File created	C:\Windows\{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe
File created	C:\Windows\{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe
File created	C:\Windows\{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe
File created	C:\Windows\{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe
File created	C:\Windows\{58B4A950-2330-4fd8-98C5-08B513609C04}.exe	{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe
File created	C:\Windows\{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe
File created	C:\Windows\{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}.exe	{58B4A950-2330-4fd8-98C5-08B513609C04}.exe
File created	C:\Windows\{ACEED5DE-C1AD-43e3-BD1C-D46A33CB1894}.exe	{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}.exe
File created	C:\Windows\{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe{58B4A950-2330-4fd8-98C5-08B513609C04}.exe{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2372	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2384	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe
Token: SeIncBasePriorityPrivilege	2780	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe
Token: SeIncBasePriorityPrivilege	2988	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe
Token: SeIncBasePriorityPrivilege	1520	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe
Token: SeIncBasePriorityPrivilege	2788	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe
Token: SeIncBasePriorityPrivilege	1452	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe
Token: SeIncBasePriorityPrivilege	1608	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe
Token: SeIncBasePriorityPrivilege	1188	{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe
Token: SeIncBasePriorityPrivilege	1092	{58B4A950-2330-4fd8-98C5-08B513609C04}.exe
Token: SeIncBasePriorityPrivilege	2356	{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2372 wrote to memory of 2384	2372	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe
PID 2372 wrote to memory of 2384	2372	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe
PID 2372 wrote to memory of 2384	2372	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe
PID 2372 wrote to memory of 2384	2372	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe
PID 2372 wrote to memory of 2688	2372	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe	cmd.exe
PID 2372 wrote to memory of 2688	2372	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe	cmd.exe
PID 2372 wrote to memory of 2688	2372	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe	cmd.exe
PID 2372 wrote to memory of 2688	2372	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe	cmd.exe
PID 2384 wrote to memory of 2780	2384	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe
PID 2384 wrote to memory of 2780	2384	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe
PID 2384 wrote to memory of 2780	2384	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe
PID 2384 wrote to memory of 2780	2384	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe
PID 2384 wrote to memory of 2744	2384	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe	cmd.exe
PID 2384 wrote to memory of 2744	2384	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe	cmd.exe
PID 2384 wrote to memory of 2744	2384	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe	cmd.exe
PID 2384 wrote to memory of 2744	2384	{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe	cmd.exe
PID 2780 wrote to memory of 2988	2780	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe
PID 2780 wrote to memory of 2988	2780	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe
PID 2780 wrote to memory of 2988	2780	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe
PID 2780 wrote to memory of 2988	2780	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe
PID 2780 wrote to memory of 2700	2780	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe	cmd.exe
PID 2780 wrote to memory of 2700	2780	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe	cmd.exe
PID 2780 wrote to memory of 2700	2780	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe	cmd.exe
PID 2780 wrote to memory of 2700	2780	{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe	cmd.exe
PID 2988 wrote to memory of 1520	2988	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe
PID 2988 wrote to memory of 1520	2988	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe
PID 2988 wrote to memory of 1520	2988	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe
PID 2988 wrote to memory of 1520	2988	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe
PID 2988 wrote to memory of 860	2988	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe	cmd.exe
PID 2988 wrote to memory of 860	2988	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe	cmd.exe
PID 2988 wrote to memory of 860	2988	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe	cmd.exe
PID 2988 wrote to memory of 860	2988	{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe	cmd.exe
PID 1520 wrote to memory of 2788	1520	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe
PID 1520 wrote to memory of 2788	1520	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe
PID 1520 wrote to memory of 2788	1520	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe
PID 1520 wrote to memory of 2788	1520	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe
PID 1520 wrote to memory of 296	1520	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe	cmd.exe
PID 1520 wrote to memory of 296	1520	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe	cmd.exe
PID 1520 wrote to memory of 296	1520	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe	cmd.exe
PID 1520 wrote to memory of 296	1520	{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe	cmd.exe
PID 2788 wrote to memory of 1452	2788	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe
PID 2788 wrote to memory of 1452	2788	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe
PID 2788 wrote to memory of 1452	2788	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe
PID 2788 wrote to memory of 1452	2788	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe
PID 2788 wrote to memory of 2452	2788	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe	cmd.exe
PID 2788 wrote to memory of 2452	2788	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe	cmd.exe
PID 2788 wrote to memory of 2452	2788	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe	cmd.exe
PID 2788 wrote to memory of 2452	2788	{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe	cmd.exe
PID 1452 wrote to memory of 1608	1452	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe
PID 1452 wrote to memory of 1608	1452	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe
PID 1452 wrote to memory of 1608	1452	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe
PID 1452 wrote to memory of 1608	1452	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe
PID 1452 wrote to memory of 2928	1452	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe	cmd.exe
PID 1452 wrote to memory of 2928	1452	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe	cmd.exe
PID 1452 wrote to memory of 2928	1452	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe	cmd.exe
PID 1452 wrote to memory of 2928	1452	{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe	cmd.exe
PID 1608 wrote to memory of 1188	1608	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe	{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe
PID 1608 wrote to memory of 1188	1608	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe	{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe
PID 1608 wrote to memory of 1188	1608	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe	{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe
PID 1608 wrote to memory of 1188	1608	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe	{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe
PID 1608 wrote to memory of 864	1608	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe	cmd.exe
PID 1608 wrote to memory of 864	1608	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe	cmd.exe
PID 1608 wrote to memory of 864	1608	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe	cmd.exe
PID 1608 wrote to memory of 864	1608	{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe
C:\Windows\{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe
C:\Windows\{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe
C:\Windows\{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe
C:\Windows\{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5483B~1.EXE > nul
6⤵
PID:296

C:\Windows\{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe
C:\Windows\{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{18E82~1.EXE > nul
7⤵
PID:2452

C:\Windows\{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe
C:\Windows\{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B677C~1.EXE > nul
8⤵
PID:2928

C:\Windows\{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe
C:\Windows\{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9DE21~1.EXE > nul
9⤵
PID:864

C:\Windows\{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe
C:\Windows\{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{031DE~1.EXE > nul
10⤵
PID:1956

C:\Windows\{58B4A950-2330-4fd8-98C5-08B513609C04}.exe
C:\Windows\{58B4A950-2330-4fd8-98C5-08B513609C04}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}.exe
C:\Windows\{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\{ACEED5DE-C1AD-43e3-BD1C-D46A33CB1894}.exe
C:\Windows\{ACEED5DE-C1AD-43e3-BD1C-D46A33CB1894}.exe
12⤵
- Executes dropped EXE
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4817D~1.EXE > nul
12⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{58B4A~1.EXE > nul
11⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A39C7~1.EXE > nul
5⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{143FB~1.EXE > nul
4⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4B6A7~1.EXE > nul
3⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{031DEE09-F6EC-4718-B72C-D931F7C2F4B0}.exe

Filesize
408KB

MD5
5e7a7347ae5c565627bbb1386b7cc379

SHA1
42f68195007ae978c045aa94da83b71a5470b30b

SHA256
aae53b4849c7a28f42bfbc11fed08a85f6b454e1c9454791a071f275d80fb14e

SHA512
7bb86e84834d57800ee82edd296cbfd4c900f9df3d1bd12238358f93989a58969201e1a11b3d4800f238b1d07bc2c70714366d40b967b8516abb57c955e8bdd6

Download Submit
C:\Windows\{143FBD86-2B3A-44e5-AB03-5D99E672CD56}.exe

Filesize
408KB

MD5
8a91f0bc519922a844e7e5cd86893250

SHA1
46e6f00457efd38eea8e00a1dafc6a6270862138

SHA256
b79618c0d239c0f855dde751e4cf64dbba5af004ee45d14897c4720a1449f595

SHA512
4eb2d0cc1de250a873bcb5375aa91be9d21b65b7adca07170e69b198361387cf4fd4e0974d4e9c6e49c4c42a5277d0d087d504408b2832605f0a54f4979fd656

Download Submit
C:\Windows\{18E82F30-5E7E-4188-A84A-70C82EFA711E}.exe

Filesize
408KB

MD5
816b20b30c9b36cbf0559618f57cd2c9

SHA1
e3dfe719f39baae1575b2296069ef457e2756bb2

SHA256
52b9cb8f5102c54a19ebac6892edea0e0a10c0b68a61cc0c6734652e16f968a4

SHA512
13f4aac133be3bb78e2d9e21d48a4d73477e45902d310cc7a6b3d6e4b7bf0467a68a47abf6b9f1c517d235c7626297434c02efa3d585efaa1dc9090f725a0824

Download Submit
C:\Windows\{4817DDF0-5951-42fa-A3ED-AE60A8A5C8C3}.exe

Filesize
408KB

MD5
93a0104fa2ad3ba36e4c13fe65047629

SHA1
e6ed5c81d36a7dda51ed051e9f61c25ed4a9dc73

SHA256
278d605327116d5956cfc55f19c805022489839e981a40d68cbf783903fc08a2

SHA512
47e598afd0fe7e62c73e5671dffa988b83106893a3a292814e58a226b85ece89123507b1e54411fa378f11418c5ba48fc5384cf52852baacbd34d7d236b0d91e

Download Submit
C:\Windows\{4B6A705C-F679-43dc-85CC-408A5BF78BC3}.exe

Filesize
408KB

MD5
b72fa6105903fe44c96a0d5859187a18

SHA1
4057c5f6d60176d0573ee7db509aed41ed972f8b

SHA256
3bab5f8629c568eaf0adec3f880addb7f1b3773f3d27df18ab5a832fbb475cc2

SHA512
54847f0d268cff9c743faee64825f5cb9baa168cc190dd30e51bdaa0e1b5481796a9920f7699b766bcdc204e9c8f468a9a8beed9f374c0f1035d9abf5a80f381

Download Submit
C:\Windows\{5483BADD-91BB-4d2a-A2CD-D06CE491E088}.exe

Filesize
408KB

MD5
fbafcbc46c9d433462781a5168cf8d6c

SHA1
9a337c4d7ed9923d49b6935787e7f20fefc6fa5c

SHA256
f8cc51d1e1aa0edeb7a455614326f1522071b63b9b5d0ad1ec60de51955b85d7

SHA512
ff65070e7b70b662ac928680965cef27800139c0e00e795188212a61322eec10792b1b1edfb4231fd8d720a824aaae30ebb632eab0950d830fcb386e1d752601

Download Submit
C:\Windows\{58B4A950-2330-4fd8-98C5-08B513609C04}.exe

Filesize
408KB

MD5
a071cb9ab06ed647fc60351777a60db2

SHA1
b25c632a722b532544f296c92a2a48abbff9ceb0

SHA256
57dbe429c9ac4a69ac17515239af90c60a0b6efa180b58b41f0ff3c57122adfd

SHA512
4ed3d14fe1736f4632b754767fc46226b21623896b82cd5f95dea730647d79683f2e896b82b2cc500b349850f41d2115e89c29afedbff7d1f9798717fcc038df

Download Submit
C:\Windows\{9DE2131D-6BDE-41b1-8F53-AACD8548CD79}.exe

Filesize
408KB

MD5
dd8877403f247c6d8a46c8eb5179fdc6

SHA1
b88287b785ae3f58e6c5f3970df873c5a0545983

SHA256
763ce14a6c8d2afe926df7d6896e74f1695d6d5c814ee0c8e4097546ea97488c

SHA512
aa55d6370b9a20017a0e948c56e2812a4499c3332b7e7d46324ae707ccd231f330c455e63d95cbf3d4bb6f2b2783880a1fa847171754f6415b68e66a13907ad3

Download Submit
C:\Windows\{A39C7588-F4F3-462e-914D-B01CA63CDE56}.exe

Filesize
408KB

MD5
dfc95b1d2142eebec71a3cbdabab15f2

SHA1
8fe0d31b6377001db866ed00ef1e0bc63485013c

SHA256
09530cecba4d1273fb60a56510dee17ba0e867bdc3e5946ade089f296f39cdfd

SHA512
0db5340ae9d2451808946b7e2fb032aea0b9d5a9fb5c495883c9704d5afd33d05973ebe58b27758609d1e1be143158433db4873ec1a2de7d04ff3c38ac6e22a3

Download Submit
C:\Windows\{ACEED5DE-C1AD-43e3-BD1C-D46A33CB1894}.exe

Filesize
408KB

MD5
917c04673b20aebe6813fa4544106762

SHA1
71846de86348c5740dea188f4d362e5ded40cfa1

SHA256
e3bef4c4cff92a78db8b966ddff219fea4108c76fdd567073ef9edfbf2539eb6

SHA512
94fbaae4ddb26470f9c400e1caa863b37f298d314a30c7929af07699cdaa06fdcfbcb481290f4b25af7ef4aba438c1e4e19a5d458119d0b96a4c732e1dc8bd86

Download Submit
C:\Windows\{B677C5DD-0DC1-460b-9315-E940E12B9DFC}.exe

Filesize
408KB

MD5
7ffd5e704905d201c9a11f260589c582

SHA1
912a4494a558b8783bee6ea72cf5d8b7b3747db3

SHA256
bda434ae19d2cca21f87d16f979e577905ceba8e7aad44d115caf16033ce59f6

SHA512
834e7753fd3b14d440919615ed7bf634df07f2e9c2cb4556e1922e52a6178ebbd9fa9c02236a64941d73a7b8a9fb0a53b4bd53f89f6d35d55adc713db8f07413

Download Submit