aece22f431e7f98bd911223303575cb0b8a13583ff09d2f4ce5db62f5cd60258

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe
Size

408KB
MD5

781dc4a1b9dcd39ea89cc10c9ac8d131
SHA1

48c97e0843e5c324eed5d23a1015c3f14475e14f
SHA256

aece22f431e7f98bd911223303575cb0b8a13583ff09d2f4ce5db62f5cd60258
SHA512

9675b45f901d4b04307bc0ba12081009dab53cd7c718df0e08ede1702c857faa4d33825c57a6b88fbe3b2b3a138e9e9a8a3faa4386a63fc176ca70a9bb08af1d
SSDEEP

3072:CEGh0ogl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGuldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

Processes:

resource	yara_rule
C:\Windows\{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A8931D19-07A5-483a-9267-14C1F748D90E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CEBB433F-509C-408e-B1BC-CCABB8D8699C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe{A8931D19-07A5-483a-9267-14C1F748D90E}.exe{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}	{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43C7FAA5-B749-4ed8-9096-0269D25E012A}\stubpath = "C:\\Windows\\{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe"	{A8931D19-07A5-483a-9267-14C1F748D90E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}	{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96F40151-D59F-40e8-871A-64CCD0B56C7F}\stubpath = "C:\\Windows\\{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe"	{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEBB433F-509C-408e-B1BC-CCABB8D8699C}	{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43C7FAA5-B749-4ed8-9096-0269D25E012A}	{A8931D19-07A5-483a-9267-14C1F748D90E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}\stubpath = "C:\\Windows\\{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe"	{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5407BF7A-783A-4728-972E-4AC72A1EB506}	{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE49D894-6005-4fa8-8C6A-201F1CE35777}	{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96F40151-D59F-40e8-871A-64CCD0B56C7F}	{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5407BF7A-783A-4728-972E-4AC72A1EB506}\stubpath = "C:\\Windows\\{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe"	{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{972E1449-9384-478b-9B16-CE5E43D6BAA7}\stubpath = "C:\\Windows\\{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe"	{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}\stubpath = "C:\\Windows\\{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe"	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}\stubpath = "C:\\Windows\\{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe"	{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8931D19-07A5-483a-9267-14C1F748D90E}	{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8931D19-07A5-483a-9267-14C1F748D90E}\stubpath = "C:\\Windows\\{A8931D19-07A5-483a-9267-14C1F748D90E}.exe"	{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE49D894-6005-4fa8-8C6A-201F1CE35777}\stubpath = "C:\\Windows\\{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe"	{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{972E1449-9384-478b-9B16-CE5E43D6BAA7}	{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEBB433F-509C-408e-B1BC-CCABB8D8699C}\stubpath = "C:\\Windows\\{CEBB433F-509C-408e-B1BC-CCABB8D8699C}.exe"	{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}	{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}\stubpath = "C:\\Windows\\{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe"	{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DA698A8-31A9-4302-A38D-67C761BC17C0}	{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DA698A8-31A9-4302-A38D-67C761BC17C0}\stubpath = "C:\\Windows\\{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe"	{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe

Executes dropped EXE 12 IoCs

Processes:

{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe{A8931D19-07A5-483a-9267-14C1F748D90E}.exe{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe{CEBB433F-509C-408e-B1BC-CCABB8D8699C}.exe

pid	process
448	{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe
1200	{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe
1556	{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe
2540	{A8931D19-07A5-483a-9267-14C1F748D90E}.exe
4224	{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe
2368	{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe
1504	{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe
2896	{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe
3060	{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe
1996	{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe
3956	{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe
1856	{CEBB433F-509C-408e-B1BC-CCABB8D8699C}.exe

Drops file in Windows directory 12 IoCs

Processes:

{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe{A8931D19-07A5-483a-9267-14C1F748D90E}.exe{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe

description	ioc	process
File created	C:\Windows\{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe	{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe
File created	C:\Windows\{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe	{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe
File created	C:\Windows\{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe	{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe
File created	C:\Windows\{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe	{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe
File created	C:\Windows\{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe
File created	C:\Windows\{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe	{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe
File created	C:\Windows\{A8931D19-07A5-483a-9267-14C1F748D90E}.exe	{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe
File created	C:\Windows\{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe	{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe
File created	C:\Windows\{CEBB433F-509C-408e-B1BC-CCABB8D8699C}.exe	{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe
File created	C:\Windows\{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe	{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe
File created	C:\Windows\{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe	{A8931D19-07A5-483a-9267-14C1F748D90E}.exe
File created	C:\Windows\{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe	{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe{A8931D19-07A5-483a-9267-14C1F748D90E}.exe{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3160	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe
Token: SeIncBasePriorityPrivilege	448	{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe
Token: SeIncBasePriorityPrivilege	1200	{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe
Token: SeIncBasePriorityPrivilege	1556	{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe
Token: SeIncBasePriorityPrivilege	2540	{A8931D19-07A5-483a-9267-14C1F748D90E}.exe
Token: SeIncBasePriorityPrivilege	4224	{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe
Token: SeIncBasePriorityPrivilege	2368	{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe
Token: SeIncBasePriorityPrivilege	1504	{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe
Token: SeIncBasePriorityPrivilege	2896	{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe
Token: SeIncBasePriorityPrivilege	3060	{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe
Token: SeIncBasePriorityPrivilege	1996	{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe
Token: SeIncBasePriorityPrivilege	3956	{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3160 wrote to memory of 448	3160	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe	{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe
PID 3160 wrote to memory of 448	3160	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe	{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe
PID 3160 wrote to memory of 448	3160	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe	{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe
PID 3160 wrote to memory of 3704	3160	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe	cmd.exe
PID 3160 wrote to memory of 3704	3160	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe	cmd.exe
PID 3160 wrote to memory of 3704	3160	2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe	cmd.exe
PID 448 wrote to memory of 1200	448	{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe	{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe
PID 448 wrote to memory of 1200	448	{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe	{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe
PID 448 wrote to memory of 1200	448	{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe	{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe
PID 448 wrote to memory of 2020	448	{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe	cmd.exe
PID 448 wrote to memory of 2020	448	{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe	cmd.exe
PID 448 wrote to memory of 2020	448	{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe	cmd.exe
PID 1200 wrote to memory of 1556	1200	{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe	{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe
PID 1200 wrote to memory of 1556	1200	{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe	{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe
PID 1200 wrote to memory of 1556	1200	{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe	{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe
PID 1200 wrote to memory of 3308	1200	{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe	cmd.exe
PID 1200 wrote to memory of 3308	1200	{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe	cmd.exe
PID 1200 wrote to memory of 3308	1200	{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe	cmd.exe
PID 1556 wrote to memory of 2540	1556	{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe	{A8931D19-07A5-483a-9267-14C1F748D90E}.exe
PID 1556 wrote to memory of 2540	1556	{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe	{A8931D19-07A5-483a-9267-14C1F748D90E}.exe
PID 1556 wrote to memory of 2540	1556	{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe	{A8931D19-07A5-483a-9267-14C1F748D90E}.exe
PID 1556 wrote to memory of 3576	1556	{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe	cmd.exe
PID 1556 wrote to memory of 3576	1556	{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe	cmd.exe
PID 1556 wrote to memory of 3576	1556	{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe	cmd.exe
PID 2540 wrote to memory of 4224	2540	{A8931D19-07A5-483a-9267-14C1F748D90E}.exe	{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe
PID 2540 wrote to memory of 4224	2540	{A8931D19-07A5-483a-9267-14C1F748D90E}.exe	{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe
PID 2540 wrote to memory of 4224	2540	{A8931D19-07A5-483a-9267-14C1F748D90E}.exe	{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe
PID 2540 wrote to memory of 2684	2540	{A8931D19-07A5-483a-9267-14C1F748D90E}.exe	cmd.exe
PID 2540 wrote to memory of 2684	2540	{A8931D19-07A5-483a-9267-14C1F748D90E}.exe	cmd.exe
PID 2540 wrote to memory of 2684	2540	{A8931D19-07A5-483a-9267-14C1F748D90E}.exe	cmd.exe
PID 4224 wrote to memory of 2368	4224	{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe	{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe
PID 4224 wrote to memory of 2368	4224	{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe	{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe
PID 4224 wrote to memory of 2368	4224	{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe	{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe
PID 4224 wrote to memory of 4500	4224	{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe	cmd.exe
PID 4224 wrote to memory of 4500	4224	{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe	cmd.exe
PID 4224 wrote to memory of 4500	4224	{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe	cmd.exe
PID 2368 wrote to memory of 1504	2368	{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe	{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe
PID 2368 wrote to memory of 1504	2368	{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe	{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe
PID 2368 wrote to memory of 1504	2368	{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe	{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe
PID 2368 wrote to memory of 5020	2368	{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe	cmd.exe
PID 2368 wrote to memory of 5020	2368	{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe	cmd.exe
PID 2368 wrote to memory of 5020	2368	{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe	cmd.exe
PID 1504 wrote to memory of 2896	1504	{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe	{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe
PID 1504 wrote to memory of 2896	1504	{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe	{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe
PID 1504 wrote to memory of 2896	1504	{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe	{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe
PID 1504 wrote to memory of 2100	1504	{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe	cmd.exe
PID 1504 wrote to memory of 2100	1504	{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe	cmd.exe
PID 1504 wrote to memory of 2100	1504	{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe	cmd.exe
PID 2896 wrote to memory of 3060	2896	{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe	{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe
PID 2896 wrote to memory of 3060	2896	{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe	{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe
PID 2896 wrote to memory of 3060	2896	{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe	{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe
PID 2896 wrote to memory of 4588	2896	{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe	cmd.exe
PID 2896 wrote to memory of 4588	2896	{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe	cmd.exe
PID 2896 wrote to memory of 4588	2896	{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe	cmd.exe
PID 3060 wrote to memory of 1996	3060	{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe	{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe
PID 3060 wrote to memory of 1996	3060	{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe	{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe
PID 3060 wrote to memory of 1996	3060	{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe	{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe
PID 3060 wrote to memory of 2260	3060	{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe	cmd.exe
PID 3060 wrote to memory of 2260	3060	{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe	cmd.exe
PID 3060 wrote to memory of 2260	3060	{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe	cmd.exe
PID 1996 wrote to memory of 3956	1996	{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe	{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe
PID 1996 wrote to memory of 3956	1996	{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe	{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe
PID 1996 wrote to memory of 3956	1996	{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe	{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe
PID 1996 wrote to memory of 1080	1996	{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_781dc4a1b9dcd39ea89cc10c9ac8d131_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe
C:\Windows\{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe
C:\Windows\{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B85CD~1.EXE > nul
4⤵
PID:3308

C:\Windows\{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe
C:\Windows\{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\{A8931D19-07A5-483a-9267-14C1F748D90E}.exe
C:\Windows\{A8931D19-07A5-483a-9267-14C1F748D90E}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe
C:\Windows\{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe
C:\Windows\{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe
C:\Windows\{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe
C:\Windows\{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe
C:\Windows\{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe
C:\Windows\{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe
C:\Windows\{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\{CEBB433F-509C-408e-B1BC-CCABB8D8699C}.exe
C:\Windows\{CEBB433F-509C-408e-B1BC-CCABB8D8699C}.exe
13⤵
- Executes dropped EXE
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{972E1~1.EXE > nul
13⤵
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5407B~1.EXE > nul
12⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{96F40~1.EXE > nul
11⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9B8F0~1.EXE > nul
10⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DE49D~1.EXE > nul
9⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6DA69~1.EXE > nul
8⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{43C7F~1.EXE > nul
7⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A8931~1.EXE > nul
6⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DE9AB~1.EXE > nul
5⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{28A8C~1.EXE > nul
3⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe

Filesize
310KB

MD5
5809555c02754734812cf4cb1e41461e

SHA1
2d91b1b7dfd3bf5cee450bd82ff1454f0a3c4472

SHA256
e1720863756faf665e57eac450d6f185af0639d204ceacd338eb5510dd17e5ab

SHA512
16f787a298559bf2cb95b04655eb189b4160cef9ec0e0e8dfe6be6f911c23fd73e71bfd7821e88d71912daa6d786a3d00058a1dfedb8ba99cd9f5cb27612e76e

Download Submit
C:\Windows\{28A8C109-E4BF-4f65-BEE2-AA50A46C849C}.exe

Filesize
408KB

MD5
e2ae5a15eac16d983b03b2f0d0de3962

SHA1
6ac9386cffd3b680438ee7d701abd425d5b3ca43

SHA256
27da3b1acd57068cc85be7835222bb0dd9c92df7f5b65f37870444a14fec665c

SHA512
e5fc99d617b995eb64b60038e06ce29d5b8ee5ed588a82dd790e3bd28f0a85f2083e86daff7009f0bc8d141c745142f5a1ca8d6b1526da91874c8910c3ad4dec

Download Submit
C:\Windows\{43C7FAA5-B749-4ed8-9096-0269D25E012A}.exe

Filesize
408KB

MD5
bcbdac2bb76edb83020b6f08de7dabf0

SHA1
4a0a297f37099e45a6506c45b8dfffd8768c0cda

SHA256
40fbdba01d891bddfefea289928ee523e80ad2cb8c83340671f463aa3d9462a6

SHA512
324b10a774e859f0e19ce7d7d710bba1a04afffaee50bf015dcd69f8331a8670bcf8379e63df48182fd81d36edcc9492ea724b84ad0e862412503e389024064b

Download Submit
C:\Windows\{5407BF7A-783A-4728-972E-4AC72A1EB506}.exe

Filesize
408KB

MD5
8504eb1c2c9042715d680c2bab5154a2

SHA1
7187c788d57373a659b1bd2d70b02d0262e59a16

SHA256
d7802b72f911850507d2083f564e17cfc268d5d1f1233c4a85eecb236bba7c2a

SHA512
0d2f3717a223ad5ab0c9d4a9bbfa6574ba246e68a7da5edaca8965ca351319fe5cc5dea3324fff58a75d96c3b16e4b6d9456e4bb7e42e09887fc862dc608aeaa

Download Submit
C:\Windows\{6DA698A8-31A9-4302-A38D-67C761BC17C0}.exe

Filesize
408KB

MD5
f260894e48af4c8e1f098cecae49a116

SHA1
6742e8bfb76d0d75df9f1eb34bd97e1242567ba6

SHA256
522870d80ab187ada663a74aac7c6096b7cde9fefc3e9ad66691cb43e030e00e

SHA512
c00111b316f955a2bf43ba1b26c5c95a807fe818363f3cd9b89bc429c1fb65eca55e3c77eaa8e194d1f5cf9f160f4c35291879ac675f2f6430258df2a3e3f437

Download Submit
C:\Windows\{96F40151-D59F-40e8-871A-64CCD0B56C7F}.exe

Filesize
408KB

MD5
ccfa6fbc7fa3ed0458a95d309d1894c7

SHA1
4d5e95d21e86783c4a23653556606046df131756

SHA256
f1e90c2c000804f0bd5c59b13eb6201b66666fda3e79b1dae534d48dd25a1ae9

SHA512
e2825c5fb7e9679342eae3fba7d904b99d62f042d30723132d827333a6025c4781ed853c22fe2217d570a61d3f4fff30786f8a31fedf761c1bc1cc212b34a129

Download Submit
C:\Windows\{972E1449-9384-478b-9B16-CE5E43D6BAA7}.exe

Filesize
408KB

MD5
b9fc891dba5c3481245c6802847df7d9

SHA1
ec196532f4c93ce76a46e1bf41678aa4f9e6a88a

SHA256
6e72aa3258ac190a406d3b99685164ec1a2b45eb6ff14b580e69f32319da1bcc

SHA512
f347428aae103b974513e25fd81f0c9e253bca51ffc40d6aea8e631425149a659eb48571277eb4eb76168f4a02f06f8ee796007a95923bb78e421b5d3a1ab641

Download Submit
C:\Windows\{9B8F0CFC-AD29-4f2b-B042-B61C4AC2B0C0}.exe

Filesize
408KB

MD5
84d546dc0a5bc6d0fc0eb63e34bf7a67

SHA1
a7962e8ebc59b5a1d9b1a4101e94d5f2f29ed9cf

SHA256
9857678601ce014158c06f46ab8b9a363de3c5f8ed7f437606588a58b02d7db6

SHA512
0fa27a6783bd91cb67e2a3181639ca6cc8f059006e43063c5823738e06677c28038b129813948368831333cb9c0f553246c3e5cde2320ef8642327fa3d843f5e

Download Submit
C:\Windows\{A8931D19-07A5-483a-9267-14C1F748D90E}.exe

Filesize
408KB

MD5
7ebe49761485748b9091d713e6719254

SHA1
caeff55bc52a726a6c210fbfb8b44f0404f05516

SHA256
700219391b9aa5a10fc08cc066dbcb472d823d7903f764ba3129861fc0a4008d

SHA512
1557225d1e9478c9e69f024143f771c1d1ca0271b98a615efe0b58628b410d793d910e631dac1115e2b9e57165f7726559dd0585f01a438979d359fc57cf4bbc

Download Submit
C:\Windows\{B85CDBBC-57B0-4ea3-8692-CC5A3EE8AE0C}.exe

Filesize
408KB

MD5
72700b74823e052a4d6a7842df1ea904

SHA1
3ace9490fe01de0aba8413cd7a769f961b57a53f

SHA256
5e68198f3a6b68be68ddbd1c7da55febb6c9f2cec5cf44559b6f1d3d81802241

SHA512
b5dd5023672c045c5c6010a7a9ec5377898bfb1dbae3fa2f4fd299d309840a2f4ab215312b2ed728660dc4412dfc7f5e2d365983f59d21bcc0ee6d2e2dda6ab4

Download Submit
C:\Windows\{CEBB433F-509C-408e-B1BC-CCABB8D8699C}.exe

Filesize
408KB

MD5
5ffeab7535391955c0131fd36cd34951

SHA1
2f6191ea0e3e992960ea11c1c190cc154ba5fb8d

SHA256
6261bb7e235a3ffeeeafe9514047680c37616e7f0f69d927f7a3ac58da15bc83

SHA512
76938d5a87dad7a0429d8ea395ffa0ea9df5c8526bb2e13a7e69c99370551e4d7a7e2e7bb6990228633edb042848c690227e045eb9b0f835825719ebeaacc22c

Download Submit
C:\Windows\{DE49D894-6005-4fa8-8C6A-201F1CE35777}.exe

Filesize
408KB

MD5
ed24447132d75cdb34604c45e6455648

SHA1
a23100b797c9021aa074901ff2f27e26ad0049c2

SHA256
5e6ba758d0cb33bbcbba568606572242b97c1c21e922b908d85e379e77da4bcc

SHA512
566e91d5e46eb8a303d476dadd0ac0145657c8926d25cc2ef46396744242ec594f0373ea3589981a93ca660854fa80e621905205da4de5d8fb673bf2843941af

Download Submit
C:\Windows\{DE9AB4CD-387D-40bf-B9E5-90AA8586632A}.exe

Filesize
408KB

MD5
d089b5ae3779d640d71a75469e18df1e

SHA1
0117a35b8d706dcac3353e7d07174d71a50d8471

SHA256
4cfd5943a36c8577b941ed0bcde40e89ac23b0d40ccbf694eae57ed99f7a7cb2

SHA512
f8708c64980efe46579aa4f6d79b2e1bc9739eec3ec286b198de42358b3e4b1c4b8a802a9170fcadd823b452498ee10adda1940b52c666188a7806c7397d4888

Download Submit