e5e35e0c4409bc90ba9fdb7f4523d481a539a0d02a0d309879cc0c6ebd05f212

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe
Size

180KB
MD5

b747a306e5f7c0d21fe6467984d1d13e
SHA1

4ec9e3f1b797eceb5fbc3b438fde25f9f41f6f05
SHA256

e5e35e0c4409bc90ba9fdb7f4523d481a539a0d02a0d309879cc0c6ebd05f212
SHA512

cb58c3d2309ab437179d16bc04e62e57cd55bc93b8e6a4a07f88167489aba310bf8337682e45ab83cae26eb8f0dfef68db30ce68f3b8dafd3b4234839549fbb1
SSDEEP

3072:jEGh0oNlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG3l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

Processes:

resource	yara_rule
C:\Windows\{A45735AA-343D-4a79-B31F-774F4DA99769}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C8E8AD8B-FB53-45c2-9AC0-2AFEBD4A0D13}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe{A45735AA-343D-4a79-B31F-774F4DA99769}.exe2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}	{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{681C06C7-8EDC-4d74-A321-168B3E07FFEE}	{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}	{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}\stubpath = "C:\\Windows\\{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe"	{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}	{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2962C1E4-3400-4ed7-88D6-D660B60CD75A}	{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2962C1E4-3400-4ed7-88D6-D660B60CD75A}\stubpath = "C:\\Windows\\{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe"	{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10AE536-C183-43f1-864C-4EC2832E67B3}\stubpath = "C:\\Windows\\{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe"	{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C953679-3D34-4ca4-BB72-931456AF9A55}\stubpath = "C:\\Windows\\{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe"	{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BF55549-068A-4a13-8C27-CD9C8A3D4087}	{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}	{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{681C06C7-8EDC-4d74-A321-168B3E07FFEE}\stubpath = "C:\\Windows\\{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe"	{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8E8AD8B-FB53-45c2-9AC0-2AFEBD4A0D13}	{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8E8AD8B-FB53-45c2-9AC0-2AFEBD4A0D13}\stubpath = "C:\\Windows\\{C8E8AD8B-FB53-45c2-9AC0-2AFEBD4A0D13}.exe"	{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A24DDB99-C12D-4705-830E-037D4D5D2ACC}	{A45735AA-343D-4a79-B31F-774F4DA99769}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}\stubpath = "C:\\Windows\\{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe"	{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}\stubpath = "C:\\Windows\\{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe"	{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C953679-3D34-4ca4-BB72-931456AF9A55}	{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BF55549-068A-4a13-8C27-CD9C8A3D4087}\stubpath = "C:\\Windows\\{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe"	{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}\stubpath = "C:\\Windows\\{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe"	{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10AE536-C183-43f1-864C-4EC2832E67B3}	{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A45735AA-343D-4a79-B31F-774F4DA99769}	2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A45735AA-343D-4a79-B31F-774F4DA99769}\stubpath = "C:\\Windows\\{A45735AA-343D-4a79-B31F-774F4DA99769}.exe"	2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A24DDB99-C12D-4705-830E-037D4D5D2ACC}\stubpath = "C:\\Windows\\{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe"	{A45735AA-343D-4a79-B31F-774F4DA99769}.exe

Executes dropped EXE 12 IoCs

Processes:

{A45735AA-343D-4a79-B31F-774F4DA99769}.exe{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe{C8E8AD8B-FB53-45c2-9AC0-2AFEBD4A0D13}.exe

pid	process
3128	{A45735AA-343D-4a79-B31F-774F4DA99769}.exe
4612	{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe
2020	{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe
4392	{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe
4288	{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe
3032	{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe
656	{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe
3120	{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe
1304	{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe
3968	{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe
2092	{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe
240	{C8E8AD8B-FB53-45c2-9AC0-2AFEBD4A0D13}.exe

Drops file in Windows directory 12 IoCs

Processes:

2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe{A45735AA-343D-4a79-B31F-774F4DA99769}.exe{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe

description	ioc	process
File created	C:\Windows\{A45735AA-343D-4a79-B31F-774F4DA99769}.exe	2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe
File created	C:\Windows\{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe	{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe
File created	C:\Windows\{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe	{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe
File created	C:\Windows\{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe	{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe
File created	C:\Windows\{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe	{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe
File created	C:\Windows\{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe	{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe
File created	C:\Windows\{C8E8AD8B-FB53-45c2-9AC0-2AFEBD4A0D13}.exe	{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe
File created	C:\Windows\{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe	{A45735AA-343D-4a79-B31F-774F4DA99769}.exe
File created	C:\Windows\{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe	{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe
File created	C:\Windows\{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe	{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe
File created	C:\Windows\{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe	{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe
File created	C:\Windows\{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe	{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe{A45735AA-343D-4a79-B31F-774F4DA99769}.exe{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1584	2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3128	{A45735AA-343D-4a79-B31F-774F4DA99769}.exe
Token: SeIncBasePriorityPrivilege	4612	{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe
Token: SeIncBasePriorityPrivilege	2020	{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe
Token: SeIncBasePriorityPrivilege	4392	{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe
Token: SeIncBasePriorityPrivilege	4288	{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe
Token: SeIncBasePriorityPrivilege	3032	{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe
Token: SeIncBasePriorityPrivilege	656	{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe
Token: SeIncBasePriorityPrivilege	3120	{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe
Token: SeIncBasePriorityPrivilege	1304	{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe
Token: SeIncBasePriorityPrivilege	3968	{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe
Token: SeIncBasePriorityPrivilege	2092	{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1584 wrote to memory of 3128	1584	2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe	{A45735AA-343D-4a79-B31F-774F4DA99769}.exe
PID 1584 wrote to memory of 3128	1584	2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe	{A45735AA-343D-4a79-B31F-774F4DA99769}.exe
PID 1584 wrote to memory of 3128	1584	2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe	{A45735AA-343D-4a79-B31F-774F4DA99769}.exe
PID 1584 wrote to memory of 5036	1584	2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe	cmd.exe
PID 1584 wrote to memory of 5036	1584	2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe	cmd.exe
PID 1584 wrote to memory of 5036	1584	2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe	cmd.exe
PID 3128 wrote to memory of 4612	3128	{A45735AA-343D-4a79-B31F-774F4DA99769}.exe	{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe
PID 3128 wrote to memory of 4612	3128	{A45735AA-343D-4a79-B31F-774F4DA99769}.exe	{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe
PID 3128 wrote to memory of 4612	3128	{A45735AA-343D-4a79-B31F-774F4DA99769}.exe	{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe
PID 3128 wrote to memory of 2176	3128	{A45735AA-343D-4a79-B31F-774F4DA99769}.exe	cmd.exe
PID 3128 wrote to memory of 2176	3128	{A45735AA-343D-4a79-B31F-774F4DA99769}.exe	cmd.exe
PID 3128 wrote to memory of 2176	3128	{A45735AA-343D-4a79-B31F-774F4DA99769}.exe	cmd.exe
PID 4612 wrote to memory of 2020	4612	{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe	{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe
PID 4612 wrote to memory of 2020	4612	{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe	{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe
PID 4612 wrote to memory of 2020	4612	{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe	{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe
PID 4612 wrote to memory of 224	4612	{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe	cmd.exe
PID 4612 wrote to memory of 224	4612	{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe	cmd.exe
PID 4612 wrote to memory of 224	4612	{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe	cmd.exe
PID 2020 wrote to memory of 4392	2020	{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe	{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe
PID 2020 wrote to memory of 4392	2020	{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe	{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe
PID 2020 wrote to memory of 4392	2020	{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe	{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe
PID 2020 wrote to memory of 3028	2020	{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe	cmd.exe
PID 2020 wrote to memory of 3028	2020	{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe	cmd.exe
PID 2020 wrote to memory of 3028	2020	{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe	cmd.exe
PID 4392 wrote to memory of 4288	4392	{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe	{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe
PID 4392 wrote to memory of 4288	4392	{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe	{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe
PID 4392 wrote to memory of 4288	4392	{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe	{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe
PID 4392 wrote to memory of 3484	4392	{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe	cmd.exe
PID 4392 wrote to memory of 3484	4392	{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe	cmd.exe
PID 4392 wrote to memory of 3484	4392	{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe	cmd.exe
PID 4288 wrote to memory of 3032	4288	{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe	{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe
PID 4288 wrote to memory of 3032	4288	{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe	{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe
PID 4288 wrote to memory of 3032	4288	{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe	{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe
PID 4288 wrote to memory of 2180	4288	{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe	cmd.exe
PID 4288 wrote to memory of 2180	4288	{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe	cmd.exe
PID 4288 wrote to memory of 2180	4288	{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe	cmd.exe
PID 3032 wrote to memory of 656	3032	{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe	{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe
PID 3032 wrote to memory of 656	3032	{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe	{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe
PID 3032 wrote to memory of 656	3032	{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe	{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe
PID 3032 wrote to memory of 4824	3032	{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe	cmd.exe
PID 3032 wrote to memory of 4824	3032	{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe	cmd.exe
PID 3032 wrote to memory of 4824	3032	{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe	cmd.exe
PID 656 wrote to memory of 3120	656	{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe	{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe
PID 656 wrote to memory of 3120	656	{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe	{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe
PID 656 wrote to memory of 3120	656	{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe	{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe
PID 656 wrote to memory of 3560	656	{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe	cmd.exe
PID 656 wrote to memory of 3560	656	{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe	cmd.exe
PID 656 wrote to memory of 3560	656	{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe	cmd.exe
PID 3120 wrote to memory of 1304	3120	{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe	{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe
PID 3120 wrote to memory of 1304	3120	{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe	{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe
PID 3120 wrote to memory of 1304	3120	{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe	{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe
PID 3120 wrote to memory of 5036	3120	{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe	cmd.exe
PID 3120 wrote to memory of 5036	3120	{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe	cmd.exe
PID 3120 wrote to memory of 5036	3120	{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe	cmd.exe
PID 1304 wrote to memory of 3968	1304	{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe	{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe
PID 1304 wrote to memory of 3968	1304	{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe	{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe
PID 1304 wrote to memory of 3968	1304	{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe	{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe
PID 1304 wrote to memory of 2264	1304	{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe	cmd.exe
PID 1304 wrote to memory of 2264	1304	{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe	cmd.exe
PID 1304 wrote to memory of 2264	1304	{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe	cmd.exe
PID 3968 wrote to memory of 2092	3968	{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe	{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe
PID 3968 wrote to memory of 2092	3968	{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe	{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe
PID 3968 wrote to memory of 2092	3968	{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe	{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe
PID 3968 wrote to memory of 4340	3968	{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_b747a306e5f7c0d21fe6467984d1d13e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\{A45735AA-343D-4a79-B31F-774F4DA99769}.exe
C:\Windows\{A45735AA-343D-4a79-B31F-774F4DA99769}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe
C:\Windows\{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A24DD~1.EXE > nul
4⤵
PID:224

C:\Windows\{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe
C:\Windows\{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe
C:\Windows\{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe
C:\Windows\{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe
C:\Windows\{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe
C:\Windows\{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe
C:\Windows\{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe
C:\Windows\{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe
C:\Windows\{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe
C:\Windows\{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\{C8E8AD8B-FB53-45c2-9AC0-2AFEBD4A0D13}.exe
C:\Windows\{C8E8AD8B-FB53-45c2-9AC0-2AFEBD4A0D13}.exe
13⤵
- Executes dropped EXE
PID:240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D0500~1.EXE > nul
13⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{681C0~1.EXE > nul
12⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D10AE~1.EXE > nul
11⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2962C~1.EXE > nul
10⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AED0C~1.EXE > nul
9⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BDCF0~1.EXE > nul
8⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FD912~1.EXE > nul
7⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1BF55~1.EXE > nul
6⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3C953~1.EXE > nul
5⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A4573~1.EXE > nul
3⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1BF55549-068A-4a13-8C27-CD9C8A3D4087}.exe

Filesize
180KB

MD5
550366f2695ce6ccb4cf8815615e00d0

SHA1
e9ea85aea8303f2013532b14d75b4527a0708383

SHA256
0d63de363987ec899d2018ce6ddf55e9f4c6e8188b6ad8596cbeedf35277da63

SHA512
7e91e01d0bb1c5367b5316195fa1b33cbc24a823713e94290a090653e09a4ea1618250d30b7235ed27dcbc3814d68cc97107a31338e4f6c0643d73ca3b18d067

Download Submit
C:\Windows\{2962C1E4-3400-4ed7-88D6-D660B60CD75A}.exe

Filesize
180KB

MD5
19adb86aa14e89e618f7b5b782b6cf11

SHA1
5ec10c2991f3ad20100709c17e784bc6ef4a948b

SHA256
e193dda0c012d8519c232533b11aaa4291e3e7f9e6c7a6cc1c009d65bf4e3443

SHA512
e5f0d6e2df10c108b738311b129d173b76fd58a34ed6a2370b7813e8f5622e701d97c195f747125cea3cb030e39059bbe20f7aeb021cec32d2d12d654d6e0816

Download Submit
C:\Windows\{3C953679-3D34-4ca4-BB72-931456AF9A55}.exe

Filesize
180KB

MD5
ece0c0af5a4fad5ae23c64ee9f821e23

SHA1
694686f000a689b5f4f2944815e638d4907ecfa6

SHA256
2a047f38b1e940d80620b2c77e7de4112d89d4f4a94fbf22b1e2aab85ea2bbfa

SHA512
d37b73e5b7cedbba5d4800889c10a158afb2de7b2a83bb158a95a664ab5b3ae8cd434a4d120dc44a994ea2300e8f96779fd0a3e9eececf3c9672abcbfd498e67

Download Submit
C:\Windows\{681C06C7-8EDC-4d74-A321-168B3E07FFEE}.exe

Filesize
180KB

MD5
460f077bd30062eac9fc7cb9eabfb155

SHA1
981e3c8ab0320c56f43e14bd1b62d553ac06b92a

SHA256
19270c862776e041d4ec363a3e2e1d46746aa5564e4cb1e97e55ef3dc97d54cc

SHA512
cf390b09a9dc9c66cc66bb9ec87461db64002790fb22813fc3d9a0562ce0489e96f32474c4ef3bae36b4429d2f666d2ddc979d08dfea9abcf721fc78292339d2

Download Submit
C:\Windows\{A24DDB99-C12D-4705-830E-037D4D5D2ACC}.exe

Filesize
180KB

MD5
f5a6a267479947827edd6445d7893d97

SHA1
587be239dad8eb216c8fca3c1fead8ac134168dc

SHA256
31b95790c6a6064b6ab66dca32dcebf94f209ceca5e972319689fd2d55e10876

SHA512
46c2e6a7e771470db1c130ccd9e3b3b06f07153f1fd6827c36766468896f3b0f9612901a41b9cc315431de56fcb6e9e90b931b49bee70bf63d22665bf8d00dbb

Download Submit
C:\Windows\{A45735AA-343D-4a79-B31F-774F4DA99769}.exe

Filesize
180KB

MD5
d0f248ed02a91490ac55809f93c1d4a6

SHA1
14e4e2c694a1f25b4edd663535a084df80c66864

SHA256
aee8d9167b1150c7f9fe766776b1360714c70e615c970e7d612851495814e14c

SHA512
c007d8c5b07c8ad48bdae6d25feb984d5fa5dc4c4081882c7ccfcdb8dc8577c05e1dfeeda9fdc4d12de42b81afcb7e54aebb1c062e3ea355720f26f53b4ca13a

Download Submit
C:\Windows\{AED0C8AE-8B05-48d3-AFCC-DA82172CA3A7}.exe

Filesize
180KB

MD5
5e93c844a8e4238c5a32239222f6ad1b

SHA1
4829cc3dd73aa206f60669a87d297c0131fd2296

SHA256
2d217401945ce1cb9e2ee6162b5b293e405c91ac9527dcf5b721d0cb15841988

SHA512
0d84027e728bbdb4a70568cdc0d7290ee67d3ddb4f914b1365f73a9d3ba1d8266979ba050d6e7c9564a6967ef439b9c1a4269e64660eee23a8829753ccefacac

Download Submit
C:\Windows\{BDCF08D0-CC4D-46ba-A1BA-28EA177B6E64}.exe

Filesize
180KB

MD5
3f69ae837fecfaa7cee63fae063679dd

SHA1
4fe6b3cd2a39123e3be9a818ecc32fd17926dc68

SHA256
dca8602bfc4cff5cbd15b8513fbb89a87231257ef632691d9c87875c00f10f3c

SHA512
a6642b78e25cdf7eee4db8bcc1e64417b42311e2931311947ab2d39cc61578149fff0c6ae341e41c69dd809f9446f8abe492955e844e70d1797e3570c651b7b9

Download Submit
C:\Windows\{C8E8AD8B-FB53-45c2-9AC0-2AFEBD4A0D13}.exe

Filesize
180KB

MD5
0ce70568e007ecffc616dea9aecb8e23

SHA1
5a373dde182a41c08cea5c70088e964c6fd50a58

SHA256
77d26675990fceb89892a68fb4ff33f375d59caa8cbf1376a0017d385b5f9897

SHA512
72bd9cd087540c385a1a1059a22c4d3c1a9c2b293f2849a72e3ca1bead1cc9afdd3001d7f1e57a807e5aebc2902212311c2174b54eca9077631206790cb2c2c0

Download Submit
C:\Windows\{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe

Filesize
150KB

MD5
04c47c9266d1cd44f3fc0e85d992fa89

SHA1
1329add1c544ecb4e0036de9c2b73040da3b2c9b

SHA256
178a4261fe9f1ccc4fbd4d77cdb0d86ac56f343d7578917f70e587df41b9d3a1

SHA512
f776bf919cce00cb2f2447cf54450edbe13d9cf5247dc983d8b99c3d00ef5a30d25c73233411269024dbae5b03dc4634e76efbf3144d51e8a04abe1d45ac2a11

Download Submit
C:\Windows\{D0500DE6-2ADA-4de2-8E5D-E338A39C3CDB}.exe

Filesize
180KB

MD5
74bf8d961113751dc87fc0ce7fe9b251

SHA1
6e4abf09a57e7661c02e91be3478e2456f3e201a

SHA256
463f3873b640d6ceb36666e72ff6e6e156998b17084f9a56c428085f42bb390d

SHA512
570e191617b03d19c9617b307275f7848e639fca8d664e0ddb01a9b03168e3753796f5532f99b9be305e14889c88acbecb2aa28a2847ec1da4f7461bf782f0c2

Download Submit
C:\Windows\{D10AE536-C183-43f1-864C-4EC2832E67B3}.exe

Filesize
180KB

MD5
512858bb7e7f605f50653b2b49ff6968

SHA1
d1119bc803a69a981ede605a527fdb86bb47dcc3

SHA256
a53efb438f35d3c017939b99361f3800273f391b0718733c5fb5b9e049c5dbe7

SHA512
8725ad8ec2f8378ee3d665e799876e63a47c00a3ee6537483e89978cb3fcb6da781cc26d08902ac4db9b5a857f57a2680f2dc9e5d0c053d3cbc8da10510ff04d

Download Submit
C:\Windows\{FD912B5D-63EF-4644-9EA6-ADEAF805DA51}.exe

Filesize
180KB

MD5
b4c6eec9fdbfb62b0e791742966b7424

SHA1
34bbf4ff8f5687daf283dd092b0f00bac4603c2a

SHA256
a7b1876af6e7594e91d8b3c183e77903949a7c2e82d393fdf5ffc04bd746ca66

SHA512
0a0a883077d17970f610d12fc4fd90891400ab3d0fd92a59c131b256f424671e8f7344d9df1fac3d59337d61f11bc9f1f7ed8ad740ea548ff0fd92cb56b14bbc

Download Submit