2fc1b2743122d4c5cc8542c14d7e8b17f1c632e2cd22bd35781233c155916ea3

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe
Size

372KB
MD5

d0997838fd72074f7ed585691d3f044a
SHA1

3876e1c3a868146add295d5e6a7166237fe00195
SHA256

2fc1b2743122d4c5cc8542c14d7e8b17f1c632e2cd22bd35781233c155916ea3
SHA512

19dc8272ee0abc14459735ce9a0d03302d1f618ab820df9843b2f7f23926ddfeb3c818db2042b0ef6c85061096998e68821472de85e006c86fcc418117d32314
SSDEEP

3072:CEGh0oKmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGJl/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{417E99AF-9E05-441e-970D-FE4457E6109A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C95B61BC-C6A4-484a-9C9A-1C30214FD029}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{84A48414-EB7A-4df0-9EEA-8663B17C7D9C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe{417E99AF-9E05-441e-970D-FE4457E6109A}.exe{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}.exe{C95B61BC-C6A4-484a-9C9A-1C30214FD029}.exe{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E5495C2-D138-4591-9E4C-02818EA8122E}\stubpath = "C:\\Windows\\{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe"	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D6272BC-AD33-4598-B0ED-D3C9143366A3}\stubpath = "C:\\Windows\\{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe"	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD12D565-FD8F-44c9-98C1-944F4749344D}\stubpath = "C:\\Windows\\{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe"	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}\stubpath = "C:\\Windows\\{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}.exe"	{417E99AF-9E05-441e-970D-FE4457E6109A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C95B61BC-C6A4-484a-9C9A-1C30214FD029}	{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84A48414-EB7A-4df0-9EEA-8663B17C7D9C}	{C95B61BC-C6A4-484a-9C9A-1C30214FD029}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E5495C2-D138-4591-9E4C-02818EA8122E}	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD12D565-FD8F-44c9-98C1-944F4749344D}	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}\stubpath = "C:\\Windows\\{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe"	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{417E99AF-9E05-441e-970D-FE4457E6109A}	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84A48414-EB7A-4df0-9EEA-8663B17C7D9C}\stubpath = "C:\\Windows\\{84A48414-EB7A-4df0-9EEA-8663B17C7D9C}.exe"	{C95B61BC-C6A4-484a-9C9A-1C30214FD029}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{417E99AF-9E05-441e-970D-FE4457E6109A}\stubpath = "C:\\Windows\\{417E99AF-9E05-441e-970D-FE4457E6109A}.exe"	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}	{417E99AF-9E05-441e-970D-FE4457E6109A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C95B61BC-C6A4-484a-9C9A-1C30214FD029}\stubpath = "C:\\Windows\\{C95B61BC-C6A4-484a-9C9A-1C30214FD029}.exe"	{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCC25552-98B4-4c27-B25F-D43C805E8967}\stubpath = "C:\\Windows\\{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe"	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}\stubpath = "C:\\Windows\\{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe"	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCC25552-98B4-4c27-B25F-D43C805E8967}	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D6272BC-AD33-4598-B0ED-D3C9143366A3}	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}\stubpath = "C:\\Windows\\{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe"	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2768 cmd.exe

pid	process
2768	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe{417E99AF-9E05-441e-970D-FE4457E6109A}.exe{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}.exe{C95B61BC-C6A4-484a-9C9A-1C30214FD029}.exe{84A48414-EB7A-4df0-9EEA-8663B17C7D9C}.exe

pid	process
2096	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe
2240	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe
2612	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe
1352	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe
3004	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe
1492	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe
3016	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe
1176	{417E99AF-9E05-441e-970D-FE4457E6109A}.exe
1940	{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}.exe
792	{C95B61BC-C6A4-484a-9C9A-1C30214FD029}.exe
3012	{84A48414-EB7A-4df0-9EEA-8663B17C7D9C}.exe

Drops file in Windows directory 11 IoCs

Processes:

{C95B61BC-C6A4-484a-9C9A-1C30214FD029}.exe2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe{417E99AF-9E05-441e-970D-FE4457E6109A}.exe{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}.exe{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe

description	ioc	process
File created	C:\Windows\{84A48414-EB7A-4df0-9EEA-8663B17C7D9C}.exe	{C95B61BC-C6A4-484a-9C9A-1C30214FD029}.exe
File created	C:\Windows\{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe
File created	C:\Windows\{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe
File created	C:\Windows\{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe
File created	C:\Windows\{417E99AF-9E05-441e-970D-FE4457E6109A}.exe	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe
File created	C:\Windows\{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}.exe	{417E99AF-9E05-441e-970D-FE4457E6109A}.exe
File created	C:\Windows\{C95B61BC-C6A4-484a-9C9A-1C30214FD029}.exe	{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}.exe
File created	C:\Windows\{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe
File created	C:\Windows\{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe
File created	C:\Windows\{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe
File created	C:\Windows\{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe{417E99AF-9E05-441e-970D-FE4457E6109A}.exe{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}.exe{C95B61BC-C6A4-484a-9C9A-1C30214FD029}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2808	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2096	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe
Token: SeIncBasePriorityPrivilege	2240	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe
Token: SeIncBasePriorityPrivilege	2612	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe
Token: SeIncBasePriorityPrivilege	1352	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe
Token: SeIncBasePriorityPrivilege	3004	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe
Token: SeIncBasePriorityPrivilege	1492	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe
Token: SeIncBasePriorityPrivilege	3016	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe
Token: SeIncBasePriorityPrivilege	1176	{417E99AF-9E05-441e-970D-FE4457E6109A}.exe
Token: SeIncBasePriorityPrivilege	1940	{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}.exe
Token: SeIncBasePriorityPrivilege	792	{C95B61BC-C6A4-484a-9C9A-1C30214FD029}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2808 wrote to memory of 2096	2808	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe
PID 2808 wrote to memory of 2096	2808	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe
PID 2808 wrote to memory of 2096	2808	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe
PID 2808 wrote to memory of 2096	2808	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe
PID 2808 wrote to memory of 2768	2808	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe	cmd.exe
PID 2808 wrote to memory of 2768	2808	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe	cmd.exe
PID 2808 wrote to memory of 2768	2808	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe	cmd.exe
PID 2808 wrote to memory of 2768	2808	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe	cmd.exe
PID 2096 wrote to memory of 2240	2096	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe
PID 2096 wrote to memory of 2240	2096	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe
PID 2096 wrote to memory of 2240	2096	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe
PID 2096 wrote to memory of 2240	2096	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe
PID 2096 wrote to memory of 2244	2096	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe	cmd.exe
PID 2096 wrote to memory of 2244	2096	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe	cmd.exe
PID 2096 wrote to memory of 2244	2096	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe	cmd.exe
PID 2096 wrote to memory of 2244	2096	{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe	cmd.exe
PID 2240 wrote to memory of 2612	2240	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe
PID 2240 wrote to memory of 2612	2240	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe
PID 2240 wrote to memory of 2612	2240	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe
PID 2240 wrote to memory of 2612	2240	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe
PID 2240 wrote to memory of 2564	2240	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe	cmd.exe
PID 2240 wrote to memory of 2564	2240	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe	cmd.exe
PID 2240 wrote to memory of 2564	2240	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe	cmd.exe
PID 2240 wrote to memory of 2564	2240	{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe	cmd.exe
PID 2612 wrote to memory of 1352	2612	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe
PID 2612 wrote to memory of 1352	2612	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe
PID 2612 wrote to memory of 1352	2612	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe
PID 2612 wrote to memory of 1352	2612	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe
PID 2612 wrote to memory of 2844	2612	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe	cmd.exe
PID 2612 wrote to memory of 2844	2612	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe	cmd.exe
PID 2612 wrote to memory of 2844	2612	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe	cmd.exe
PID 2612 wrote to memory of 2844	2612	{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe	cmd.exe
PID 1352 wrote to memory of 3004	1352	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe
PID 1352 wrote to memory of 3004	1352	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe
PID 1352 wrote to memory of 3004	1352	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe
PID 1352 wrote to memory of 3004	1352	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe
PID 1352 wrote to memory of 1476	1352	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe	cmd.exe
PID 1352 wrote to memory of 1476	1352	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe	cmd.exe
PID 1352 wrote to memory of 1476	1352	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe	cmd.exe
PID 1352 wrote to memory of 1476	1352	{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe	cmd.exe
PID 3004 wrote to memory of 1492	3004	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe
PID 3004 wrote to memory of 1492	3004	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe
PID 3004 wrote to memory of 1492	3004	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe
PID 3004 wrote to memory of 1492	3004	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe
PID 3004 wrote to memory of 1588	3004	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe	cmd.exe
PID 3004 wrote to memory of 1588	3004	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe	cmd.exe
PID 3004 wrote to memory of 1588	3004	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe	cmd.exe
PID 3004 wrote to memory of 1588	3004	{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe	cmd.exe
PID 1492 wrote to memory of 3016	1492	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe
PID 1492 wrote to memory of 3016	1492	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe
PID 1492 wrote to memory of 3016	1492	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe
PID 1492 wrote to memory of 3016	1492	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe
PID 1492 wrote to memory of 1364	1492	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe	cmd.exe
PID 1492 wrote to memory of 1364	1492	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe	cmd.exe
PID 1492 wrote to memory of 1364	1492	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe	cmd.exe
PID 1492 wrote to memory of 1364	1492	{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe	cmd.exe
PID 3016 wrote to memory of 1176	3016	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe	{417E99AF-9E05-441e-970D-FE4457E6109A}.exe
PID 3016 wrote to memory of 1176	3016	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe	{417E99AF-9E05-441e-970D-FE4457E6109A}.exe
PID 3016 wrote to memory of 1176	3016	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe	{417E99AF-9E05-441e-970D-FE4457E6109A}.exe
PID 3016 wrote to memory of 1176	3016	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe	{417E99AF-9E05-441e-970D-FE4457E6109A}.exe
PID 3016 wrote to memory of 1684	3016	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe	cmd.exe
PID 3016 wrote to memory of 1684	3016	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe	cmd.exe
PID 3016 wrote to memory of 1684	3016	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe	cmd.exe
PID 3016 wrote to memory of 1684	3016	{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe
C:\Windows\{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe
C:\Windows\{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe
C:\Windows\{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe
C:\Windows\{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BCC25~1.EXE > nul
6⤵
PID:1476

C:\Windows\{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe
C:\Windows\{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9D627~1.EXE > nul
7⤵
PID:1588

C:\Windows\{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe
C:\Windows\{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe
C:\Windows\{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\{417E99AF-9E05-441e-970D-FE4457E6109A}.exe
C:\Windows\{417E99AF-9E05-441e-970D-FE4457E6109A}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}.exe
C:\Windows\{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\{C95B61BC-C6A4-484a-9C9A-1C30214FD029}.exe
C:\Windows\{C95B61BC-C6A4-484a-9C9A-1C30214FD029}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\{84A48414-EB7A-4df0-9EEA-8663B17C7D9C}.exe
C:\Windows\{84A48414-EB7A-4df0-9EEA-8663B17C7D9C}.exe
12⤵
- Executes dropped EXE
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C95B6~1.EXE > nul
12⤵
PID:824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{49C5F~1.EXE > nul
11⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{417E9~1.EXE > nul
10⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{31B3F~1.EXE > nul
9⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FD12D~1.EXE > nul
8⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8E549~1.EXE > nul
5⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B9B52~1.EXE > nul
4⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0C9D8~1.EXE > nul
3⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C9D8E17-1E9C-42ad-A772-1AD920406CDA}.exe

Filesize
372KB

MD5
669f608722d2d494bc33a5ca02c0ebc1

SHA1
483ed153b67c34648ce248041af65f13d2b0bab3

SHA256
9d80054bb02d9c2f87bc400e56e0913385656e9c49a509365399d478cc41f69f

SHA512
1fd01ea2b3f8fe22bcb9714919fd0eac18ce468810aa6038781f8bf43e3fc7e48eff45a02125d62adf02be6c3958a64f9366153dd50def2649e6ae923a733c64

Download Submit
C:\Windows\{31B3FC22-F91D-4c04-94F2-AC15CE183AA5}.exe

Filesize
372KB

MD5
beb4f68c25293b9a51bb719c62e5f910

SHA1
714e3e98783778fccec15b665d865f70342d5ed2

SHA256
e8518ee6c3e942397217db22300cf42a15f41936d7c433ca8e2f1b1de2679686

SHA512
b58c071e9be26e700f82ee847678237658dcb8769939333197d2ec950a9b6358710a3d23dd31b016a6991c571f269e381cb85a9533eaa50719aedaa919c8eb22

Download Submit
C:\Windows\{417E99AF-9E05-441e-970D-FE4457E6109A}.exe

Filesize
372KB

MD5
3cc0182a0a948a05ba1952e4bac3af83

SHA1
24d737f4a15b4b311ebc2551f697985b01ad9342

SHA256
f8291b993858fcd25ed630e643342dc008534f9e7e1ecbaddb00c5acd34efe2e

SHA512
fba645257ffbea661286b85bb19fae48d928f2878d4c4005f21417de15681142f6aa409059e690c371a37ccf0c72e0510141000174dfaf6f887833a5fa0462a4

Download Submit
C:\Windows\{49C5F27F-7E8D-4364-B6A9-35D5DDC9596A}.exe

Filesize
372KB

MD5
7743887afc35b532779722dbef1b0bf8

SHA1
8c89c36b602bfbfb94ad0d738cc9e1c76cb322f0

SHA256
880ecb54925a0be370fbfb3ba4fec2f1645eb5b393fd1ae17a3e2404c5d57f99

SHA512
78b42b0baa57796b68218597fc3826930423f339627fe0fa09d65607fb45f63ead8b2596ed76dcea44bffb4fe6724c890e81ae301f0c73a561572a4c43107a5c

Download Submit
C:\Windows\{84A48414-EB7A-4df0-9EEA-8663B17C7D9C}.exe

Filesize
372KB

MD5
4bf7af13b28e309793fd43f744f1a36d

SHA1
44d940bbf9b7f9b3985de4f105d6d93eef38c603

SHA256
ae116fef20b99b37527d547c825993cc99fc06a8fce76c48ee809823d7fcc141

SHA512
8c02fdda0a562bab2b9739b571fd09bb8715d8e448efb006c8b0b3842b2939f5cebbd359b9c164d46909598341a281018b1747212d4d56d322035c70820f32c9

Download Submit
C:\Windows\{8E5495C2-D138-4591-9E4C-02818EA8122E}.exe

Filesize
372KB

MD5
82d82485ea8faa4451d3610e3336dea6

SHA1
17a3d30b16c70a97244bc5eb21581905d58ec5ec

SHA256
d430ef7a1edcb915ee0445113bb59e6574e3645a4c20232a9317154836c414c1

SHA512
f8783693b7bf4a9ba1a93ccd375fc7647e27ead129e8789d59bac6e9785a054a2b8fe63ed2f1e4fbe02feebd73fea769dcba025954b0b53bcd0165ab11e458fd

Download Submit
C:\Windows\{9D6272BC-AD33-4598-B0ED-D3C9143366A3}.exe

Filesize
372KB

MD5
ef0f9c4b2e67b49c289aebf8e788cc32

SHA1
b4601fd38d3aeec9d70462d652ad2a7c5771ff3e

SHA256
889dac9a13c2d9c4882c04a9b1d2ada99aafb6202631513b27760bb2db466ad6

SHA512
d1c5d4d11d7f10058d53a8c2088fdecfe8202fc916706f8c708e55cadfd5bc361c6e54580044bf49b0ca631d829a441cfba16abe5c8c9b1a7d4472c4d37e049b

Download Submit
C:\Windows\{B9B52C5B-61D0-4ae6-BE0E-3E4C7F382786}.exe

Filesize
372KB

MD5
b5dd863b338e9bce4ef4315c07c8593d

SHA1
a2ac3422b2776745aee66b03e3dbe6aa1f42c75c

SHA256
45627b7ae1dd4417797b4675717acfbb0a16c078e1db0c571f84118709412604

SHA512
9e795cc42348e271f755dd27565efcf398a84e6aa46613257df8c84771463255f65d843bddcae5816c01098e8276cf0a90487dd55cdd18c722feee5387e7998a

Download Submit
C:\Windows\{BCC25552-98B4-4c27-B25F-D43C805E8967}.exe

Filesize
372KB

MD5
6c6071ab634f4d71558af9f3d7056462

SHA1
b7c861883c06da50af5da149035b2fa196877caa

SHA256
e6100ba084b9c9e4a2ff9fb8ea94d1c7ccffb5b76bd5a129c37a8741e0956f5c

SHA512
99677823b29f149276afaeb83ae827db3ce3c1a1da9f0230322ba15ef25092e8f40adc070834c79f69198c644eebea12383c396ba37b50ede494a9c6ac59d1ec

Download Submit
C:\Windows\{C95B61BC-C6A4-484a-9C9A-1C30214FD029}.exe

Filesize
372KB

MD5
dd09b23990c03f25a3c14852678e03f7

SHA1
959fb590336c0c36f8312a1fc86f4b2750a99fad

SHA256
93b219168239dfca1227d097a154e45dc0afe663787d9d57d30f293f2d4e419e

SHA512
7a9e6a180ddaca9a71d399fbb70d889ae55e8df9f0d8e2bd0790536e28c6878c9ce43db232526abb133c9a594ebe086e56d06df23376571d713629703b8035ab

Download Submit
C:\Windows\{FD12D565-FD8F-44c9-98C1-944F4749344D}.exe

Filesize
372KB

MD5
3b80b11a9f1de3a0ba05375e578c6317

SHA1
45400af376db272b17028e55973fcbbc00426be0

SHA256
bfb2a2d8367f22ad2b95c6dce19de4e2b59b5147942f1cc4bc0bba4ae23e51d4

SHA512
8061582e60ffb49e2c5b0a4f7649a2bd82be183d3d07d2f61d383b5b088f1e7dea4cf049b019627bbe1ca17b4ecde0a9703ba93dd06bf6b500ca0fdc7c28e92e

Download Submit