2fc1b2743122d4c5cc8542c14d7e8b17f1c632e2cd22bd35781233c155916ea3

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe
Size

372KB
MD5

d0997838fd72074f7ed585691d3f044a
SHA1

3876e1c3a868146add295d5e6a7166237fe00195
SHA256

2fc1b2743122d4c5cc8542c14d7e8b17f1c632e2cd22bd35781233c155916ea3
SHA512

19dc8272ee0abc14459735ce9a0d03302d1f618ab820df9843b2f7f23926ddfeb3c818db2042b0ef6c85061096998e68821472de85e006c86fcc418117d32314
SSDEEP

3072:CEGh0oKmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGJl/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

Processes:

resource	yara_rule
C:\Windows\{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2838833A-9684-400f-AD76-AC658AE80F55}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}	{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}	{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}\stubpath = "C:\\Windows\\{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe"	{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}	{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2838833A-9684-400f-AD76-AC658AE80F55}	{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2838833A-9684-400f-AD76-AC658AE80F55}\stubpath = "C:\\Windows\\{2838833A-9684-400f-AD76-AC658AE80F55}.exe"	{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}\stubpath = "C:\\Windows\\{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe"	{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D7E8669-98BA-4805-9946-D559F4A8B1E1}	{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{235CCFA5-5084-4ca8-84FD-1F2AC1120641}	{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}\stubpath = "C:\\Windows\\{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe"	{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}\stubpath = "C:\\Windows\\{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe"	{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}	{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D7E8669-98BA-4805-9946-D559F4A8B1E1}\stubpath = "C:\\Windows\\{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe"	{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}	{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}	{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}\stubpath = "C:\\Windows\\{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe"	{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}	{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}\stubpath = "C:\\Windows\\{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe"	{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}\stubpath = "C:\\Windows\\{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe"	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}\stubpath = "C:\\Windows\\{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe"	{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{235CCFA5-5084-4ca8-84FD-1F2AC1120641}\stubpath = "C:\\Windows\\{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe"	{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}\stubpath = "C:\\Windows\\{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe"	{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}	{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe

Executes dropped EXE 12 IoCs

Processes:

{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe{2838833A-9684-400f-AD76-AC658AE80F55}.exe

pid	process
1156	{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe
2552	{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe
3560	{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe
4116	{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe
1544	{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe
4580	{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe
1516	{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe
4380	{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe
4352	{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe
4536	{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe
2764	{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe
1764	{2838833A-9684-400f-AD76-AC658AE80F55}.exe

Drops file in Windows directory 12 IoCs

Processes:

{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe

description	ioc	process
File created	C:\Windows\{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe	{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe
File created	C:\Windows\{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe	{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe
File created	C:\Windows\{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe	{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe
File created	C:\Windows\{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe	{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe
File created	C:\Windows\{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe	{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe
File created	C:\Windows\{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe	{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe
File created	C:\Windows\{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe	{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe
File created	C:\Windows\{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe	{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe
File created	C:\Windows\{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe	{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe
File created	C:\Windows\{2838833A-9684-400f-AD76-AC658AE80F55}.exe	{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe
File created	C:\Windows\{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe
File created	C:\Windows\{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe	{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4844	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1156	{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe
Token: SeIncBasePriorityPrivilege	2552	{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe
Token: SeIncBasePriorityPrivilege	3560	{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe
Token: SeIncBasePriorityPrivilege	4116	{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe
Token: SeIncBasePriorityPrivilege	1544	{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe
Token: SeIncBasePriorityPrivilege	4580	{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe
Token: SeIncBasePriorityPrivilege	1516	{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe
Token: SeIncBasePriorityPrivilege	4380	{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe
Token: SeIncBasePriorityPrivilege	4352	{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe
Token: SeIncBasePriorityPrivilege	4536	{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe
Token: SeIncBasePriorityPrivilege	2764	{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4844 wrote to memory of 1156	4844	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe	{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe
PID 4844 wrote to memory of 1156	4844	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe	{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe
PID 4844 wrote to memory of 1156	4844	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe	{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe
PID 4844 wrote to memory of 2876	4844	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe	cmd.exe
PID 4844 wrote to memory of 2876	4844	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe	cmd.exe
PID 4844 wrote to memory of 2876	4844	2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe	cmd.exe
PID 1156 wrote to memory of 2552	1156	{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe	{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe
PID 1156 wrote to memory of 2552	1156	{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe	{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe
PID 1156 wrote to memory of 2552	1156	{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe	{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe
PID 1156 wrote to memory of 1580	1156	{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe	cmd.exe
PID 1156 wrote to memory of 1580	1156	{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe	cmd.exe
PID 1156 wrote to memory of 1580	1156	{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe	cmd.exe
PID 2552 wrote to memory of 3560	2552	{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe	{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe
PID 2552 wrote to memory of 3560	2552	{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe	{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe
PID 2552 wrote to memory of 3560	2552	{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe	{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe
PID 2552 wrote to memory of 2708	2552	{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe	cmd.exe
PID 2552 wrote to memory of 2708	2552	{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe	cmd.exe
PID 2552 wrote to memory of 2708	2552	{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe	cmd.exe
PID 3560 wrote to memory of 4116	3560	{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe	{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe
PID 3560 wrote to memory of 4116	3560	{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe	{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe
PID 3560 wrote to memory of 4116	3560	{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe	{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe
PID 3560 wrote to memory of 4604	3560	{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe	cmd.exe
PID 3560 wrote to memory of 4604	3560	{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe	cmd.exe
PID 3560 wrote to memory of 4604	3560	{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe	cmd.exe
PID 4116 wrote to memory of 1544	4116	{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe	{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe
PID 4116 wrote to memory of 1544	4116	{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe	{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe
PID 4116 wrote to memory of 1544	4116	{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe	{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe
PID 4116 wrote to memory of 3556	4116	{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe	cmd.exe
PID 4116 wrote to memory of 3556	4116	{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe	cmd.exe
PID 4116 wrote to memory of 3556	4116	{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe	cmd.exe
PID 1544 wrote to memory of 4580	1544	{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe	{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe
PID 1544 wrote to memory of 4580	1544	{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe	{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe
PID 1544 wrote to memory of 4580	1544	{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe	{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe
PID 1544 wrote to memory of 4652	1544	{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe	cmd.exe
PID 1544 wrote to memory of 4652	1544	{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe	cmd.exe
PID 1544 wrote to memory of 4652	1544	{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe	cmd.exe
PID 4580 wrote to memory of 1516	4580	{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe	{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe
PID 4580 wrote to memory of 1516	4580	{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe	{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe
PID 4580 wrote to memory of 1516	4580	{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe	{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe
PID 4580 wrote to memory of 516	4580	{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe	cmd.exe
PID 4580 wrote to memory of 516	4580	{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe	cmd.exe
PID 4580 wrote to memory of 516	4580	{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe	cmd.exe
PID 1516 wrote to memory of 4380	1516	{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe	{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe
PID 1516 wrote to memory of 4380	1516	{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe	{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe
PID 1516 wrote to memory of 4380	1516	{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe	{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe
PID 1516 wrote to memory of 4784	1516	{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe	cmd.exe
PID 1516 wrote to memory of 4784	1516	{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe	cmd.exe
PID 1516 wrote to memory of 4784	1516	{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe	cmd.exe
PID 4380 wrote to memory of 4352	4380	{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe	{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe
PID 4380 wrote to memory of 4352	4380	{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe	{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe
PID 4380 wrote to memory of 4352	4380	{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe	{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe
PID 4380 wrote to memory of 1508	4380	{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe	cmd.exe
PID 4380 wrote to memory of 1508	4380	{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe	cmd.exe
PID 4380 wrote to memory of 1508	4380	{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe	cmd.exe
PID 4352 wrote to memory of 4536	4352	{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe	{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe
PID 4352 wrote to memory of 4536	4352	{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe	{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe
PID 4352 wrote to memory of 4536	4352	{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe	{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe
PID 4352 wrote to memory of 4620	4352	{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe	cmd.exe
PID 4352 wrote to memory of 4620	4352	{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe	cmd.exe
PID 4352 wrote to memory of 4620	4352	{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe	cmd.exe
PID 4536 wrote to memory of 2764	4536	{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe	{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe
PID 4536 wrote to memory of 2764	4536	{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe	{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe
PID 4536 wrote to memory of 2764	4536	{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe	{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe
PID 4536 wrote to memory of 4748	4536	{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_d0997838fd72074f7ed585691d3f044a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe
C:\Windows\{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe
C:\Windows\{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe
C:\Windows\{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe
C:\Windows\{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe
C:\Windows\{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe
C:\Windows\{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe
C:\Windows\{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe
C:\Windows\{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe
C:\Windows\{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe
C:\Windows\{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe
C:\Windows\{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\{2838833A-9684-400f-AD76-AC658AE80F55}.exe
C:\Windows\{2838833A-9684-400f-AD76-AC658AE80F55}.exe
13⤵
- Executes dropped EXE
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A72CB~1.EXE > nul
13⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0BDEA~1.EXE > nul
12⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5A8F7~1.EXE > nul
11⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{02FD0~1.EXE > nul
10⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CCF3F~1.EXE > nul
9⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{235CC~1.EXE > nul
8⤵
PID:516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{42FCE~1.EXE > nul
7⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2D7E8~1.EXE > nul
6⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{14CD6~1.EXE > nul
5⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FA14E~1.EXE > nul
4⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{45BE1~1.EXE > nul
3⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02FD08EA-F3B9-4897-86EC-860B4F4B6F80}.exe

Filesize
372KB

MD5
89c7b08cb946dc5df5658a85c7c0f9a7

SHA1
5c304d0ad0d18cfec89a289639ce5513232d4dfa

SHA256
d24d703beb6503d429cb076b4a7c41949fe15c88a78dc25ebe5de195e5bf488a

SHA512
ec794286f8159c6a9e1ce62f77211a1511ef8f994b546f1553a616c4d207c61728640bf212d6e484114a36dda030af6f05947d5ac50d63de6b1c8938919225a4

Download Submit
C:\Windows\{0BDEA4F7-FB63-4fff-A7B2-C855A299AF85}.exe

Filesize
372KB

MD5
3089383be8aace52e0cdb836b27f82f7

SHA1
1c904ce6db34cdc83df468ff9df2ad65089b7a03

SHA256
b6f6a877318f1162747afd0a879dfcd9629825b3b8c94f1084a7f9d794f37c8d

SHA512
cf298ddd4d05ad5f514e9963e6ec5eba3df15b190f751a94311fb29dee23b06af050e97a113e55420eaeef00d2e916d557a8d62c289be5f9622f18fb7217a951

Download Submit
C:\Windows\{14CD6959-BCC6-43ad-AFE8-B3D4287B419F}.exe

Filesize
372KB

MD5
6dff744771dd2cee00b2e187a9b5f68c

SHA1
36727d2c316eb8f5290ba0b040c3c5ab34bd1806

SHA256
3e905bede5c44b679c196ac79221aedf22c8467d035afcc0f5dfcae99ce2d098

SHA512
eb96ffe94007586f31b47aae4ecac76cdfcd901cf7f34b61633b4165e8886f3e969176caea7fa0b622eb6aef475204eb587f5790d868d44422b79d89872ab3a2

Download Submit
C:\Windows\{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe

Filesize
8KB

MD5
01c08fca73c93e39b0da970f14900346

SHA1
e7c42b67312c392606e292cd31a81f3b69bdbdc4

SHA256
ad95287f7eb68a877b26fa8f288288ddffa51ef2ba6926037b424bee35bdf7b4

SHA512
dc04ba982d592e30ee1c870a34a99e537e7957e301ba37aee99e20bd61e89dbdfded0a9b31ff27f137feb47f29e6304e26e1fefac8b52f9df3829a05e97700f8

Download Submit
C:\Windows\{235CCFA5-5084-4ca8-84FD-1F2AC1120641}.exe

Filesize
372KB

MD5
2af1348efc479a14c2908895576e2db4

SHA1
f7e1e4f9e3f8c211c0c38f009d87ac3718645410

SHA256
30a349c42ccea4c751e94f2d64a742cbdbc3301c81306262f9aa7261b8262d9b

SHA512
a6693814f2157f9c666a6d26cd7e06e67ab0ac2e0b9e5266de7210ae89f2145de9489afb582aa98dcb09c5a94578203ef9755c4cfee02ea6b4647eb41fa6fe70

Download Submit
C:\Windows\{2838833A-9684-400f-AD76-AC658AE80F55}.exe

Filesize
372KB

MD5
553ec6c633b701f38090a0fb6ec8ca38

SHA1
c86e0e7cfade3c40503b283759035b9e01a85078

SHA256
07cddda86181688186b5e0f5aef51df88fe55c109aa489012a45266b3ac46b60

SHA512
ca19e50f2f8f0ff2d70c996cf3dc49f4f43026fc62db723e34ed7a5cf6979d0ac2dd9423c706322e10587d034117a6bd17a55c5d4f7098d103f71d9988481264

Download Submit
C:\Windows\{2D7E8669-98BA-4805-9946-D559F4A8B1E1}.exe

Filesize
372KB

MD5
a20c8e125b28b23e3e4d8542c4dff747

SHA1
5f3ad0bafd37c841d5dacbfc3d7aff19c1e1fdd4

SHA256
19dba02325c186b8d92bcda0e4d6e40a6b9bb52b0d99ebfb955cf3321c78ca34

SHA512
3c290c370b99d2462b31ecaa7cd7d229144294102d5d791302e70dc544d25e60c2d8550e09851ab38d3553d9f0bd859e5d3f827da8bfa261531b70bde993d560

Download Submit
C:\Windows\{42FCE186-B34A-4ab9-AEA5-2E5B2469B32C}.exe

Filesize
372KB

MD5
75b36b62fe7203af5c1902092dec8c6f

SHA1
409f8200bf3a4152462f4a7969ede1e1fda3dd80

SHA256
f05d19aac000456a0f76ac009018d6dde37fcb42e75cfc3585361a5e703f22e5

SHA512
aa5369660844d6515a7b4a725d887d18bb28f47656feb9b59f9d48f351db297e90f61a9694dfbcfd56e9e2779e56e61f67fd7fefb443c7c2121c6ee828b11157

Download Submit
C:\Windows\{45BE1E89-85AB-40ca-AFF4-DB60E9D130CD}.exe

Filesize
372KB

MD5
5c9ea2b74af44f8b59bb0b4bfecd1c43

SHA1
9bd083f6e36250159739e470143819be77d14f16

SHA256
8576a4803be1b32e776ce045ddea8b80414a31c793f9d028990d34ce3036f8e8

SHA512
80564728b2317f41df869c6a830c6fc0843ef577f8d37c491c4e0ea6b3016b3166d4ed210b036ef3c84f3a71cce916dfbe1ffc8e696644492fecf3070fa9ffdc

Download Submit
C:\Windows\{5A8F7DB7-2E32-41c2-B94A-A32BA9B53201}.exe

Filesize
372KB

MD5
19f9a84d77ae0e4389319a0196c1856f

SHA1
e587e44e2852e8a2912916400fed038c02e1dac5

SHA256
90c6b69c835974b7c8230818e81d56975b2dc14606f6288472141184aacf34b7

SHA512
77b96212d7d152e6004e2ba5394e2b380128e806181d3ec5caeac7830cbbe1f454eafde4e248fb6b7a58de1fba01721947e8d1e2f80ffe7460c797d96bcdfaab

Download Submit
C:\Windows\{A72CBBD1-C972-4e3a-A8A0-6450E37C878D}.exe

Filesize
372KB

MD5
ad94d2703033d6ba024cad913d23f920

SHA1
f88feeb426e9f164f9e61bcf6470279b5a3c03c5

SHA256
fb5ff0fb5b26f8370413d8ce540840da2bba20275b98b339f6ad53f4b2114b21

SHA512
b760e5520d6f0314e32ec409cb686a04706b68fc717f1c2c696a86e81eb19db76183a073595a310bf56319f19f4ef536286311be154c15a84cd781c61ed172d4

Download Submit
C:\Windows\{CCF3FBC5-0EF1-4079-A4E7-E9CCBB800C31}.exe

Filesize
372KB

MD5
fc7b901a93f999acf7bfd30895d3ecd5

SHA1
d85e159f6f966be870b4c823740c2f4b2f2dc29e

SHA256
2502623aaccfcd3e48a0be7115f5614b6748a0b5b97db225159c0052d110f70b

SHA512
e0de48f393a4a340cb7a5d03ca97aa3c04d271fbec0994e02d3dfed2e09a2e51d3058ac568c2acf314912bb971d010265dea01d5d97f2cb1217f50f8322a4f7c

Download Submit
C:\Windows\{FA14ECB0-BEA4-4da5-9E0A-5325BACB06CC}.exe

Filesize
372KB

MD5
5238b5aba9147792c099a9785b5b1abc

SHA1
8fbcf60f928bfaa063d16a09a71759522bd41325

SHA256
76ac196978085155b07fb19c3403566e8a3ff5751d52d99120dcddd4a690b119

SHA512
27ed6ecf99758d5359ae62c3f105134874ee922a6830a067579df070672089b12af4ddc485a96ba454b8d5ed1037fa9fcc4affec49a16394769a2346a306c1fe

Download Submit