2ec5bfb79c417c6dba57c887e9432eee36904955dd48aaba2ae21351ebd8b0c1

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe
Size

180KB
MD5

da2c2cf1142e70c0ce17ffdcae24b2ea
SHA1

5afcfbab71f3e249b232883f144c51f31df1bd0d
SHA256

2ec5bfb79c417c6dba57c887e9432eee36904955dd48aaba2ae21351ebd8b0c1
SHA512

11c5fdedf2091b9464f5ce52caaac6ac53ac3e603e679f84272c492aa898a6666908128684cb9dc3b08cde481668989ca06cb099437106dce521105165c49826
SSDEEP

3072:jEGh0oplfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGTl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B879486D-2961-40b3-A73A-E4A858ABA287}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6F897508-C214-4789-A0B4-87CAFEB685BC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1EC7DCFE-4410-4d28-AC62-288C47E0880E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A787FBA5-6B04-44ef-9A48-789B4379FEAE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{B879486D-2961-40b3-A73A-E4A858ABA287}.exe{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe{6F897508-C214-4789-A0B4-87CAFEB685BC}.exe2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe{1EC7DCFE-4410-4d28-AC62-288C47E0880E}.exe{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E8B8104-A6B2-4175-B07D-30145684B59E}\stubpath = "C:\\Windows\\{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe"	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09D6663B-2EA9-41c1-8155-E24E014A9990}\stubpath = "C:\\Windows\\{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe"	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EC7DCFE-4410-4d28-AC62-288C47E0880E}	{6F897508-C214-4789-A0B4-87CAFEB685BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}\stubpath = "C:\\Windows\\{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe"	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B879486D-2961-40b3-A73A-E4A858ABA287}\stubpath = "C:\\Windows\\{B879486D-2961-40b3-A73A-E4A858ABA287}.exe"	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E8B8104-A6B2-4175-B07D-30145684B59E}	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}\stubpath = "C:\\Windows\\{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe"	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EC7DCFE-4410-4d28-AC62-288C47E0880E}\stubpath = "C:\\Windows\\{1EC7DCFE-4410-4d28-AC62-288C47E0880E}.exe"	{6F897508-C214-4789-A0B4-87CAFEB685BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A787FBA5-6B04-44ef-9A48-789B4379FEAE}	{1EC7DCFE-4410-4d28-AC62-288C47E0880E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{764293E3-AD17-48de-A64B-B79C42CFF39F}	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{764293E3-AD17-48de-A64B-B79C42CFF39F}\stubpath = "C:\\Windows\\{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe"	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B879486D-2961-40b3-A73A-E4A858ABA287}	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}\stubpath = "C:\\Windows\\{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe"	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A787FBA5-6B04-44ef-9A48-789B4379FEAE}\stubpath = "C:\\Windows\\{A787FBA5-6B04-44ef-9A48-789B4379FEAE}.exe"	{1EC7DCFE-4410-4d28-AC62-288C47E0880E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}\stubpath = "C:\\Windows\\{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe"	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09D6663B-2EA9-41c1-8155-E24E014A9990}	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F897508-C214-4789-A0B4-87CAFEB685BC}	{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F897508-C214-4789-A0B4-87CAFEB685BC}\stubpath = "C:\\Windows\\{6F897508-C214-4789-A0B4-87CAFEB685BC}.exe"	{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2060 cmd.exe

pid	process
2060	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe{B879486D-2961-40b3-A73A-E4A858ABA287}.exe{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe{6F897508-C214-4789-A0B4-87CAFEB685BC}.exe{1EC7DCFE-4410-4d28-AC62-288C47E0880E}.exe{A787FBA5-6B04-44ef-9A48-789B4379FEAE}.exe

pid	process
2848	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe
2796	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe
2628	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe
2100	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe
2924	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe
644	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe
2160	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe
2672	{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe
1992	{6F897508-C214-4789-A0B4-87CAFEB685BC}.exe
3028	{1EC7DCFE-4410-4d28-AC62-288C47E0880E}.exe
560	{A787FBA5-6B04-44ef-9A48-789B4379FEAE}.exe

Drops file in Windows directory 11 IoCs

Processes:

2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe{B879486D-2961-40b3-A73A-E4A858ABA287}.exe{6F897508-C214-4789-A0B4-87CAFEB685BC}.exe{1EC7DCFE-4410-4d28-AC62-288C47E0880E}.exe{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe

description	ioc	process
File created	C:\Windows\{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe
File created	C:\Windows\{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe
File created	C:\Windows\{B879486D-2961-40b3-A73A-E4A858ABA287}.exe	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe
File created	C:\Windows\{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe
File created	C:\Windows\{1EC7DCFE-4410-4d28-AC62-288C47E0880E}.exe	{6F897508-C214-4789-A0B4-87CAFEB685BC}.exe
File created	C:\Windows\{A787FBA5-6B04-44ef-9A48-789B4379FEAE}.exe	{1EC7DCFE-4410-4d28-AC62-288C47E0880E}.exe
File created	C:\Windows\{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe
File created	C:\Windows\{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe
File created	C:\Windows\{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe
File created	C:\Windows\{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe
File created	C:\Windows\{6F897508-C214-4789-A0B4-87CAFEB685BC}.exe	{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe{B879486D-2961-40b3-A73A-E4A858ABA287}.exe{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe{6F897508-C214-4789-A0B4-87CAFEB685BC}.exe{1EC7DCFE-4410-4d28-AC62-288C47E0880E}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2232	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2848	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe
Token: SeIncBasePriorityPrivilege	2796	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe
Token: SeIncBasePriorityPrivilege	2628	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe
Token: SeIncBasePriorityPrivilege	2100	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe
Token: SeIncBasePriorityPrivilege	2924	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe
Token: SeIncBasePriorityPrivilege	644	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe
Token: SeIncBasePriorityPrivilege	2160	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe
Token: SeIncBasePriorityPrivilege	2672	{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe
Token: SeIncBasePriorityPrivilege	1992	{6F897508-C214-4789-A0B4-87CAFEB685BC}.exe
Token: SeIncBasePriorityPrivilege	3028	{1EC7DCFE-4410-4d28-AC62-288C47E0880E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2232 wrote to memory of 2848	2232	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe
PID 2232 wrote to memory of 2848	2232	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe
PID 2232 wrote to memory of 2848	2232	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe
PID 2232 wrote to memory of 2848	2232	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe
PID 2232 wrote to memory of 2060	2232	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe	cmd.exe
PID 2232 wrote to memory of 2060	2232	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe	cmd.exe
PID 2232 wrote to memory of 2060	2232	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe	cmd.exe
PID 2232 wrote to memory of 2060	2232	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe	cmd.exe
PID 2848 wrote to memory of 2796	2848	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe
PID 2848 wrote to memory of 2796	2848	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe
PID 2848 wrote to memory of 2796	2848	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe
PID 2848 wrote to memory of 2796	2848	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe
PID 2848 wrote to memory of 2736	2848	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe	cmd.exe
PID 2848 wrote to memory of 2736	2848	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe	cmd.exe
PID 2848 wrote to memory of 2736	2848	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe	cmd.exe
PID 2848 wrote to memory of 2736	2848	{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe	cmd.exe
PID 2796 wrote to memory of 2628	2796	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe
PID 2796 wrote to memory of 2628	2796	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe
PID 2796 wrote to memory of 2628	2796	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe
PID 2796 wrote to memory of 2628	2796	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe
PID 2796 wrote to memory of 2740	2796	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe	cmd.exe
PID 2796 wrote to memory of 2740	2796	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe	cmd.exe
PID 2796 wrote to memory of 2740	2796	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe	cmd.exe
PID 2796 wrote to memory of 2740	2796	{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe	cmd.exe
PID 2628 wrote to memory of 2100	2628	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe
PID 2628 wrote to memory of 2100	2628	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe
PID 2628 wrote to memory of 2100	2628	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe
PID 2628 wrote to memory of 2100	2628	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe
PID 2628 wrote to memory of 1804	2628	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe	cmd.exe
PID 2628 wrote to memory of 1804	2628	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe	cmd.exe
PID 2628 wrote to memory of 1804	2628	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe	cmd.exe
PID 2628 wrote to memory of 1804	2628	{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe	cmd.exe
PID 2100 wrote to memory of 2924	2100	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe
PID 2100 wrote to memory of 2924	2100	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe
PID 2100 wrote to memory of 2924	2100	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe
PID 2100 wrote to memory of 2924	2100	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe
PID 2100 wrote to memory of 1968	2100	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe	cmd.exe
PID 2100 wrote to memory of 1968	2100	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe	cmd.exe
PID 2100 wrote to memory of 1968	2100	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe	cmd.exe
PID 2100 wrote to memory of 1968	2100	{B879486D-2961-40b3-A73A-E4A858ABA287}.exe	cmd.exe
PID 2924 wrote to memory of 644	2924	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe
PID 2924 wrote to memory of 644	2924	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe
PID 2924 wrote to memory of 644	2924	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe
PID 2924 wrote to memory of 644	2924	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe
PID 2924 wrote to memory of 288	2924	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe	cmd.exe
PID 2924 wrote to memory of 288	2924	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe	cmd.exe
PID 2924 wrote to memory of 288	2924	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe	cmd.exe
PID 2924 wrote to memory of 288	2924	{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe	cmd.exe
PID 644 wrote to memory of 2160	644	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe
PID 644 wrote to memory of 2160	644	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe
PID 644 wrote to memory of 2160	644	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe
PID 644 wrote to memory of 2160	644	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe
PID 644 wrote to memory of 1628	644	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe	cmd.exe
PID 644 wrote to memory of 1628	644	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe	cmd.exe
PID 644 wrote to memory of 1628	644	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe	cmd.exe
PID 644 wrote to memory of 1628	644	{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe	cmd.exe
PID 2160 wrote to memory of 2672	2160	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe	{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe
PID 2160 wrote to memory of 2672	2160	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe	{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe
PID 2160 wrote to memory of 2672	2160	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe	{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe
PID 2160 wrote to memory of 2672	2160	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe	{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe
PID 2160 wrote to memory of 816	2160	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe	cmd.exe
PID 2160 wrote to memory of 816	2160	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe	cmd.exe
PID 2160 wrote to memory of 816	2160	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe	cmd.exe
PID 2160 wrote to memory of 816	2160	{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe
C:\Windows\{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe
C:\Windows\{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe
C:\Windows\{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A2D22~1.EXE > nul
5⤵
PID:1804

C:\Windows\{B879486D-2961-40b3-A73A-E4A858ABA287}.exe
C:\Windows\{B879486D-2961-40b3-A73A-E4A858ABA287}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe
C:\Windows\{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe
C:\Windows\{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe
C:\Windows\{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe
C:\Windows\{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\{6F897508-C214-4789-A0B4-87CAFEB685BC}.exe
C:\Windows\{6F897508-C214-4789-A0B4-87CAFEB685BC}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\{1EC7DCFE-4410-4d28-AC62-288C47E0880E}.exe
C:\Windows\{1EC7DCFE-4410-4d28-AC62-288C47E0880E}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\{A787FBA5-6B04-44ef-9A48-789B4379FEAE}.exe
C:\Windows\{A787FBA5-6B04-44ef-9A48-789B4379FEAE}.exe
12⤵
- Executes dropped EXE
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1EC7D~1.EXE > nul
12⤵
PID:604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6F897~1.EXE > nul
11⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A6128~1.EXE > nul
10⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{09D66~1.EXE > nul
9⤵
PID:816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0E8B8~1.EXE > nul
8⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DC4D0~1.EXE > nul
7⤵
PID:288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B8794~1.EXE > nul
6⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{76429~1.EXE > nul
4⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2F223~1.EXE > nul
3⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09D6663B-2EA9-41c1-8155-E24E014A9990}.exe

Filesize
180KB

MD5
be270dafced690088a13771a4bf40a48

SHA1
b13b399ba7d877ad54afa26d4b5f0fbf9f311721

SHA256
1e0a8eaf28cc8d2e0c3d1498b0f1df26b8745ec43ff10a2df7be47fac7806213

SHA512
541a4b8965b35e00a0249b53e8692cf67514cc394ac94e77aafe99761eb9c9c5952a1da931928bd48341d2f9dd231afaeba558cb7c8922249e890bb8a6eea80a

Download Submit
C:\Windows\{0E8B8104-A6B2-4175-B07D-30145684B59E}.exe

Filesize
180KB

MD5
83a0d435a26589026b109310101b77d4

SHA1
a016fde8573bb4b481b2ef962b315a04437dfe04

SHA256
d2a94d3dbaad86832fb88afa0a2e9b2270f3f995f2b5a9fe48daacaab9e52ad9

SHA512
a8706c45bbc86696ff5fd672c5040437b62cbe761eda5fe1750e85c19237b5cb6d7fd43865960106ca6641908079d6689896b73da0d2043b94d25f47fa2195b0

Download Submit
C:\Windows\{1EC7DCFE-4410-4d28-AC62-288C47E0880E}.exe

Filesize
180KB

MD5
7a237cd4644c3e1a7acdd6980140088c

SHA1
20f61ac9b0f7d5522a83ce1d32b8c81faff641a8

SHA256
e871d01d22d839ffb9767bf01ba4c7b737a896da618f4af9085432e1dab32657

SHA512
c5fbe14ccab7ab3b04749f4036b94473dfc7952cf4de7ea1b8d23ebc57546cb9cc3527f6c1c57c8160d01dd17608b2f2d348fc37120a356296b43e44b3de83b3

Download Submit
C:\Windows\{2F223A4D-BCC6-4fd5-BDBD-6DE62A46AF18}.exe

Filesize
180KB

MD5
21e029d1af73c12b19be03781f319117

SHA1
a109e1397cbb95c60ca689a1ad92a9b25453c241

SHA256
55ac244023afbe85558ec7a5355b3fc1dc4ac439fc4bbbab0129c6ef6af1a145

SHA512
2fae8da1bbbc4995ae12f5ca8c1313964f70482525b19a05a887a7ff1b153fd312426ce0bf8cd16e3588e36cac4b1c33910e14365496d61dd9e7bc98902e41ad

Download Submit
C:\Windows\{6F897508-C214-4789-A0B4-87CAFEB685BC}.exe

Filesize
180KB

MD5
f0caa74f3eb42483c30065adcc4a0fc1

SHA1
1179ee5c031802e13193f15683ebbcea62e75759

SHA256
9adfb916b9642dcdc47010cf4ff3fd5a84a8bed44512bc5f30100de109972115

SHA512
212cf467bb8b21fe0b6f8528511806f4e84a540183618eb8c23361744ee66596150e2782b145b646b91e762102ed58b1604ded094a42cff1fa444dc9f4a8d6fc

Download Submit
C:\Windows\{764293E3-AD17-48de-A64B-B79C42CFF39F}.exe

Filesize
180KB

MD5
809d0c51c0e24acf2624887d609b5aaf

SHA1
a16fba0ce185ce3f6f7d41e2758ffe5d654665c2

SHA256
bfbcc21e43d2a136e3c8edb1440fc3adc656d9ba11ac211962706ed0f1fa485a

SHA512
5efb22e2a40dc6f6cdaf188db095c6cc09f66789aa78d64b08c1690506589fbf0563fb64661cb07f7ff38e12854c69aff0791480a91ca6adaacc7fe738116094

Download Submit
C:\Windows\{A2D22CFA-E8D1-459b-BF37-532DCE365CC7}.exe

Filesize
180KB

MD5
81a96f8314b1b3b53443e2f049116657

SHA1
a559293d75e3934cc42184865540852525155522

SHA256
f33098d80b74be14666ada7f59182050783b226693a9286a0246f92c9e65edc5

SHA512
fb3558279d97705f77838e07ab6b4e3b01f82d843076173a5e4ecf8cb43606e27db3d0fc732b914b23c2d1f24384f0f8b056433438fef9384b6053c20b6df50d

Download Submit
C:\Windows\{A6128B6B-7D2E-4113-BBBE-4D7EC7BA5796}.exe

Filesize
180KB

MD5
f5a44a45af3415147dc1aad668e0cf70

SHA1
c1bbf684b37b951f2fa0e95e9a6f7f5a604b73c0

SHA256
fc5eb08c3c14ecdfecda580bdfaefcd1fa852ba798a07af46407e679e08fa631

SHA512
0fab5b3c13bfffdb6dc118a73b4b70195544a0dce2594ceb6bf0f4981a3b1d0a318f6c967cdba1af61af94a7a4f4ebfc42b455457c24c7f37de26cd79d68990d

Download Submit
C:\Windows\{A787FBA5-6B04-44ef-9A48-789B4379FEAE}.exe

Filesize
180KB

MD5
d54730a409296d1569b58738eb01b8ca

SHA1
7e68018aa2937fa37f900b273f2c7291f49213d4

SHA256
48789fd03651f59e8eba1fd10ddfa07b6f17858a488160dac0002fea1fb40492

SHA512
a6b34ad11dfc4f1a72d52b9979afbe703e099081764e540fc296ec055768e94b92f6b43e494828d2ae39becb5ec298690c7dc3c96663fff6d46e9a6d882703c3

Download Submit
C:\Windows\{B879486D-2961-40b3-A73A-E4A858ABA287}.exe

Filesize
180KB

MD5
48a9ceb84bc191227cda6e22aabcb5f7

SHA1
027fec1ebf6348a7bdc8001af25413dab33f6d9f

SHA256
d6d537d0c5077bc9a518aa3666132b5a2b2cc93798a95eff53c029d9cc4b4591

SHA512
30626b536ef3769ded5adac7a8ddef9c9474de1d8aa171a1317035c4d6242843f50a8b0c699e36a4256d7755e56555bfa76095ad2b61546e3db141755a4e8551

Download Submit
C:\Windows\{DC4D0DE3-F8AD-4d1c-BFF2-1C5D321588DD}.exe

Filesize
180KB

MD5
9dfbf59eb00442afac40a80017f998a2

SHA1
98e82023103b01fed1e89f85c43e578fbf7d6d3b

SHA256
81003e8c0a7724b79578d3726449b1603404935bd4c50b6a8f032dc479d86bd9

SHA512
faef311e69ab5561aec4ba9aa19fe45cb9a298e56c8da8bad752d30ad7ec4b3d2d16e1d5e4af13c6f3ecc003f711e4358b460f2b254ad860f74d4ae2f223b5ae

Download Submit