2ec5bfb79c417c6dba57c887e9432eee36904955dd48aaba2ae21351ebd8b0c1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe
Size

180KB
MD5

da2c2cf1142e70c0ce17ffdcae24b2ea
SHA1

5afcfbab71f3e249b232883f144c51f31df1bd0d
SHA256

2ec5bfb79c417c6dba57c887e9432eee36904955dd48aaba2ae21351ebd8b0c1
SHA512

11c5fdedf2091b9464f5ce52caaac6ac53ac3e603e679f84272c492aa898a6666908128684cb9dc3b08cde481668989ca06cb099437106dce521105165c49826
SSDEEP

3072:jEGh0oplfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGTl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C303DDD8-1C12-4978-A209-D435F9B62244}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A2029028-2848-407c-9F50-1B931259DD86}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B685E7B5-CD6F-4e36-A11B-67704A60CA89}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe{C303DDD8-1C12-4978-A209-D435F9B62244}.exe{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe{A2029028-2848-407c-9F50-1B931259DD86}.exe{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}\stubpath = "C:\\Windows\\{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe"	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}\stubpath = "C:\\Windows\\{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe"	{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}	{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B685E7B5-CD6F-4e36-A11B-67704A60CA89}	{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}\stubpath = "C:\\Windows\\{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe"	{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2029028-2848-407c-9F50-1B931259DD86}\stubpath = "C:\\Windows\\{A2029028-2848-407c-9F50-1B931259DD86}.exe"	{C303DDD8-1C12-4978-A209-D435F9B62244}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EB246A7-FE11-4876-BB99-5E10D23E122B}\stubpath = "C:\\Windows\\{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe"	{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B686D3A-2210-4b1e-B5FC-6C31704274E2}\stubpath = "C:\\Windows\\{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe"	{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}\stubpath = "C:\\Windows\\{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe"	{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}	{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}\stubpath = "C:\\Windows\\{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe"	{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B685E7B5-CD6F-4e36-A11B-67704A60CA89}\stubpath = "C:\\Windows\\{B685E7B5-CD6F-4e36-A11B-67704A60CA89}.exe"	{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}	{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}	{A2029028-2848-407c-9F50-1B931259DD86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}\stubpath = "C:\\Windows\\{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe"	{A2029028-2848-407c-9F50-1B931259DD86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B686D3A-2210-4b1e-B5FC-6C31704274E2}	{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}\stubpath = "C:\\Windows\\{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe"	{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}	{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C303DDD8-1C12-4978-A209-D435F9B62244}	{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C303DDD8-1C12-4978-A209-D435F9B62244}\stubpath = "C:\\Windows\\{C303DDD8-1C12-4978-A209-D435F9B62244}.exe"	{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2029028-2848-407c-9F50-1B931259DD86}	{C303DDD8-1C12-4978-A209-D435F9B62244}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EB246A7-FE11-4876-BB99-5E10D23E122B}	{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}	{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe

Executes dropped EXE 12 IoCs

Processes:

{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe{C303DDD8-1C12-4978-A209-D435F9B62244}.exe{A2029028-2848-407c-9F50-1B931259DD86}.exe{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe{B685E7B5-CD6F-4e36-A11B-67704A60CA89}.exe

pid	process
1676	{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe
4216	{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe
3720	{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe
2068	{C303DDD8-1C12-4978-A209-D435F9B62244}.exe
1628	{A2029028-2848-407c-9F50-1B931259DD86}.exe
3948	{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe
4888	{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe
1268	{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe
4104	{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe
212	{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe
4904	{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe
5056	{B685E7B5-CD6F-4e36-A11B-67704A60CA89}.exe

Drops file in Windows directory 12 IoCs

Processes:

{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe{C303DDD8-1C12-4978-A209-D435F9B62244}.exe{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe{A2029028-2848-407c-9F50-1B931259DD86}.exe

description	ioc	process
File created	C:\Windows\{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe	{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe
File created	C:\Windows\{B685E7B5-CD6F-4e36-A11B-67704A60CA89}.exe	{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe
File created	C:\Windows\{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe
File created	C:\Windows\{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe	{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe
File created	C:\Windows\{A2029028-2848-407c-9F50-1B931259DD86}.exe	{C303DDD8-1C12-4978-A209-D435F9B62244}.exe
File created	C:\Windows\{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe	{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe
File created	C:\Windows\{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe	{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe
File created	C:\Windows\{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe	{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe
File created	C:\Windows\{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe	{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe
File created	C:\Windows\{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe	{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe
File created	C:\Windows\{C303DDD8-1C12-4978-A209-D435F9B62244}.exe	{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe
File created	C:\Windows\{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe	{A2029028-2848-407c-9F50-1B931259DD86}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe{C303DDD8-1C12-4978-A209-D435F9B62244}.exe{A2029028-2848-407c-9F50-1B931259DD86}.exe{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	208	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1676	{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe
Token: SeIncBasePriorityPrivilege	4216	{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe
Token: SeIncBasePriorityPrivilege	3720	{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe
Token: SeIncBasePriorityPrivilege	2068	{C303DDD8-1C12-4978-A209-D435F9B62244}.exe
Token: SeIncBasePriorityPrivilege	1628	{A2029028-2848-407c-9F50-1B931259DD86}.exe
Token: SeIncBasePriorityPrivilege	3948	{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe
Token: SeIncBasePriorityPrivilege	4888	{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe
Token: SeIncBasePriorityPrivilege	1268	{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe
Token: SeIncBasePriorityPrivilege	4104	{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe
Token: SeIncBasePriorityPrivilege	212	{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe
Token: SeIncBasePriorityPrivilege	4904	{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 208 wrote to memory of 1676	208	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe	{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe
PID 208 wrote to memory of 1676	208	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe	{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe
PID 208 wrote to memory of 1676	208	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe	{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe
PID 208 wrote to memory of 3560	208	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe	cmd.exe
PID 208 wrote to memory of 3560	208	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe	cmd.exe
PID 208 wrote to memory of 3560	208	2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe	cmd.exe
PID 1676 wrote to memory of 4216	1676	{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe	{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe
PID 1676 wrote to memory of 4216	1676	{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe	{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe
PID 1676 wrote to memory of 4216	1676	{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe	{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe
PID 1676 wrote to memory of 3644	1676	{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe	cmd.exe
PID 1676 wrote to memory of 3644	1676	{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe	cmd.exe
PID 1676 wrote to memory of 3644	1676	{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe	cmd.exe
PID 4216 wrote to memory of 3720	4216	{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe	{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe
PID 4216 wrote to memory of 3720	4216	{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe	{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe
PID 4216 wrote to memory of 3720	4216	{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe	{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe
PID 4216 wrote to memory of 4488	4216	{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe	cmd.exe
PID 4216 wrote to memory of 4488	4216	{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe	cmd.exe
PID 4216 wrote to memory of 4488	4216	{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe	cmd.exe
PID 3720 wrote to memory of 2068	3720	{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe	{C303DDD8-1C12-4978-A209-D435F9B62244}.exe
PID 3720 wrote to memory of 2068	3720	{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe	{C303DDD8-1C12-4978-A209-D435F9B62244}.exe
PID 3720 wrote to memory of 2068	3720	{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe	{C303DDD8-1C12-4978-A209-D435F9B62244}.exe
PID 3720 wrote to memory of 3496	3720	{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe	cmd.exe
PID 3720 wrote to memory of 3496	3720	{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe	cmd.exe
PID 3720 wrote to memory of 3496	3720	{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe	cmd.exe
PID 2068 wrote to memory of 1628	2068	{C303DDD8-1C12-4978-A209-D435F9B62244}.exe	{A2029028-2848-407c-9F50-1B931259DD86}.exe
PID 2068 wrote to memory of 1628	2068	{C303DDD8-1C12-4978-A209-D435F9B62244}.exe	{A2029028-2848-407c-9F50-1B931259DD86}.exe
PID 2068 wrote to memory of 1628	2068	{C303DDD8-1C12-4978-A209-D435F9B62244}.exe	{A2029028-2848-407c-9F50-1B931259DD86}.exe
PID 2068 wrote to memory of 3008	2068	{C303DDD8-1C12-4978-A209-D435F9B62244}.exe	cmd.exe
PID 2068 wrote to memory of 3008	2068	{C303DDD8-1C12-4978-A209-D435F9B62244}.exe	cmd.exe
PID 2068 wrote to memory of 3008	2068	{C303DDD8-1C12-4978-A209-D435F9B62244}.exe	cmd.exe
PID 1628 wrote to memory of 3948	1628	{A2029028-2848-407c-9F50-1B931259DD86}.exe	{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe
PID 1628 wrote to memory of 3948	1628	{A2029028-2848-407c-9F50-1B931259DD86}.exe	{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe
PID 1628 wrote to memory of 3948	1628	{A2029028-2848-407c-9F50-1B931259DD86}.exe	{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe
PID 1628 wrote to memory of 2052	1628	{A2029028-2848-407c-9F50-1B931259DD86}.exe	cmd.exe
PID 1628 wrote to memory of 2052	1628	{A2029028-2848-407c-9F50-1B931259DD86}.exe	cmd.exe
PID 1628 wrote to memory of 2052	1628	{A2029028-2848-407c-9F50-1B931259DD86}.exe	cmd.exe
PID 3948 wrote to memory of 4888	3948	{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe	{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe
PID 3948 wrote to memory of 4888	3948	{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe	{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe
PID 3948 wrote to memory of 4888	3948	{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe	{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe
PID 3948 wrote to memory of 1968	3948	{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe	cmd.exe
PID 3948 wrote to memory of 1968	3948	{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe	cmd.exe
PID 3948 wrote to memory of 1968	3948	{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe	cmd.exe
PID 4888 wrote to memory of 1268	4888	{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe	{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe
PID 4888 wrote to memory of 1268	4888	{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe	{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe
PID 4888 wrote to memory of 1268	4888	{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe	{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe
PID 4888 wrote to memory of 4836	4888	{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe	cmd.exe
PID 4888 wrote to memory of 4836	4888	{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe	cmd.exe
PID 4888 wrote to memory of 4836	4888	{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe	cmd.exe
PID 1268 wrote to memory of 4104	1268	{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe	{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe
PID 1268 wrote to memory of 4104	1268	{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe	{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe
PID 1268 wrote to memory of 4104	1268	{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe	{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe
PID 1268 wrote to memory of 4340	1268	{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe	cmd.exe
PID 1268 wrote to memory of 4340	1268	{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe	cmd.exe
PID 1268 wrote to memory of 4340	1268	{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe	cmd.exe
PID 4104 wrote to memory of 212	4104	{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe	{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe
PID 4104 wrote to memory of 212	4104	{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe	{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe
PID 4104 wrote to memory of 212	4104	{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe	{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe
PID 4104 wrote to memory of 2308	4104	{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe	cmd.exe
PID 4104 wrote to memory of 2308	4104	{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe	cmd.exe
PID 4104 wrote to memory of 2308	4104	{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe	cmd.exe
PID 212 wrote to memory of 4904	212	{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe	{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe
PID 212 wrote to memory of 4904	212	{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe	{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe
PID 212 wrote to memory of 4904	212	{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe	{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe
PID 212 wrote to memory of 4496	212	{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_da2c2cf1142e70c0ce17ffdcae24b2ea_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe
C:\Windows\{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe
C:\Windows\{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F0851~1.EXE > nul
4⤵
PID:4488

C:\Windows\{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe
C:\Windows\{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\{C303DDD8-1C12-4978-A209-D435F9B62244}.exe
C:\Windows\{C303DDD8-1C12-4978-A209-D435F9B62244}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\{A2029028-2848-407c-9F50-1B931259DD86}.exe
C:\Windows\{A2029028-2848-407c-9F50-1B931259DD86}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe
C:\Windows\{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe
C:\Windows\{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe
C:\Windows\{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe
C:\Windows\{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe
C:\Windows\{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe
C:\Windows\{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\{B685E7B5-CD6F-4e36-A11B-67704A60CA89}.exe
C:\Windows\{B685E7B5-CD6F-4e36-A11B-67704A60CA89}.exe
13⤵
- Executes dropped EXE
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1AC73~1.EXE > nul
13⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{26A94~1.EXE > nul
12⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A80D7~1.EXE > nul
11⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0B686~1.EXE > nul
10⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4EB24~1.EXE > nul
9⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{04EF4~1.EXE > nul
8⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A2029~1.EXE > nul
7⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C303D~1.EXE > nul
6⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{73FC9~1.EXE > nul
5⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E46C2~1.EXE > nul
3⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04EF46FB-E5A4-4269-9412-7DA6A9E253DF}.exe

Filesize
180KB

MD5
3ee4810d179fc27f6504a89dd6feeb7b

SHA1
a88264e97fe38737faf4e3b537d83eae6a83f490

SHA256
2d220ed909c6ee426fda9fe886beab888c8c7861bb7aad454812a51b7dc89f38

SHA512
c586412aa23834bc78fac77d03ab079611c43a23420f609ab8a809828552c51db2925d66b38c6ff0945ab4ea37f6d6e36dc28a5d07c2c54c7052c6d2dd6a6e6a

Download Submit
C:\Windows\{0B686D3A-2210-4b1e-B5FC-6C31704274E2}.exe

Filesize
180KB

MD5
13d54cbae35092f2011648cef5341474

SHA1
5d31c65c2b198c835a9fc8deaaebbdb1bbb7853d

SHA256
043de33b4e11059f9643e000cf03b64ecd96fbdab3422fde119b2ba1dfdf19a9

SHA512
0157e15fb5e21625d65197aeeaa8d20192ebf007c06e2364845ae46a6f5596e6f4743209ddced2cb2666f118ffa0661d5709bb501bcd795d4a84b14c78f059f4

Download Submit
C:\Windows\{1AC734B1-8FF8-4514-B6BE-E0E64FCF238E}.exe

Filesize
180KB

MD5
24094246e7142ccc2214e8defe5cfd10

SHA1
4ba9cea4b08251f1a59e345f4c2eafa5b20b2bbb

SHA256
22ef51c611d919251c5a3637ff6caa8a213bc64a53ebbf5f025a03b2d76511f3

SHA512
b18b3c5b71898c986b55d7e26673ff65b5df42b3303cc74c144f0a0215624d12362d5a3bda7d2fe6b50d3fc5950572c3d055b47686d8d2a28cf8f57e24c33397

Download Submit
C:\Windows\{26A94554-6A2B-42f5-9BC1-C4F3FFB95D3E}.exe

Filesize
180KB

MD5
cf5423f6bd1f354727d4b53dfbe5c771

SHA1
5e5be81b78e28007f1392b756c909fa4d171bd9c

SHA256
3409638c0bd3b9ae4e7d685a19ea4f00d368011f427a3c7447bd01f93e9dcdea

SHA512
bc5bffd17a3053a0d79c4895ad15ac71f418ffa7e832bd82383f8ac85c23b0f7ced085581c93a5f73e86cb58521ac60d3c0e8fe14b563d41f178136cf5ccb8be

Download Submit
C:\Windows\{4EB246A7-FE11-4876-BB99-5E10D23E122B}.exe

Filesize
180KB

MD5
58fa315cf77dde5e9b9ea4dfe287d4ac

SHA1
f9c34aaa86e00de21d61ebe21f617e0bf463d77b

SHA256
fc9bf58bd6474b4f93572a8995c28fa88e7342c921cd56f298ae61a66a68fd3b

SHA512
59d9e11d6d8506bd8bdab8ba38382b5361b18550a3138099ad6894d13179b162868df8e89681a58d4fb9c85fa2dfefd13db588e87cfd55540b3c3a1c17e63ca2

Download Submit
C:\Windows\{73FC9167-2B33-4bd7-BEB3-33154EE82F0B}.exe

Filesize
180KB

MD5
49354d37d5ada96994666a094ddeb2d9

SHA1
270e1e325803bf242482f33f68c6b1fc868d9429

SHA256
30277bd2f2e7ed45233c5f312a8a246f1cab854be752f43a6e4f87d66b2f5320

SHA512
6b9dfb490acaa11d679c6a7ba8ee1a6155e5ed60d3cebe4fd672723edca4de43010ab06fce72c1aa9322cf9bb382270f5578d14820cf9f637b99dc81753f4c07

Download Submit
C:\Windows\{A2029028-2848-407c-9F50-1B931259DD86}.exe

Filesize
180KB

MD5
aefdb10a96bfd816f1b8eadee9afcb0d

SHA1
cce49350837b7a7afca7b80a3845195891a718f5

SHA256
68fbc783f322b322c6b0fc32f9bfeb8f11ba837ca885c88e8e1fbf6c7f6d0df5

SHA512
ae9d061076de48be65bec1a0f04476e10ad92d82c03d195a24e7fa22a0706058ea085b3213737a979b52e89e1f0a600e646e270aaf45f185173850e8eaefdb68

Download Submit
C:\Windows\{A80D7920-08F6-4216-99A1-F2E8FBEE05D9}.exe

Filesize
180KB

MD5
f1453c16a135e525fa1f79c44322e9e1

SHA1
8fa1686a60d28d9570155d5ba00ef46cf6da022e

SHA256
2a6dfcdb19b5d72961ad0d0f62b45ba14fca87e6d312aea79ab80dd857f07a37

SHA512
9293142b75b4e06d86d519ee5b12dd5f919e988637734e487ff93c8b914d211dab591d7aa6d62989f99de7b6fceb68de40948a289b2ff83cb4ae3f2438858c84

Download Submit
C:\Windows\{B685E7B5-CD6F-4e36-A11B-67704A60CA89}.exe

Filesize
180KB

MD5
6766d62b1c10590ef9598da7a2f8b527

SHA1
d9a87f843d3e2da5542d95357a5ac718154d14a0

SHA256
fc8976371ca072b1c212317ec34285641d8855f6f03df25a72990c78f86dcf63

SHA512
7b715d85fd4042ddf6f0f2e8e4eaf3df1eda868ff33a276f8fd4887cb620f9e681061f95ae17c11f935349e2700c03b8c66661e3f53902af63a0472e19bc5153

Download Submit
C:\Windows\{C303DDD8-1C12-4978-A209-D435F9B62244}.exe

Filesize
180KB

MD5
5b31080673df693dd4b5db707bcca507

SHA1
d2b99c59b290008b42cbb2904bf34a96f7be854e

SHA256
6af8f48b17d9278bff3c512589099968e3df86a5482fbdc0ef4de7d538960c5d

SHA512
e75bef508ee33eba0fe251874c73f3c35d9163106958f5e98f9d78d1ad03b5dba6e3d9a4545fcac78531be8c8b0070a260e2b3e5aa508cdd088b6050a5aabd21

Download Submit
C:\Windows\{E46C2F6B-5D47-4d2e-BC2E-F1F4EA0760D6}.exe

Filesize
180KB

MD5
90e49210845d709fcacb97c553f19975

SHA1
787a4e6927f9bc55494b8a808b4165edb511acb8

SHA256
3ad016667a36a8453e3e0f354d77f29b153a983cf1f8ebc816aa88de92389f46

SHA512
77eb1cf50baad44239446e7a5473b45e52202f25e75cb7d96d243e9914afac26859b04fa165f8c6dc76b20b5b99df7a2c086066408634797a4da13689d9d6727

Download Submit
C:\Windows\{F0851E72-EA7F-4683-A049-C2BDFEE8ED63}.exe

Filesize
180KB

MD5
bdf4e26ac6f47559bb762043a816c187

SHA1
9c9d0574cc1d8952417894ae64d1dd688f1b6101

SHA256
76f4fb02d8f35939d0aa33e49cb7b114b82e5ecdcc7d99faa6506c1be36be7f1

SHA512
e059f45aeae3c905caf47ca3c514a89eaa49cbc78dbaea8a69e610a2d2209942804f6012bb5a82287c71a6cd27b1663e1901ee4b8023c1f0bb71ff7830339284

Download Submit