6e692d6eab37f23c74ee44f194cadabf00b0f68e0b4f190127115e92bb31bac4

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe
Size

408KB
MD5

e7c152293bc1412d0d44ac4e0e252dbf
SHA1

efd0633ff3c453f8d530496ed539b2dc82401099
SHA256

6e692d6eab37f23c74ee44f194cadabf00b0f68e0b4f190127115e92bb31bac4
SHA512

28a9b03613f066b122b2232013fc6314f85526692b7731a54d3249f94ddf588927baa5a577033a100b69c19dc63a72faea82074365e1591f9ad94343d67c6964
SSDEEP

3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{487D5B2E-3768-4318-800C-998237699D58}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{454588A0-3E85-4632-85A6-34D04CB06EC7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6DF17821-9B9C-463c-B504-715B963B56E1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AB7A18AC-C7E2-4610-BF9E-8F858721367D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe{487D5B2E-3768-4318-800C-998237699D58}.exe{6DF17821-9B9C-463c-B504-715B963B56E1}.exe{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe{454588A0-3E85-4632-85A6-34D04CB06EC7}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}\stubpath = "C:\\Windows\\{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe"	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}\stubpath = "C:\\Windows\\{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe"	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DAE00AC-0CD0-4368-ACB4-5898742D544E}	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CACC9AA9-5420-4e42-BF3E-1959081076C6}	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CACC9AA9-5420-4e42-BF3E-1959081076C6}\stubpath = "C:\\Windows\\{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe"	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{454588A0-3E85-4632-85A6-34D04CB06EC7}	{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{454588A0-3E85-4632-85A6-34D04CB06EC7}\stubpath = "C:\\Windows\\{454588A0-3E85-4632-85A6-34D04CB06EC7}.exe"	{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{285B126C-BC6D-4520-859E-EADD9BCDA2F1}	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}\stubpath = "C:\\Windows\\{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe"	{487D5B2E-3768-4318-800C-998237699D58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB7A18AC-C7E2-4610-BF9E-8F858721367D}	{6DF17821-9B9C-463c-B504-715B963B56E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{285B126C-BC6D-4520-859E-EADD9BCDA2F1}\stubpath = "C:\\Windows\\{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe"	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DAE00AC-0CD0-4368-ACB4-5898742D544E}\stubpath = "C:\\Windows\\{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe"	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{487D5B2E-3768-4318-800C-998237699D58}\stubpath = "C:\\Windows\\{487D5B2E-3768-4318-800C-998237699D58}.exe"	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}	{487D5B2E-3768-4318-800C-998237699D58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DF17821-9B9C-463c-B504-715B963B56E1}	{454588A0-3E85-4632-85A6-34D04CB06EC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB7A18AC-C7E2-4610-BF9E-8F858721367D}\stubpath = "C:\\Windows\\{AB7A18AC-C7E2-4610-BF9E-8F858721367D}.exe"	{6DF17821-9B9C-463c-B504-715B963B56E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}\stubpath = "C:\\Windows\\{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe"	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{487D5B2E-3768-4318-800C-998237699D58}	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DF17821-9B9C-463c-B504-715B963B56E1}\stubpath = "C:\\Windows\\{6DF17821-9B9C-463c-B504-715B963B56E1}.exe"	{454588A0-3E85-4632-85A6-34D04CB06EC7}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2712 cmd.exe

pid	process
2712	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe{487D5B2E-3768-4318-800C-998237699D58}.exe{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe{454588A0-3E85-4632-85A6-34D04CB06EC7}.exe{6DF17821-9B9C-463c-B504-715B963B56E1}.exe{AB7A18AC-C7E2-4610-BF9E-8F858721367D}.exe

pid	process
2380	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe
2876	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe
3060	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe
768	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe
2888	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe
804	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe
2524	{487D5B2E-3768-4318-800C-998237699D58}.exe
1504	{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe
2972	{454588A0-3E85-4632-85A6-34D04CB06EC7}.exe
1400	{6DF17821-9B9C-463c-B504-715B963B56E1}.exe
584	{AB7A18AC-C7E2-4610-BF9E-8F858721367D}.exe

Drops file in Windows directory 11 IoCs

Processes:

{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe{487D5B2E-3768-4318-800C-998237699D58}.exe{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe{454588A0-3E85-4632-85A6-34D04CB06EC7}.exe{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe{6DF17821-9B9C-463c-B504-715B963B56E1}.exe2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe

description	ioc	process
File created	C:\Windows\{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe
File created	C:\Windows\{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe	{487D5B2E-3768-4318-800C-998237699D58}.exe
File created	C:\Windows\{454588A0-3E85-4632-85A6-34D04CB06EC7}.exe	{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe
File created	C:\Windows\{6DF17821-9B9C-463c-B504-715B963B56E1}.exe	{454588A0-3E85-4632-85A6-34D04CB06EC7}.exe
File created	C:\Windows\{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe
File created	C:\Windows\{487D5B2E-3768-4318-800C-998237699D58}.exe	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe
File created	C:\Windows\{AB7A18AC-C7E2-4610-BF9E-8F858721367D}.exe	{6DF17821-9B9C-463c-B504-715B963B56E1}.exe
File created	C:\Windows\{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe
File created	C:\Windows\{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe
File created	C:\Windows\{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe
File created	C:\Windows\{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe{487D5B2E-3768-4318-800C-998237699D58}.exe{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe{454588A0-3E85-4632-85A6-34D04CB06EC7}.exe{6DF17821-9B9C-463c-B504-715B963B56E1}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3012	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2380	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe
Token: SeIncBasePriorityPrivilege	2876	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe
Token: SeIncBasePriorityPrivilege	3060	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe
Token: SeIncBasePriorityPrivilege	768	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe
Token: SeIncBasePriorityPrivilege	2888	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe
Token: SeIncBasePriorityPrivilege	804	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe
Token: SeIncBasePriorityPrivilege	2524	{487D5B2E-3768-4318-800C-998237699D58}.exe
Token: SeIncBasePriorityPrivilege	1504	{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe
Token: SeIncBasePriorityPrivilege	2972	{454588A0-3E85-4632-85A6-34D04CB06EC7}.exe
Token: SeIncBasePriorityPrivilege	1400	{6DF17821-9B9C-463c-B504-715B963B56E1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3012 wrote to memory of 2380	3012	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe
PID 3012 wrote to memory of 2380	3012	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe
PID 3012 wrote to memory of 2380	3012	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe
PID 3012 wrote to memory of 2380	3012	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe
PID 3012 wrote to memory of 2712	3012	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe	cmd.exe
PID 3012 wrote to memory of 2712	3012	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe	cmd.exe
PID 3012 wrote to memory of 2712	3012	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe	cmd.exe
PID 3012 wrote to memory of 2712	3012	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe	cmd.exe
PID 2380 wrote to memory of 2876	2380	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe
PID 2380 wrote to memory of 2876	2380	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe
PID 2380 wrote to memory of 2876	2380	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe
PID 2380 wrote to memory of 2876	2380	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe
PID 2380 wrote to memory of 2944	2380	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe	cmd.exe
PID 2380 wrote to memory of 2944	2380	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe	cmd.exe
PID 2380 wrote to memory of 2944	2380	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe	cmd.exe
PID 2380 wrote to memory of 2944	2380	{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe	cmd.exe
PID 2876 wrote to memory of 3060	2876	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe
PID 2876 wrote to memory of 3060	2876	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe
PID 2876 wrote to memory of 3060	2876	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe
PID 2876 wrote to memory of 3060	2876	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe
PID 2876 wrote to memory of 2772	2876	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe	cmd.exe
PID 2876 wrote to memory of 2772	2876	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe	cmd.exe
PID 2876 wrote to memory of 2772	2876	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe	cmd.exe
PID 2876 wrote to memory of 2772	2876	{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe	cmd.exe
PID 3060 wrote to memory of 768	3060	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe
PID 3060 wrote to memory of 768	3060	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe
PID 3060 wrote to memory of 768	3060	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe
PID 3060 wrote to memory of 768	3060	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe
PID 3060 wrote to memory of 1660	3060	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe	cmd.exe
PID 3060 wrote to memory of 1660	3060	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe	cmd.exe
PID 3060 wrote to memory of 1660	3060	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe	cmd.exe
PID 3060 wrote to memory of 1660	3060	{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe	cmd.exe
PID 768 wrote to memory of 2888	768	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe
PID 768 wrote to memory of 2888	768	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe
PID 768 wrote to memory of 2888	768	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe
PID 768 wrote to memory of 2888	768	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe
PID 768 wrote to memory of 3004	768	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe	cmd.exe
PID 768 wrote to memory of 3004	768	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe	cmd.exe
PID 768 wrote to memory of 3004	768	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe	cmd.exe
PID 768 wrote to memory of 3004	768	{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe	cmd.exe
PID 2888 wrote to memory of 804	2888	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe
PID 2888 wrote to memory of 804	2888	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe
PID 2888 wrote to memory of 804	2888	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe
PID 2888 wrote to memory of 804	2888	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe
PID 2888 wrote to memory of 1032	2888	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe	cmd.exe
PID 2888 wrote to memory of 1032	2888	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe	cmd.exe
PID 2888 wrote to memory of 1032	2888	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe	cmd.exe
PID 2888 wrote to memory of 1032	2888	{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe	cmd.exe
PID 804 wrote to memory of 2524	804	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe	{487D5B2E-3768-4318-800C-998237699D58}.exe
PID 804 wrote to memory of 2524	804	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe	{487D5B2E-3768-4318-800C-998237699D58}.exe
PID 804 wrote to memory of 2524	804	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe	{487D5B2E-3768-4318-800C-998237699D58}.exe
PID 804 wrote to memory of 2524	804	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe	{487D5B2E-3768-4318-800C-998237699D58}.exe
PID 804 wrote to memory of 2488	804	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe	cmd.exe
PID 804 wrote to memory of 2488	804	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe	cmd.exe
PID 804 wrote to memory of 2488	804	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe	cmd.exe
PID 804 wrote to memory of 2488	804	{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe	cmd.exe
PID 2524 wrote to memory of 1504	2524	{487D5B2E-3768-4318-800C-998237699D58}.exe	{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe
PID 2524 wrote to memory of 1504	2524	{487D5B2E-3768-4318-800C-998237699D58}.exe	{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe
PID 2524 wrote to memory of 1504	2524	{487D5B2E-3768-4318-800C-998237699D58}.exe	{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe
PID 2524 wrote to memory of 1504	2524	{487D5B2E-3768-4318-800C-998237699D58}.exe	{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe
PID 2524 wrote to memory of 1384	2524	{487D5B2E-3768-4318-800C-998237699D58}.exe	cmd.exe
PID 2524 wrote to memory of 1384	2524	{487D5B2E-3768-4318-800C-998237699D58}.exe	cmd.exe
PID 2524 wrote to memory of 1384	2524	{487D5B2E-3768-4318-800C-998237699D58}.exe	cmd.exe
PID 2524 wrote to memory of 1384	2524	{487D5B2E-3768-4318-800C-998237699D58}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe
C:\Windows\{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe
C:\Windows\{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe
C:\Windows\{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe
C:\Windows\{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe
C:\Windows\{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe
C:\Windows\{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\{487D5B2E-3768-4318-800C-998237699D58}.exe
C:\Windows\{487D5B2E-3768-4318-800C-998237699D58}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe
C:\Windows\{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\{454588A0-3E85-4632-85A6-34D04CB06EC7}.exe
C:\Windows\{454588A0-3E85-4632-85A6-34D04CB06EC7}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\{6DF17821-9B9C-463c-B504-715B963B56E1}.exe
C:\Windows\{6DF17821-9B9C-463c-B504-715B963B56E1}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\{AB7A18AC-C7E2-4610-BF9E-8F858721367D}.exe
C:\Windows\{AB7A18AC-C7E2-4610-BF9E-8F858721367D}.exe
12⤵
- Executes dropped EXE
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6DF17~1.EXE > nul
12⤵
PID:688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{45458~1.EXE > nul
11⤵
PID:488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F8CA0~1.EXE > nul
10⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{487D5~1.EXE > nul
9⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CACC9~1.EXE > nul
8⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4DAE0~1.EXE > nul
7⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{52CC2~1.EXE > nul
6⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{285B1~1.EXE > nul
5⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{585BD~1.EXE > nul
4⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BD69E~1.EXE > nul
3⤵
PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{285B126C-BC6D-4520-859E-EADD9BCDA2F1}.exe

Filesize
408KB

MD5
58ec776d4751e33fd72d3bf0f13432b9

SHA1
3816043d5e27ea39df7d364d1f302518a313595e

SHA256
8c2e7df5d31d49f9eadecb1b31c0b75e7d6ed62def203b1e37d3f3a35b18fe83

SHA512
3b6990f4af32da9cb1277ee77d8095739967239b14a36fdb6000984f08773dfa2fac81d71169fea4027c03fc0f09fa227ab63199c1f324887976784810a77946

Download Submit
C:\Windows\{454588A0-3E85-4632-85A6-34D04CB06EC7}.exe

Filesize
408KB

MD5
5b904c60138407036e5672399e7de3f0

SHA1
d99289345b614bf37930b08e3965db67dd2dbd16

SHA256
916339ae00db7f09cba66ae7b017515ef8323b41b9fddf49b120e9ea8cea60ef

SHA512
aef348f75be12d69808c4a64fade78bc868922a4b3d79c79c9d46829ac3918b823fa1b2619d5cb052cb5f4bd1af9983b837eaa100d57c1139d6c7a501ec0763c

Download Submit
C:\Windows\{487D5B2E-3768-4318-800C-998237699D58}.exe

Filesize
408KB

MD5
d3da573e35bfba542b06bddc9d9f4637

SHA1
47d0d6ef200d34464fd837d7fcc40dc1ca2f8fba

SHA256
d201dcff4eacdf7c49d763701c6e9d217f52346e2b6348c73fb537396a01b681

SHA512
cc72a233f7463f0295c64d151009dc80f086f29da955abb23ec873cccaa0177b04ca928ffaf9a6f8be33443dab16d4c67ee871b0f36c8e9a336064df458741e6

Download Submit
C:\Windows\{4DAE00AC-0CD0-4368-ACB4-5898742D544E}.exe

Filesize
408KB

MD5
ea0ca9ba25eee71ec6e57b7dd7f08740

SHA1
b423dca7097760daa3b1d82d65c969355ea19dd5

SHA256
524c1c00c5efb0daf25e984a746a24d80b18985e32ee8bfe857ebc8235065a01

SHA512
2b279556af52a8aa5505bd2ea57552a393468d2e8b2cfd59a5227c6c0cad639291d47d50c7c6f3687bdde58c5657fd73046263e0dfcd0ffb4af44773d94b6e60

Download Submit
C:\Windows\{52CC2EB4-7A6F-4c0e-8DA0-DF7D2646B102}.exe

Filesize
408KB

MD5
2a4a31a5eb7510b26a74a24d85442733

SHA1
4b1558ec9e458c0e7b008f30c23c6a0d99e5b68c

SHA256
c007a08ed225e0e4623ff1241d784d55397916136cb03473340f04f4cd3631d5

SHA512
53bb86241a999c0b6d588fea2f142adb8e9af5fc4d06cbc6154f7513457e62fdb046378faf0e8a93e75f09257297f68a782a4fd6dee5168cba71d79c58ca6d32

Download Submit
C:\Windows\{585BD939-6C6B-4f0e-BB7E-3CAF31FC017C}.exe

Filesize
408KB

MD5
f66e96b8701ea2a4aadf39f19fbecd86

SHA1
7141f4e8a764a7f5e4683dded9cdcf14dac728bc

SHA256
b38d345b18dd8d5dbdd7f0b16b173657c205a4364ba1296aedec0e2d1e2b92fb

SHA512
22e9efc98207486bb54cf6581dd94c755c40f49f0adc584aecc6d03277c2063329e6f4455fbee7279c3c35659f118e81ba075f5c2fd3812a02b2b85273558347

Download Submit
C:\Windows\{6DF17821-9B9C-463c-B504-715B963B56E1}.exe

Filesize
408KB

MD5
62ca1d90829d72e51c712f92df26987f

SHA1
21a9166c1815590b04d297db7e2edaebfff556eb

SHA256
21bdfaa00a4d7903c9ddcbc83c12409be19f2e90e5d8382aa85a51fddae2b1e4

SHA512
783b5fe40bbcee2a905821d845a59fb3dda15bf8b7abb2f098a9b74ebe98919c9f0dfae3e93be0078f128bd97cf10c9404aec2299fe25c872155b9f2e5db5e65

Download Submit
C:\Windows\{AB7A18AC-C7E2-4610-BF9E-8F858721367D}.exe

Filesize
408KB

MD5
a3f85019ceda5da6cdb13d09e44a3da3

SHA1
9c53919ffd1321d3a7a117790d6284dee4b6fabe

SHA256
1342f5f24315ffcbee6c6b9b9aefd9e8ea33de13d00836aa99e166365f45db47

SHA512
a531fa3248ac629fe97a8c787bd5b8a96599a0a681fd4d9151ad29cf5e85635bc90096eb4b04cf3940494cad0e329c791e3df1464b54a9527d5e6d4cc99bcc71

Download Submit
C:\Windows\{BD69E31E-9854-44dd-9DF8-431A8AFF7EB2}.exe

Filesize
408KB

MD5
2a5359e4f5495a291a4c47366acd408c

SHA1
de44fb2797d9a63b8c1454e92b488e1af2c30a83

SHA256
c15f0889d55541ef8c0dc88f1b963ab1b10d3ccc282e769b00bfa5b984ce6eca

SHA512
02fbe8e416f10f738a5de91e25c9613acabf062c4181cd86f4aa1902ea296eae1db2aad87da8f308f32ba647780e1474c50abc5c159c6e2a7c395fc80681baa1

Download Submit
C:\Windows\{CACC9AA9-5420-4e42-BF3E-1959081076C6}.exe

Filesize
408KB

MD5
91d4ff667753d6461e8e3fc1380cef2a

SHA1
84cab45b8e931945dad265c77c696e679930c272

SHA256
73febd97142628dd603133324cdae2b56d5a897259c9cd10820a2442f4a69773

SHA512
e835e59c5b80ca46dc21c0f915a851bad2f0ee14674ab9d912a610f82787e1d642a26d03c0364ba0a8e599aac1efbf32ed70aa92d3a610e4696ebc1afddbb5bf

Download Submit
C:\Windows\{F8CA0B39-5181-40bb-9BEF-0ED0D815703B}.exe

Filesize
408KB

MD5
d8dabe637aa5a95eb9860c6b367d2516

SHA1
da372cb6fee1e4dc339d8fd10af25998b86acefe

SHA256
0c125dca8c3809288793873f08cbd3cf5456ec96cab61ecfefa1a12f44f18f0a

SHA512
456671683b485e65eb3dd023c7b8d4a9935ebca3af7aa33e23ee88f538af02c878b2e3000555eeba472a3b268e7cec891b677d3ee829688eb6b538f8d0c53de6

Download Submit