6e692d6eab37f23c74ee44f194cadabf00b0f68e0b4f190127115e92bb31bac4

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe
Size

408KB
MD5

e7c152293bc1412d0d44ac4e0e252dbf
SHA1

efd0633ff3c453f8d530496ed539b2dc82401099
SHA256

6e692d6eab37f23c74ee44f194cadabf00b0f68e0b4f190127115e92bb31bac4
SHA512

28a9b03613f066b122b2232013fc6314f85526692b7731a54d3249f94ddf588927baa5a577033a100b69c19dc63a72faea82074365e1591f9ad94343d67c6964
SSDEEP

3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

Processes:

resource	yara_rule
C:\Windows\{E8531596-2F3A-405e-84FC-61041A4145DE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E8531596-2F3A-405e-84FC-61041A4145DE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1B583FB7-CDE8-4f8a-BE30-9783B82BEF1A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe{E8531596-2F3A-405e-84FC-61041A4145DE}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}\stubpath = "C:\\Windows\\{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe"	{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}	{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8531596-2F3A-405e-84FC-61041A4145DE}	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A70D8C64-89AA-4944-B7CF-B8BE374BC508}\stubpath = "C:\\Windows\\{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe"	{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}\stubpath = "C:\\Windows\\{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe"	{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4007B88-5AF3-472c-836B-79F2F60010C6}	{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCF8F896-0EAA-4e01-8034-2CE3BC317013}	{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}	{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B583FB7-CDE8-4f8a-BE30-9783B82BEF1A}\stubpath = "C:\\Windows\\{1B583FB7-CDE8-4f8a-BE30-9783B82BEF1A}.exe"	{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69CC9655-8AA3-4ce0-B607-40913C920B62}\stubpath = "C:\\Windows\\{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe"	{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7EA7EAD-F984-4555-BC67-A72ED237D745}	{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF846BF1-4808-4b40-8EC7-452C43BD5303}	{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCF8F896-0EAA-4e01-8034-2CE3BC317013}\stubpath = "C:\\Windows\\{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe"	{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}	{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4007B88-5AF3-472c-836B-79F2F60010C6}\stubpath = "C:\\Windows\\{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe"	{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}\stubpath = "C:\\Windows\\{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe"	{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B583FB7-CDE8-4f8a-BE30-9783B82BEF1A}	{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF846BF1-4808-4b40-8EC7-452C43BD5303}\stubpath = "C:\\Windows\\{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe"	{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8531596-2F3A-405e-84FC-61041A4145DE}\stubpath = "C:\\Windows\\{E8531596-2F3A-405e-84FC-61041A4145DE}.exe"	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}	{E8531596-2F3A-405e-84FC-61041A4145DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}\stubpath = "C:\\Windows\\{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe"	{E8531596-2F3A-405e-84FC-61041A4145DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69CC9655-8AA3-4ce0-B607-40913C920B62}	{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A70D8C64-89AA-4944-B7CF-B8BE374BC508}	{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7EA7EAD-F984-4555-BC67-A72ED237D745}\stubpath = "C:\\Windows\\{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe"	{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe

Executes dropped EXE 12 IoCs

Processes:

{E8531596-2F3A-405e-84FC-61041A4145DE}.exe{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe{1B583FB7-CDE8-4f8a-BE30-9783B82BEF1A}.exe

pid	process
3844	{E8531596-2F3A-405e-84FC-61041A4145DE}.exe
2728	{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe
868	{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe
2936	{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe
1836	{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe
856	{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe
516	{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe
2404	{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe
2816	{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe
4504	{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe
4844	{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe
3224	{1B583FB7-CDE8-4f8a-BE30-9783B82BEF1A}.exe

Drops file in Windows directory 12 IoCs

Processes:

{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe{E8531596-2F3A-405e-84FC-61041A4145DE}.exe{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe

description	ioc	process
File created	C:\Windows\{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe	{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe
File created	C:\Windows\{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe	{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe
File created	C:\Windows\{1B583FB7-CDE8-4f8a-BE30-9783B82BEF1A}.exe	{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe
File created	C:\Windows\{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe	{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe
File created	C:\Windows\{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe	{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe
File created	C:\Windows\{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe	{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe
File created	C:\Windows\{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe	{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe
File created	C:\Windows\{E8531596-2F3A-405e-84FC-61041A4145DE}.exe	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe
File created	C:\Windows\{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe	{E8531596-2F3A-405e-84FC-61041A4145DE}.exe
File created	C:\Windows\{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe	{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe
File created	C:\Windows\{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe	{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe
File created	C:\Windows\{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe	{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe{E8531596-2F3A-405e-84FC-61041A4145DE}.exe{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1440	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3844	{E8531596-2F3A-405e-84FC-61041A4145DE}.exe
Token: SeIncBasePriorityPrivilege	2728	{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe
Token: SeIncBasePriorityPrivilege	868	{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe
Token: SeIncBasePriorityPrivilege	2936	{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe
Token: SeIncBasePriorityPrivilege	1836	{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe
Token: SeIncBasePriorityPrivilege	856	{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe
Token: SeIncBasePriorityPrivilege	516	{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe
Token: SeIncBasePriorityPrivilege	2404	{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe
Token: SeIncBasePriorityPrivilege	2816	{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe
Token: SeIncBasePriorityPrivilege	4504	{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe
Token: SeIncBasePriorityPrivilege	4844	{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1440 wrote to memory of 3844	1440	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe	{E8531596-2F3A-405e-84FC-61041A4145DE}.exe
PID 1440 wrote to memory of 3844	1440	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe	{E8531596-2F3A-405e-84FC-61041A4145DE}.exe
PID 1440 wrote to memory of 3844	1440	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe	{E8531596-2F3A-405e-84FC-61041A4145DE}.exe
PID 1440 wrote to memory of 1640	1440	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe	cmd.exe
PID 1440 wrote to memory of 1640	1440	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe	cmd.exe
PID 1440 wrote to memory of 1640	1440	2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe	cmd.exe
PID 3844 wrote to memory of 2728	3844	{E8531596-2F3A-405e-84FC-61041A4145DE}.exe	{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe
PID 3844 wrote to memory of 2728	3844	{E8531596-2F3A-405e-84FC-61041A4145DE}.exe	{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe
PID 3844 wrote to memory of 2728	3844	{E8531596-2F3A-405e-84FC-61041A4145DE}.exe	{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe
PID 3844 wrote to memory of 3040	3844	{E8531596-2F3A-405e-84FC-61041A4145DE}.exe	cmd.exe
PID 3844 wrote to memory of 3040	3844	{E8531596-2F3A-405e-84FC-61041A4145DE}.exe	cmd.exe
PID 3844 wrote to memory of 3040	3844	{E8531596-2F3A-405e-84FC-61041A4145DE}.exe	cmd.exe
PID 2728 wrote to memory of 868	2728	{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe	{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe
PID 2728 wrote to memory of 868	2728	{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe	{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe
PID 2728 wrote to memory of 868	2728	{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe	{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe
PID 2728 wrote to memory of 4948	2728	{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe	cmd.exe
PID 2728 wrote to memory of 4948	2728	{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe	cmd.exe
PID 2728 wrote to memory of 4948	2728	{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe	cmd.exe
PID 868 wrote to memory of 2936	868	{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe	{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe
PID 868 wrote to memory of 2936	868	{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe	{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe
PID 868 wrote to memory of 2936	868	{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe	{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe
PID 868 wrote to memory of 1296	868	{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe	cmd.exe
PID 868 wrote to memory of 1296	868	{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe	cmd.exe
PID 868 wrote to memory of 1296	868	{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe	cmd.exe
PID 2936 wrote to memory of 1836	2936	{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe	{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe
PID 2936 wrote to memory of 1836	2936	{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe	{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe
PID 2936 wrote to memory of 1836	2936	{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe	{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe
PID 2936 wrote to memory of 1940	2936	{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe	cmd.exe
PID 2936 wrote to memory of 1940	2936	{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe	cmd.exe
PID 2936 wrote to memory of 1940	2936	{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe	cmd.exe
PID 1836 wrote to memory of 856	1836	{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe	{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe
PID 1836 wrote to memory of 856	1836	{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe	{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe
PID 1836 wrote to memory of 856	1836	{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe	{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe
PID 1836 wrote to memory of 2892	1836	{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe	cmd.exe
PID 1836 wrote to memory of 2892	1836	{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe	cmd.exe
PID 1836 wrote to memory of 2892	1836	{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe	cmd.exe
PID 856 wrote to memory of 516	856	{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe	{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe
PID 856 wrote to memory of 516	856	{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe	{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe
PID 856 wrote to memory of 516	856	{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe	{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe
PID 856 wrote to memory of 1324	856	{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe	cmd.exe
PID 856 wrote to memory of 1324	856	{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe	cmd.exe
PID 856 wrote to memory of 1324	856	{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe	cmd.exe
PID 516 wrote to memory of 2404	516	{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe	{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe
PID 516 wrote to memory of 2404	516	{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe	{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe
PID 516 wrote to memory of 2404	516	{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe	{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe
PID 516 wrote to memory of 3384	516	{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe	cmd.exe
PID 516 wrote to memory of 3384	516	{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe	cmd.exe
PID 516 wrote to memory of 3384	516	{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe	cmd.exe
PID 2404 wrote to memory of 2816	2404	{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe	{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe
PID 2404 wrote to memory of 2816	2404	{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe	{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe
PID 2404 wrote to memory of 2816	2404	{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe	{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe
PID 2404 wrote to memory of 3336	2404	{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe	cmd.exe
PID 2404 wrote to memory of 3336	2404	{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe	cmd.exe
PID 2404 wrote to memory of 3336	2404	{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe	cmd.exe
PID 2816 wrote to memory of 4504	2816	{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe	{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe
PID 2816 wrote to memory of 4504	2816	{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe	{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe
PID 2816 wrote to memory of 4504	2816	{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe	{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe
PID 2816 wrote to memory of 3572	2816	{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe	cmd.exe
PID 2816 wrote to memory of 3572	2816	{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe	cmd.exe
PID 2816 wrote to memory of 3572	2816	{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe	cmd.exe
PID 4504 wrote to memory of 4844	4504	{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe	{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe
PID 4504 wrote to memory of 4844	4504	{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe	{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe
PID 4504 wrote to memory of 4844	4504	{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe	{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe
PID 4504 wrote to memory of 1312	4504	{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_e7c152293bc1412d0d44ac4e0e252dbf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\{E8531596-2F3A-405e-84FC-61041A4145DE}.exe
C:\Windows\{E8531596-2F3A-405e-84FC-61041A4145DE}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe
C:\Windows\{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DC56B~1.EXE > nul
4⤵
PID:4948

C:\Windows\{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe
C:\Windows\{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe
C:\Windows\{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe
C:\Windows\{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe
C:\Windows\{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe
C:\Windows\{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe
C:\Windows\{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe
C:\Windows\{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe
C:\Windows\{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe
C:\Windows\{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\{1B583FB7-CDE8-4f8a-BE30-9783B82BEF1A}.exe
C:\Windows\{1B583FB7-CDE8-4f8a-BE30-9783B82BEF1A}.exe
13⤵
- Executes dropped EXE
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C75E8~1.EXE > nul
13⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A7B50~1.EXE > nul
12⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CCF8F~1.EXE > nul
11⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AF846~1.EXE > nul
10⤵
PID:3336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A4007~1.EXE > nul
9⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7DC62~1.EXE > nul
8⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C7EA7~1.EXE > nul
7⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A70D8~1.EXE > nul
6⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{69CC9~1.EXE > nul
5⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E8531~1.EXE > nul
3⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B583FB7-CDE8-4f8a-BE30-9783B82BEF1A}.exe

Filesize
408KB

MD5
66a28901fdc0eb5d60b6c99f74b15eae

SHA1
be4a18dacc12f291786f83ca646eddd286e4603c

SHA256
0d7bce4c0e5e81ffc8fea4049a86cd12e4f47dd694b6c4fa3c549e00362f8d84

SHA512
343544ba23fc1157eaf8b8da38da0e79a35b5e39f01bb95263110c1f840da675db9ec5f105b39a18592f80f1fbceb9f9aa1c60386397e580573d3fffa3ff31d1

Download Submit
C:\Windows\{69CC9655-8AA3-4ce0-B607-40913C920B62}.exe

Filesize
408KB

MD5
e0dc01c12932d0f82cc022360fcbfcb7

SHA1
3ed5aa4a174ca8c935d3646cbdc1ea23fecb44a6

SHA256
df606d885a7f17647fa5ca5e5a9a8e70b0391e5a33e51c1e5762dee6fa27b332

SHA512
f2f5e05595aa87ff922052bcd93fc3057d6ef35c237002c5df38e8a80ef7426498ead6fa50921724b5525d077eafda07fbc8c6e32870105e91f22044c11e9aae

Download Submit
C:\Windows\{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe

Filesize
192KB

MD5
627cb7c3f6d5a4c53fcbc96431b77089

SHA1
ce0d6f66edb52cfad377df925b6f48304036b50b

SHA256
939205dfe917a304430c9ed73f87b4a01f50b1bc81e7ec542d8f866a311448b2

SHA512
4d3bbfda136727d29c7621ea1ab6ae06e9b4b990da5e92b71dfb39778ed216b7e27925a9368dc1276216ef07eff1c4ce0506a17a470f0bdb07f09116cc98b78d

Download Submit
C:\Windows\{7DC62176-3DAA-4481-9F83-DA990C8DEB9C}.exe

Filesize
162KB

MD5
f3511dbec7282a1c2b29ec993ce809f7

SHA1
dd2f3f6bdf9c78c68891c8b41db4b3dec5725579

SHA256
68f3e540b6d5cd66cedebcef180d00c28f6a411dd1c9eb36e6a1d8d178fb5509

SHA512
b04060af8f44afa16d35dc94f973a6774d16cfd103b77cea69533479a932efabfcfd8220aa155be1d91b93ed9da6b240844c90e60c477e56175d7f2635be272b

Download Submit
C:\Windows\{A4007B88-5AF3-472c-836B-79F2F60010C6}.exe

Filesize
408KB

MD5
f5c74dc02d93f3cae8d10f023078293b

SHA1
5217cc837c162b7fd035e9079bfc0893cef7309b

SHA256
946204aca9f6c84c1a3eb83c3a1895bec7770015f038771b717094b99ba6811b

SHA512
b07d24d8d5a15290eedce43b801a02af497174680ec2d987604dcf7d70e8abc52642c497b9484f2ed20106f51a85103433d6e71b838323f50d0bc9a1911913b4

Download Submit
C:\Windows\{A70D8C64-89AA-4944-B7CF-B8BE374BC508}.exe

Filesize
408KB

MD5
a53eb85695f7101fd817bc5dbdbb6a35

SHA1
018b170d8421282a61ae52395514d2b26b05c7d3

SHA256
0b87d69b62b62042fa67a0670d2c5aefe0984856e1aef9a0c9926f9a1f8f074d

SHA512
4fd336bd97a05612db97257c6008deb7a097c364e014184865fba98e69caf46e6979516117b341f664dd9314e2a68e67a15d78e91b1387ae075e90596fc020b5

Download Submit
C:\Windows\{A7B50A7B-44E6-42f3-8E18-3B57A617ACF5}.exe

Filesize
408KB

MD5
1c8af5bdc7b67b5237c82f08ae3c3383

SHA1
b081c5c94a68d8fcbce10cddaf6423a854347fb9

SHA256
35753b9986a15a84a9d40722d09e0fab6decd7f0514dfe9a7025c85d83a0efb0

SHA512
81b33cbe4a74cda4089ec8009bab5bb14063a187b336f823966503b5db8b14c9e75b24cbdf358b38e0f0cbb9332d1efb2777e717ab90308ebc10c87362b70c81

Download Submit
C:\Windows\{AF846BF1-4808-4b40-8EC7-452C43BD5303}.exe

Filesize
408KB

MD5
a9e83ed8fec74907bac925ef6afe10ee

SHA1
5944387fe1649c888d5f7b220ef3dbe58c98c3da

SHA256
44fc5e3922af03a502cf6225a21db7080eaa2faedba083a06cb7f8e3e3ba8402

SHA512
04d338a1ef68b7735cd2a1c96bac538ec1fccbea628cf1be4e016e6485deb968235945ddea2ede2469dbbf847eaf428baf9608090afc9652963ada7342a03dbd

Download Submit
C:\Windows\{C75E8FB2-95DD-4aa4-ABF0-A12DEA0F0D7E}.exe

Filesize
408KB

MD5
aa8e5b309586a9039839e5e9e5ad17cf

SHA1
03b56ca5743d354fa0cd94b0b755668d1a162062

SHA256
37a864e34fa87a52afe6deab31abe83c0eea2fb972fa759a8bc5a68d7d7f67db

SHA512
4aab77a6f86527fb797a505a53fd7fa4ffbec80d6ee2fc4f8e21e1e2cf70b8785637146f44fb5021ffb04cb765dbd7baf5311ea0ba775d6b4ad5fb906838a099

Download Submit
C:\Windows\{C7EA7EAD-F984-4555-BC67-A72ED237D745}.exe

Filesize
408KB

MD5
22cc946ad408eae37dfe88c666126a1f

SHA1
1ec1e7b9c1080585df5c57080f28f4244eef14bf

SHA256
ce804cb008adffb72475cbc5aa0220bbf59e4e1c81af0320bf1a041e6fd13120

SHA512
9d60a57af9880d5c1bef1e33b8c648dc7bbd98630c6201a8659e54bf197a3d28b5b34e49d2c443217772dbe7b73e4f5691c856e10c06a59b61e4afc627bbc492

Download Submit
C:\Windows\{CCF8F896-0EAA-4e01-8034-2CE3BC317013}.exe

Filesize
408KB

MD5
7d7382e4120baf252d95953dcde7d67c

SHA1
a0bb4d769f181e663fe19b97e9e68d5016a68367

SHA256
d87350ecfd8f8d360c47dc7c5adbe3c6f80775a60bedb605725539653f9a1a62

SHA512
810040749028e54a76a39119b7b9151493c69bcb0f7017291b3260ed220ad4b2df9412ee4aeb62d4aaea0470dcaae726b46348aa724632d741d97057dc5474f5

Download Submit
C:\Windows\{DC56B0AE-B4D9-44d4-9D2C-3DF0071E11FF}.exe

Filesize
408KB

MD5
2d9c79ef4fcea0d4f98ed59cd2de20bb

SHA1
46725c51c28cc1a6f244990265aa198464dd0006

SHA256
41184865ba953596722432d985e20d092d909ff8d152ecc05c238f4d10068142

SHA512
965d5c05ef9335cd0121ffa564b4f39ffcc5c8b81264433f1f12051ebf4fd1f775985895b647c13fe0ab862a44819b0e82a9b2d7f74fa181d9d8d41ab6459490

Download Submit
C:\Windows\{E8531596-2F3A-405e-84FC-61041A4145DE}.exe

Filesize
408KB

MD5
c5b9a5dfe949aa141d69f7e89ea48b85

SHA1
6c89fe7aaee1c2c59ebdf5f04adb10de06aa9550

SHA256
d38de91b39b06a09e501f34da84a9ef5958de1e9304e371cf62a214ef25dc6c6

SHA512
7cdc9ac24bda453ca7eac720973cb22e03fc039938db13217316c78181f73422e3b292d3300ffe4ae84417ed192db74fa6a4863905ece167a02fa2cdeb15fa4a

Download Submit
C:\Windows\{E8531596-2F3A-405e-84FC-61041A4145DE}.exe

Filesize
335KB

MD5
8a5538d17c1cb85ce940044cff22ac0d

SHA1
11220459ebd30935d1d7ce609c70d07cb46e4929

SHA256
ffc3195860852374ff7b796d02f2ab36192f412f546fc453fe277bfbbe3f27e9

SHA512
cfaf310268a8c0d6062c65a48ad47d6c8afbfd298a196875b051d5e7aa217c91b4a84cad6f1e756892f7797db14dd8e9623acfb0b7f08172a78af176577f15ad

Download Submit