9f934c1199d2d4575c805b189e5b875c9c735daa6da909d4ae596fa78307ba46

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe
Size

180KB
MD5

15f977738b53211c934abbb34676df42
SHA1

1baf8df446b4ac9bc884c18dffd7cc84414602ba
SHA256

9f934c1199d2d4575c805b189e5b875c9c735daa6da909d4ae596fa78307ba46
SHA512

16ea8b7dd5f0910609ad7a4b19f60744e658b543d9a1b5e499d8990ef559d42fa3044b9707e36f9704d2463e3d6b12091e798b4658de191f4d23f4cbb01ba88e
SSDEEP

3072:jEGh0oUlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGal5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2416B499-10B6-4452-BF87-1857E38AEA22}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3CD4AA8B-4677-4916-A7FD-463105C90C00}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{2416B499-10B6-4452-BF87-1857E38AEA22}.exe{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B24C0900-607D-44e2-9E86-75D20E2F2306}	{2416B499-10B6-4452-BF87-1857E38AEA22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E82D1422-AD31-4bb7-8873-04ABD111ECA4}\stubpath = "C:\\Windows\\{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe"	{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}\stubpath = "C:\\Windows\\{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe"	{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CD4AA8B-4677-4916-A7FD-463105C90C00}\stubpath = "C:\\Windows\\{3CD4AA8B-4677-4916-A7FD-463105C90C00}.exe"	{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40D68BFD-CB37-447b-83CE-DD70A78528BB}\stubpath = "C:\\Windows\\{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe"	{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B24C0900-607D-44e2-9E86-75D20E2F2306}\stubpath = "C:\\Windows\\{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe"	{2416B499-10B6-4452-BF87-1857E38AEA22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}	{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}	{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2416B499-10B6-4452-BF87-1857E38AEA22}\stubpath = "C:\\Windows\\{2416B499-10B6-4452-BF87-1857E38AEA22}.exe"	{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}	2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}\stubpath = "C:\\Windows\\{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe"	2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40D68BFD-CB37-447b-83CE-DD70A78528BB}	{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B04805-065C-4ee9-B7B4-067BBBD3F97C}	{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B04805-065C-4ee9-B7B4-067BBBD3F97C}\stubpath = "C:\\Windows\\{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe"	{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E54EFBDB-23AB-426d-9D4D-372315C42785}	{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE2D77C4-C536-44fb-B371-071765B3E72B}	{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5785640C-F8EC-4102-A0F7-8367134D8FB4}	{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}\stubpath = "C:\\Windows\\{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe"	{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E82D1422-AD31-4bb7-8873-04ABD111ECA4}	{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CD4AA8B-4677-4916-A7FD-463105C90C00}	{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E54EFBDB-23AB-426d-9D4D-372315C42785}\stubpath = "C:\\Windows\\{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe"	{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE2D77C4-C536-44fb-B371-071765B3E72B}\stubpath = "C:\\Windows\\{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe"	{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2416B499-10B6-4452-BF87-1857E38AEA22}	{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5785640C-F8EC-4102-A0F7-8367134D8FB4}\stubpath = "C:\\Windows\\{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe"	{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe

Executes dropped EXE 12 IoCs

Processes:

{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe{2416B499-10B6-4452-BF87-1857E38AEA22}.exe{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe{3CD4AA8B-4677-4916-A7FD-463105C90C00}.exe

pid	process
4360	{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe
3180	{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe
2648	{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe
4236	{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe
3256	{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe
1072	{2416B499-10B6-4452-BF87-1857E38AEA22}.exe
1008	{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe
2548	{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe
4868	{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe
3588	{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe
4396	{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe
4896	{3CD4AA8B-4677-4916-A7FD-463105C90C00}.exe

Drops file in Windows directory 12 IoCs

Processes:

{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe{2416B499-10B6-4452-BF87-1857E38AEA22}.exe{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe

description	ioc	process
File created	C:\Windows\{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe	{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe
File created	C:\Windows\{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe	{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe
File created	C:\Windows\{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe	{2416B499-10B6-4452-BF87-1857E38AEA22}.exe
File created	C:\Windows\{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe	{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe
File created	C:\Windows\{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe	2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe
File created	C:\Windows\{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe	{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe
File created	C:\Windows\{2416B499-10B6-4452-BF87-1857E38AEA22}.exe	{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe
File created	C:\Windows\{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe	{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe
File created	C:\Windows\{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe	{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe
File created	C:\Windows\{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe	{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe
File created	C:\Windows\{3CD4AA8B-4677-4916-A7FD-463105C90C00}.exe	{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe
File created	C:\Windows\{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe	{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe{2416B499-10B6-4452-BF87-1857E38AEA22}.exe{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3888	2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4360	{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe
Token: SeIncBasePriorityPrivilege	3180	{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe
Token: SeIncBasePriorityPrivilege	2648	{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe
Token: SeIncBasePriorityPrivilege	4236	{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe
Token: SeIncBasePriorityPrivilege	3256	{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe
Token: SeIncBasePriorityPrivilege	1072	{2416B499-10B6-4452-BF87-1857E38AEA22}.exe
Token: SeIncBasePriorityPrivilege	1008	{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe
Token: SeIncBasePriorityPrivilege	2548	{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe
Token: SeIncBasePriorityPrivilege	4868	{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe
Token: SeIncBasePriorityPrivilege	3588	{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe
Token: SeIncBasePriorityPrivilege	4396	{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3888 wrote to memory of 4360	3888	2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe	{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe
PID 3888 wrote to memory of 4360	3888	2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe	{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe
PID 3888 wrote to memory of 4360	3888	2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe	{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe
PID 3888 wrote to memory of 3236	3888	2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe	cmd.exe
PID 3888 wrote to memory of 3236	3888	2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe	cmd.exe
PID 3888 wrote to memory of 3236	3888	2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe	cmd.exe
PID 4360 wrote to memory of 3180	4360	{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe	{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe
PID 4360 wrote to memory of 3180	4360	{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe	{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe
PID 4360 wrote to memory of 3180	4360	{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe	{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe
PID 4360 wrote to memory of 2620	4360	{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe	cmd.exe
PID 4360 wrote to memory of 2620	4360	{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe	cmd.exe
PID 4360 wrote to memory of 2620	4360	{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe	cmd.exe
PID 3180 wrote to memory of 2648	3180	{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe	{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe
PID 3180 wrote to memory of 2648	3180	{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe	{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe
PID 3180 wrote to memory of 2648	3180	{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe	{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe
PID 3180 wrote to memory of 816	3180	{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe	cmd.exe
PID 3180 wrote to memory of 816	3180	{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe	cmd.exe
PID 3180 wrote to memory of 816	3180	{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe	cmd.exe
PID 2648 wrote to memory of 4236	2648	{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe	{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe
PID 2648 wrote to memory of 4236	2648	{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe	{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe
PID 2648 wrote to memory of 4236	2648	{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe	{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe
PID 2648 wrote to memory of 4816	2648	{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe	cmd.exe
PID 2648 wrote to memory of 4816	2648	{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe	cmd.exe
PID 2648 wrote to memory of 4816	2648	{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe	cmd.exe
PID 4236 wrote to memory of 3256	4236	{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe	{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe
PID 4236 wrote to memory of 3256	4236	{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe	{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe
PID 4236 wrote to memory of 3256	4236	{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe	{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe
PID 4236 wrote to memory of 1740	4236	{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe	cmd.exe
PID 4236 wrote to memory of 1740	4236	{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe	cmd.exe
PID 4236 wrote to memory of 1740	4236	{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe	cmd.exe
PID 3256 wrote to memory of 1072	3256	{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe	{2416B499-10B6-4452-BF87-1857E38AEA22}.exe
PID 3256 wrote to memory of 1072	3256	{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe	{2416B499-10B6-4452-BF87-1857E38AEA22}.exe
PID 3256 wrote to memory of 1072	3256	{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe	{2416B499-10B6-4452-BF87-1857E38AEA22}.exe
PID 3256 wrote to memory of 2160	3256	{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe	cmd.exe
PID 3256 wrote to memory of 2160	3256	{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe	cmd.exe
PID 3256 wrote to memory of 2160	3256	{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe	cmd.exe
PID 1072 wrote to memory of 1008	1072	{2416B499-10B6-4452-BF87-1857E38AEA22}.exe	{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe
PID 1072 wrote to memory of 1008	1072	{2416B499-10B6-4452-BF87-1857E38AEA22}.exe	{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe
PID 1072 wrote to memory of 1008	1072	{2416B499-10B6-4452-BF87-1857E38AEA22}.exe	{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe
PID 1072 wrote to memory of 2316	1072	{2416B499-10B6-4452-BF87-1857E38AEA22}.exe	cmd.exe
PID 1072 wrote to memory of 2316	1072	{2416B499-10B6-4452-BF87-1857E38AEA22}.exe	cmd.exe
PID 1072 wrote to memory of 2316	1072	{2416B499-10B6-4452-BF87-1857E38AEA22}.exe	cmd.exe
PID 1008 wrote to memory of 2548	1008	{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe	{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe
PID 1008 wrote to memory of 2548	1008	{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe	{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe
PID 1008 wrote to memory of 2548	1008	{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe	{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe
PID 1008 wrote to memory of 2636	1008	{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe	cmd.exe
PID 1008 wrote to memory of 2636	1008	{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe	cmd.exe
PID 1008 wrote to memory of 2636	1008	{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe	cmd.exe
PID 2548 wrote to memory of 4868	2548	{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe	{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe
PID 2548 wrote to memory of 4868	2548	{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe	{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe
PID 2548 wrote to memory of 4868	2548	{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe	{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe
PID 2548 wrote to memory of 3212	2548	{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe	cmd.exe
PID 2548 wrote to memory of 3212	2548	{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe	cmd.exe
PID 2548 wrote to memory of 3212	2548	{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe	cmd.exe
PID 4868 wrote to memory of 3588	4868	{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe	{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe
PID 4868 wrote to memory of 3588	4868	{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe	{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe
PID 4868 wrote to memory of 3588	4868	{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe	{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe
PID 4868 wrote to memory of 1496	4868	{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe	cmd.exe
PID 4868 wrote to memory of 1496	4868	{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe	cmd.exe
PID 4868 wrote to memory of 1496	4868	{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe	cmd.exe
PID 3588 wrote to memory of 4396	3588	{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe	{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe
PID 3588 wrote to memory of 4396	3588	{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe	{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe
PID 3588 wrote to memory of 4396	3588	{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe	{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe
PID 3588 wrote to memory of 4524	3588	{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_15f977738b53211c934abbb34676df42_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe
C:\Windows\{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe
C:\Windows\{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{40D68~1.EXE > nul
4⤵
PID:816

C:\Windows\{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe
C:\Windows\{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe
C:\Windows\{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe
C:\Windows\{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\{2416B499-10B6-4452-BF87-1857E38AEA22}.exe
C:\Windows\{2416B499-10B6-4452-BF87-1857E38AEA22}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe
C:\Windows\{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe
C:\Windows\{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe
C:\Windows\{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe
C:\Windows\{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe
C:\Windows\{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\{3CD4AA8B-4677-4916-A7FD-463105C90C00}.exe
C:\Windows\{3CD4AA8B-4677-4916-A7FD-463105C90C00}.exe
13⤵
- Executes dropped EXE
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9D6E8~1.EXE > nul
13⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E82D1~1.EXE > nul
12⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8B9F7~1.EXE > nul
11⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{57856~1.EXE > nul
10⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B24C0~1.EXE > nul
9⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2416B~1.EXE > nul
8⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FE2D7~1.EXE > nul
7⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E54EF~1.EXE > nul
6⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{08B04~1.EXE > nul
5⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{32FBD~1.EXE > nul
3⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08B04805-065C-4ee9-B7B4-067BBBD3F97C}.exe

Filesize
180KB

MD5
72f40f50e697abe38f00a6b4a39b2656

SHA1
ac5540a06727269df86b3b36f08aced6a1c42f3f

SHA256
5603e80f2c57ec2db76fa93c3b2fde09307c937f48b5c0439038f1bae8ea80b9

SHA512
97208edc7438b60c5bf0ac4c058b640cf0a631b29bb94f21f54fb0e0abbeea9cea50e1721c2d1f05c09e34022782fcdc59618b6a1a79660593e1b701f43080ab

Download Submit
C:\Windows\{2416B499-10B6-4452-BF87-1857E38AEA22}.exe

Filesize
180KB

MD5
cb380698646bb5daebcf0b338334bb53

SHA1
8401783d2715fe9bcd4eba255a23c9aa1b057cbc

SHA256
d873bc7b9b6e8df014158cccb6f43521c2f5a2e34830dfcb371e2d671587a92b

SHA512
fbc15ecab32dc3dc5b6f85941f7188c9d83712931bf8b85d81d51876c07ad3801af1ce9ea0c46a671c51fc9fc16d3d41927d6a7466843362bbf3f209be83b497

Download Submit
C:\Windows\{32FBD9E9-A634-4c2b-883E-BD66C52AE9C3}.exe

Filesize
180KB

MD5
a342b19f7eb0e9907e237b478c287340

SHA1
7660dd112fd8501654e6edd8faf4cf1884b8a627

SHA256
e6df068c248d1168b13f370263036f5d1211659c5e4c7e50f44a6fe3a08b7a58

SHA512
3ee0d64f8be5cf3ced96675da19ed2c15a11a45e6c7e991f339c7791e3d4f6c2918379a464ef03f3b83a8596ec5f95e00a3dd124225e7cb3545c016457d39983

Download Submit
C:\Windows\{3CD4AA8B-4677-4916-A7FD-463105C90C00}.exe

Filesize
180KB

MD5
a7750723d966b9f4fb4fd6376a15eb99

SHA1
e56f7d6e207bebec75e35c2a1c14cc80d97e5b3c

SHA256
12112bc3588b4ae891380f0852cef51c677c6264629d7503a2e05448507d1373

SHA512
6990aceb33f6ca0ffc2c09a9fc480d481f397d67700217e90585d117d3bf5c5725209ac4fb5bd2a6ae7097b6d7960edbd55da98cd409bdf02258adf3ab548454

Download Submit
C:\Windows\{40D68BFD-CB37-447b-83CE-DD70A78528BB}.exe

Filesize
180KB

MD5
893b939daea43f3893fe0a26089929d9

SHA1
9c12e6f368ee128111e880818acaf3204df9ee43

SHA256
4f2aefed22bd3c98735bc4fc32fa4cf7237765fc1b6a130adc9cb1009143fba2

SHA512
5a880945c3dbd764be0b4b081b7cf8033eb6fefdf3d1eb783080be857cb1c7aaeb68cb02ed4b3c880aac626fbd69e9ac5630bfe59cda7c0290f2f14bed321455

Download Submit
C:\Windows\{5785640C-F8EC-4102-A0F7-8367134D8FB4}.exe

Filesize
180KB

MD5
fd64e6f793cbaa4f42cebfaa060be0d0

SHA1
670cc3047fc179a6a0e4fd593d568a7c699225a2

SHA256
c105a9ab57577280f014269d715d17119ebf53879b15cd62ad3d5ade07686bbd

SHA512
7432793c3f368b7200c403b1b2d2724da6775be364afbee7ee0ae591dcecee4c95370cca4604487dbcc2013c24a346832340a134b1849bcaef9a5240202dcab8

Download Submit
C:\Windows\{8B9F7D5C-3251-47eb-9564-B3EA393E1D93}.exe

Filesize
180KB

MD5
97d492c115fc3bf1f09366200e1b6c73

SHA1
1c2bc62fd32493cb3e27d9bde249822c11628df5

SHA256
2108d503fb02d9c4a10c778a5e6cd718cb7ff9ff6ab0ce2fb6aae4dffce56baa

SHA512
b3b2c93fd4ea5e4b19fd92d9580d07ae73b020ec2daf89a4310589d12075f95b650799fc06293a90e3351d85b5bee7582c7eb9518fcc9dc2cdc89ed20ed1e5c6

Download Submit
C:\Windows\{9D6E8BC6-4A1A-4bbe-AC11-8ABAE3F39845}.exe

Filesize
180KB

MD5
d083e80401931e45f9ec9b3126c0d3ca

SHA1
1423fbdd5d0d064bc23c8c097fd992de51e542f5

SHA256
cfa1cd85a2fb2dbab77503d7b1e223b1aad7b63cd88b300468ba6d083f49603e

SHA512
3176d492c71249a5a9b9f6cc6465a678d1e9d484cf42132bdbddc6d382b68d471ec1ec8aba74b640407a58a94ca7dabb22cc70900edb7ae498112ab0d485acff

Download Submit
C:\Windows\{B24C0900-607D-44e2-9E86-75D20E2F2306}.exe

Filesize
180KB

MD5
a6ea84cd0947b528e6df773a99ae0bdd

SHA1
b0e0e2beef9d0a93c384fd06ed27444a9988e34b

SHA256
549c205e1f9ed78e9f912aa622a140658c672fe8b937d3645e4ded5b67ecf719

SHA512
fcf620b3294661d718a5136ec2028d709506edb16efb163599f175cd2453f38dd07dd460ea3dfa98234659100d1dbfff4356fb7c620135bf0bbbebe59339dcb9

Download Submit
C:\Windows\{E54EFBDB-23AB-426d-9D4D-372315C42785}.exe

Filesize
180KB

MD5
4373958371aebb9d937b6625712f6a25

SHA1
2402b1433200e8926c77407e196b562e3e81807e

SHA256
ef845541db2ebc53a4a6cb47bc5600277520129cb123276c06c433c1d0b3bee9

SHA512
1e5691845d188fecb226138a63ad5f2499f63548f120dcdeca6c8ed2aa72f3f752f7edd989abb91f571ff4568b4d4c252200bffb74d32a7b34fae72b230aa7bb

Download Submit
C:\Windows\{E82D1422-AD31-4bb7-8873-04ABD111ECA4}.exe

Filesize
180KB

MD5
5f18415dfa4c9b96ccfb25091e44a01d

SHA1
ae734fa2506f3119b8341b236d9146b2aabb1f51

SHA256
0aab9555b8b0e907db35bd2d4301a3cfb568d033b388f060a03a5d4d2ff045c5

SHA512
fa642ad3934e7b33ebf7147a2422e5df5c880e3693484cc4a2b5f749a9ebb920bbbbc77e8d2250e1efc22753f530c6470443bf141bfbe1879c8fcd0dd99f7263

Download Submit
C:\Windows\{FE2D77C4-C536-44fb-B371-071765B3E72B}.exe

Filesize
180KB

MD5
d2128dbd268314c29c0d58f5f550cf3f

SHA1
49ca984a1a72cd7d9bc57c34c9680066757ed5e5

SHA256
bb961d929d07e2e1a51f0e33a3aa9d0e325a87a66065c6a71518348a89142bba

SHA512
2309ddd4854ad3988cec4f06aed975867529d4d969189e220ef63acebd2799e601a088d9709afbb2029c63d4e697d3d1cd70f70e900c66c9aa76cffa47a8365d

Download Submit