0c4457ce496935159ba5a3beff84db4ffb48e8c3d1f0750a4772243d88d22643

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe
Size

380KB
MD5

bcfc3df16adba25b9b2f9c723704dc7e
SHA1

89a494db31a590fd40782a09cb889101204a6259
SHA256

0c4457ce496935159ba5a3beff84db4ffb48e8c3d1f0750a4772243d88d22643
SHA512

1b5749c8a7211104a57a4e86d64d7469bd380ad84d4f9ae72b525c27c10e66e2089b787bef7c2d9dfca5fa2286bbed62a769213d173840dfea6d6433a3421f53
SSDEEP

3072:mEGh0oNlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGXl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B8424E18-8976-4965-B658-B494671CD70F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{29365171-1B47-44a9-958A-D7745171BA83}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F0BB87BF-9E5B-49dc-8773-1632638ADD8B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{29365171-1B47-44a9-958A-D7745171BA83}.exe{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe{B8424E18-8976-4965-B658-B494671CD70F}.exe{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0BB87BF-9E5B-49dc-8773-1632638ADD8B}	{29365171-1B47-44a9-958A-D7745171BA83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}\stubpath = "C:\\Windows\\{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe"	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}\stubpath = "C:\\Windows\\{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe"	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBCEB609-19EB-446a-91C4-340A0D0016CD}\stubpath = "C:\\Windows\\{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe"	{B8424E18-8976-4965-B658-B494671CD70F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}	{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29365171-1B47-44a9-958A-D7745171BA83}\stubpath = "C:\\Windows\\{29365171-1B47-44a9-958A-D7745171BA83}.exe"	{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}\stubpath = "C:\\Windows\\{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe"	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEE10B80-B346-4335-9232-B28A4165BFC5}	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEE10B80-B346-4335-9232-B28A4165BFC5}\stubpath = "C:\\Windows\\{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe"	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8424E18-8976-4965-B658-B494671CD70F}\stubpath = "C:\\Windows\\{B8424E18-8976-4965-B658-B494671CD70F}.exe"	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}\stubpath = "C:\\Windows\\{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe"	{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29365171-1B47-44a9-958A-D7745171BA83}	{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8236E2DB-81F3-4227-827D-55EE35FE01A9}	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8236E2DB-81F3-4227-827D-55EE35FE01A9}\stubpath = "C:\\Windows\\{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe"	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8424E18-8976-4965-B658-B494671CD70F}	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBCEB609-19EB-446a-91C4-340A0D0016CD}	{B8424E18-8976-4965-B658-B494671CD70F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}\stubpath = "C:\\Windows\\{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe"	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0BB87BF-9E5B-49dc-8773-1632638ADD8B}\stubpath = "C:\\Windows\\{F0BB87BF-9E5B-49dc-8773-1632638ADD8B}.exe"	{29365171-1B47-44a9-958A-D7745171BA83}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2948 cmd.exe

pid	process
2948	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe{B8424E18-8976-4965-B658-B494671CD70F}.exe{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe{29365171-1B47-44a9-958A-D7745171BA83}.exe{F0BB87BF-9E5B-49dc-8773-1632638ADD8B}.exe

pid	process
3028	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe
2708	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe
2712	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe
2884	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe
1348	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe
960	{B8424E18-8976-4965-B658-B494671CD70F}.exe
968	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe
1612	{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe
1192	{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe
680	{29365171-1B47-44a9-958A-D7745171BA83}.exe
1492	{F0BB87BF-9E5B-49dc-8773-1632638ADD8B}.exe

Drops file in Windows directory 11 IoCs

Processes:

{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe{29365171-1B47-44a9-958A-D7745171BA83}.exe{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe{B8424E18-8976-4965-B658-B494671CD70F}.exe{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe

description	ioc	process
File created	C:\Windows\{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe	{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe
File created	C:\Windows\{29365171-1B47-44a9-958A-D7745171BA83}.exe	{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe
File created	C:\Windows\{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe
File created	C:\Windows\{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe
File created	C:\Windows\{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe
File created	C:\Windows\{B8424E18-8976-4965-B658-B494671CD70F}.exe	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe
File created	C:\Windows\{F0BB87BF-9E5B-49dc-8773-1632638ADD8B}.exe	{29365171-1B47-44a9-958A-D7745171BA83}.exe
File created	C:\Windows\{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe
File created	C:\Windows\{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe
File created	C:\Windows\{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe	{B8424E18-8976-4965-B658-B494671CD70F}.exe
File created	C:\Windows\{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe{B8424E18-8976-4965-B658-B494671CD70F}.exe{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe{29365171-1B47-44a9-958A-D7745171BA83}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2872	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3028	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe
Token: SeIncBasePriorityPrivilege	2708	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe
Token: SeIncBasePriorityPrivilege	2712	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe
Token: SeIncBasePriorityPrivilege	2884	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe
Token: SeIncBasePriorityPrivilege	1348	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe
Token: SeIncBasePriorityPrivilege	960	{B8424E18-8976-4965-B658-B494671CD70F}.exe
Token: SeIncBasePriorityPrivilege	968	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe
Token: SeIncBasePriorityPrivilege	1612	{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe
Token: SeIncBasePriorityPrivilege	1192	{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe
Token: SeIncBasePriorityPrivilege	680	{29365171-1B47-44a9-958A-D7745171BA83}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2872 wrote to memory of 3028	2872	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe
PID 2872 wrote to memory of 3028	2872	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe
PID 2872 wrote to memory of 3028	2872	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe
PID 2872 wrote to memory of 3028	2872	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe
PID 2872 wrote to memory of 2948	2872	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe	cmd.exe
PID 2872 wrote to memory of 2948	2872	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe	cmd.exe
PID 2872 wrote to memory of 2948	2872	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe	cmd.exe
PID 2872 wrote to memory of 2948	2872	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe	cmd.exe
PID 3028 wrote to memory of 2708	3028	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe
PID 3028 wrote to memory of 2708	3028	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe
PID 3028 wrote to memory of 2708	3028	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe
PID 3028 wrote to memory of 2708	3028	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe
PID 3028 wrote to memory of 2716	3028	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe	cmd.exe
PID 3028 wrote to memory of 2716	3028	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe	cmd.exe
PID 3028 wrote to memory of 2716	3028	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe	cmd.exe
PID 3028 wrote to memory of 2716	3028	{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe	cmd.exe
PID 2708 wrote to memory of 2712	2708	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe
PID 2708 wrote to memory of 2712	2708	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe
PID 2708 wrote to memory of 2712	2708	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe
PID 2708 wrote to memory of 2712	2708	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe
PID 2708 wrote to memory of 2764	2708	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe	cmd.exe
PID 2708 wrote to memory of 2764	2708	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe	cmd.exe
PID 2708 wrote to memory of 2764	2708	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe	cmd.exe
PID 2708 wrote to memory of 2764	2708	{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe	cmd.exe
PID 2712 wrote to memory of 2884	2712	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe
PID 2712 wrote to memory of 2884	2712	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe
PID 2712 wrote to memory of 2884	2712	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe
PID 2712 wrote to memory of 2884	2712	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe
PID 2712 wrote to memory of 1648	2712	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe	cmd.exe
PID 2712 wrote to memory of 1648	2712	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe	cmd.exe
PID 2712 wrote to memory of 1648	2712	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe	cmd.exe
PID 2712 wrote to memory of 1648	2712	{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe	cmd.exe
PID 2884 wrote to memory of 1348	2884	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe
PID 2884 wrote to memory of 1348	2884	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe
PID 2884 wrote to memory of 1348	2884	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe
PID 2884 wrote to memory of 1348	2884	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe
PID 2884 wrote to memory of 1800	2884	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe	cmd.exe
PID 2884 wrote to memory of 1800	2884	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe	cmd.exe
PID 2884 wrote to memory of 1800	2884	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe	cmd.exe
PID 2884 wrote to memory of 1800	2884	{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe	cmd.exe
PID 1348 wrote to memory of 960	1348	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe	{B8424E18-8976-4965-B658-B494671CD70F}.exe
PID 1348 wrote to memory of 960	1348	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe	{B8424E18-8976-4965-B658-B494671CD70F}.exe
PID 1348 wrote to memory of 960	1348	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe	{B8424E18-8976-4965-B658-B494671CD70F}.exe
PID 1348 wrote to memory of 960	1348	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe	{B8424E18-8976-4965-B658-B494671CD70F}.exe
PID 1348 wrote to memory of 852	1348	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe	cmd.exe
PID 1348 wrote to memory of 852	1348	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe	cmd.exe
PID 1348 wrote to memory of 852	1348	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe	cmd.exe
PID 1348 wrote to memory of 852	1348	{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe	cmd.exe
PID 960 wrote to memory of 968	960	{B8424E18-8976-4965-B658-B494671CD70F}.exe	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe
PID 960 wrote to memory of 968	960	{B8424E18-8976-4965-B658-B494671CD70F}.exe	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe
PID 960 wrote to memory of 968	960	{B8424E18-8976-4965-B658-B494671CD70F}.exe	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe
PID 960 wrote to memory of 968	960	{B8424E18-8976-4965-B658-B494671CD70F}.exe	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe
PID 960 wrote to memory of 1272	960	{B8424E18-8976-4965-B658-B494671CD70F}.exe	cmd.exe
PID 960 wrote to memory of 1272	960	{B8424E18-8976-4965-B658-B494671CD70F}.exe	cmd.exe
PID 960 wrote to memory of 1272	960	{B8424E18-8976-4965-B658-B494671CD70F}.exe	cmd.exe
PID 960 wrote to memory of 1272	960	{B8424E18-8976-4965-B658-B494671CD70F}.exe	cmd.exe
PID 968 wrote to memory of 1612	968	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe	{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe
PID 968 wrote to memory of 1612	968	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe	{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe
PID 968 wrote to memory of 1612	968	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe	{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe
PID 968 wrote to memory of 1612	968	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe	{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe
PID 968 wrote to memory of 2264	968	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe	cmd.exe
PID 968 wrote to memory of 2264	968	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe	cmd.exe
PID 968 wrote to memory of 2264	968	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe	cmd.exe
PID 968 wrote to memory of 2264	968	{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe
C:\Windows\{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe
C:\Windows\{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe
C:\Windows\{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DE1C2~1.EXE > nul
5⤵
PID:1648

C:\Windows\{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe
C:\Windows\{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe
C:\Windows\{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\{B8424E18-8976-4965-B658-B494671CD70F}.exe
C:\Windows\{B8424E18-8976-4965-B658-B494671CD70F}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe
C:\Windows\{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe
C:\Windows\{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe
C:\Windows\{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\{29365171-1B47-44a9-958A-D7745171BA83}.exe
C:\Windows\{29365171-1B47-44a9-958A-D7745171BA83}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{29365~1.EXE > nul
12⤵
PID:1536

C:\Windows\{F0BB87BF-9E5B-49dc-8773-1632638ADD8B}.exe
C:\Windows\{F0BB87BF-9E5B-49dc-8773-1632638ADD8B}.exe
12⤵
- Executes dropped EXE
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2882A~1.EXE > nul
11⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3731B~1.EXE > nul
10⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DBCEB~1.EXE > nul
9⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B8424~1.EXE > nul
8⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DEE10~1.EXE > nul
7⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A680F~1.EXE > nul
6⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8236E~1.EXE > nul
4⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{56CCE~1.EXE > nul
3⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe

Filesize
380KB

MD5
3019cff3b4176ba11879277d951b25e1

SHA1
8f9ba841008433021e443314e0a81087736bfedc

SHA256
caad9e4f7996df9701fa62636a9178ddb6d94d698ae3b6c51a8eddb7f2560b4a

SHA512
7d4769287ab680fe9d19b56d3b51d6e66531524c4f1a0be2c3856ecebc407c55757f2e65b24633f1708cd86b98752e2a9a0894548749f02b1fdddd2dcf5e0e05

Download Submit
C:\Windows\{2882AEB9-522D-40a0-8CBC-8A09A9AE1461}.exe

Filesize
169KB

MD5
fcccbc07893a9deef8ac76477a5f7a1a

SHA1
9c8b1b4e820ba08bb37c5c74275ea8f81b6f03ea

SHA256
6596d133505d64abaebf8d1433632a3cc013dca72f5c848852a4b62243a8b45f

SHA512
22448ca5dc316813e7f77cb8b7ff6de36dd773bc88a2959c823b7b73d08cfcc9956d20d57b967506dcb82f705de79fb3437794f56d2ab522f9deb5180e142829

Download Submit
C:\Windows\{29365171-1B47-44a9-958A-D7745171BA83}.exe

Filesize
380KB

MD5
d2932f73ccded1908aa36a928db77ebc

SHA1
b3f110861657ae8e659dce794f8894979a2632dc

SHA256
0f4e76d93e21bdbaa9704091378833b92dc25bd3f79a3cd03a7e9d67d528f581

SHA512
b542e1c4ee9ae6aeebc32d2f875f2614e27873e9dfeaa4d408882a7fa64007261842fb74a1011db1b6361d2cafa6e44bbb127d202eed4092a24098a81f885eb3

Download Submit
C:\Windows\{3731BC76-D5EB-4e4d-B8CC-86CC16CD5795}.exe

Filesize
380KB

MD5
1ad4fdf20706f230102c3ba21c0024ff

SHA1
8d1c474739ecc354d01929ecb0ac99c2ed70e0f7

SHA256
9c3ab15252201c1fe7116bf4f382d422caa96a354c99b677f8ab29876d712ec0

SHA512
90721da42863c7c67445c6f26266868c853a770192d2f8a7d08f42b3ae0b825c0381de5e1243c6f29b826de9501b35aaf3e76cdfa7e383ae303e1c4034732444

Download Submit
C:\Windows\{56CCEA9F-2302-43dc-AD9B-74AF7EACCF98}.exe

Filesize
380KB

MD5
db8fcb6d557654ccf1874466d5fcda55

SHA1
1b2662704076e541745ef40c66e6f17169f7c1bd

SHA256
3d8ea0ea5c6f6bf17058258b04e2a2e63bf45cbfdffc52603ce8af138d9350a8

SHA512
356e13a36e49329b4c018db9b267eb56df8da38bc9574ff284a890579cc96e3b3e1e4546e93011fae1a0d5c2f3968e20f25253838f7213da2ed76c473fc83b4c

Download Submit
C:\Windows\{8236E2DB-81F3-4227-827D-55EE35FE01A9}.exe

Filesize
380KB

MD5
47449495dc2cd220d2d924262a7ba554

SHA1
a221a3e699f62dd8689ccd0707d55d533340031a

SHA256
ed5f775610eb25121cbe8898b95a53ce432d994b132cb1c3a6c487eacb0d9a27

SHA512
8e79c2a4172c8fbc3b44121caeccc9bd322dc4aa2cc1ec88bc81c54712cc5b3cb4329e5490fd9c621df07591d53b05dee667ead9430330304b5a39033f6d5bf2

Download Submit
C:\Windows\{A680FE3D-8564-4848-94D5-AF7F6DCAAA13}.exe

Filesize
380KB

MD5
33db4b97260795ae991bf58931205b6d

SHA1
a0f115c5d30df28eda0df81881340c188978dc4c

SHA256
d727a7acab1831ceefd15e69d22d1d10366f37bbb3a91ab1572a685efdc06214

SHA512
b92c83dc6ba06e2a75b5d623d4f6d0ce31b8e3b0cfc1ae12cef7da5bfe390baf4a8397b25929a503e0c0d75d76545570fcd36b84a64cb2d77a4b97f93327f9cd

Download Submit
C:\Windows\{B8424E18-8976-4965-B658-B494671CD70F}.exe

Filesize
380KB

MD5
a33e52f71062020a44d2cd3f2bb5efe8

SHA1
ffd411d3631613713a797d5d2e7628a091bc3db6

SHA256
b3a7fbaaedcc0e8ed10e0b4a8edb431ead1b7f9d99bfa6c3d8b28359509e6e83

SHA512
a8ef9fd9b6b47be66b2df0d78d912fd85bb60e949592cbc4c4170e196d769d4d8fe9d140aa886c22b60d8e4aea290e061e172bba30d32c2f41dd982c3c77f84a

Download Submit
C:\Windows\{DBCEB609-19EB-446a-91C4-340A0D0016CD}.exe

Filesize
380KB

MD5
99c4dd356e3c5df9c2c0508784219a92

SHA1
dc22ecdf87c5fdc39f78a203e8248c5649df6623

SHA256
36b587f39eb85ab60fe4d706c8aaddbcfc9df741fb6746f6d33aacb2453c240a

SHA512
ee3e8b5f3254736cd8ba7552aeed305d17e3cedead8433d2ca3db926449000aca460e86b2096a9813049e07c8d86c5eadfb885bf8e6d8eb3c53c4888d96399f5

Download Submit
C:\Windows\{DE1C20B6-8BF0-4c55-8D64-46F028CCAE25}.exe

Filesize
380KB

MD5
ae54c2cec65a7abeecc289faa07ff8a3

SHA1
79d7fb44d219e149110cd75ede426b3c056185cd

SHA256
9a3ea53cec0374d3184b40110d2a185b5f6245ef2e97a86b4f83dac36da5344f

SHA512
a24820876e5b6102d7605a6b9fee197c76b6b68ba6d2a6591193daf43cedc0addde32e6660d46246415be0be9f6ba55305dfc085d4aacc10cb9f9737e046766f

Download Submit
C:\Windows\{DEE10B80-B346-4335-9232-B28A4165BFC5}.exe

Filesize
380KB

MD5
3a5041fa8b5f098ec8338915300d06b7

SHA1
e913c065a8575928d7cbfd7e7b2d85526cde9a54

SHA256
8890f9963d1db49e4a400cc88dc634734884c0bc2f12ad628688dde347703861

SHA512
71c5f52441830792b2c2a6472f27e93272a6d3c0497921ba9197753a61be3c846c007ca3e1fc43db06c210355ea2b77d4f5a664a289ff2807e305f82b76702d5

Download Submit
C:\Windows\{F0BB87BF-9E5B-49dc-8773-1632638ADD8B}.exe

Filesize
380KB

MD5
28b0d1f634ede1ef31698baa203a3dc5

SHA1
65cecaa1dc172d478b726dc7fd927e5194edd547

SHA256
592997d5ec0413bfee3b80b0dbea626c9d1e326bc437a21d96c8400000c988d2

SHA512
d323faa3ed349767c7fd49050573e64b20db7858cb8af3dcf93c09947b6e97e92a040f3e3f4b03950a2e0657dd030ab26f2ff2b40e61ee21f0a5a6bbb8b4a1ce

Download Submit