0c4457ce496935159ba5a3beff84db4ffb48e8c3d1f0750a4772243d88d22643

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe
Size

380KB
MD5

bcfc3df16adba25b9b2f9c723704dc7e
SHA1

89a494db31a590fd40782a09cb889101204a6259
SHA256

0c4457ce496935159ba5a3beff84db4ffb48e8c3d1f0750a4772243d88d22643
SHA512

1b5749c8a7211104a57a4e86d64d7469bd380ad84d4f9ae72b525c27c10e66e2089b787bef7c2d9dfca5fa2286bbed62a769213d173840dfea6d6433a3421f53
SSDEEP

3072:mEGh0oNlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGXl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F479E213-4326-4c19-903E-E2A85244ED2D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78900E03-DCB9-41f8-B174-38C91D6AD768}	{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}\stubpath = "C:\\Windows\\{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe"	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9F792FC-A944-41e5-8D02-A15738FB0E2E}	{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5820C185-2A83-45b5-8C3F-D0C79B874234}\stubpath = "C:\\Windows\\{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe"	{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}	{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}\stubpath = "C:\\Windows\\{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe"	{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}	{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95EF513C-46CE-4b60-B97D-334EF76B1ADF}	{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F479E213-4326-4c19-903E-E2A85244ED2D}\stubpath = "C:\\Windows\\{F479E213-4326-4c19-903E-E2A85244ED2D}.exe"	{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82F84ADE-8166-44c0-A54A-BBF94118340B}\stubpath = "C:\\Windows\\{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe"	{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52D2CDC2-66A7-464f-9741-E67446CD1806}	{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D7EF983-0583-477c-A5C3-B7D7151BB860}	{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9F792FC-A944-41e5-8D02-A15738FB0E2E}\stubpath = "C:\\Windows\\{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe"	{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5820C185-2A83-45b5-8C3F-D0C79B874234}	{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78900E03-DCB9-41f8-B174-38C91D6AD768}\stubpath = "C:\\Windows\\{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe"	{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}\stubpath = "C:\\Windows\\{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe"	{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95EF513C-46CE-4b60-B97D-334EF76B1ADF}\stubpath = "C:\\Windows\\{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe"	{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F479E213-4326-4c19-903E-E2A85244ED2D}	{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D5F6597-08D9-47ce-BDB9-E08F09005D86}\stubpath = "C:\\Windows\\{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe"	{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82F84ADE-8166-44c0-A54A-BBF94118340B}	{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D7EF983-0583-477c-A5C3-B7D7151BB860}\stubpath = "C:\\Windows\\{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe"	{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D5F6597-08D9-47ce-BDB9-E08F09005D86}	{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52D2CDC2-66A7-464f-9741-E67446CD1806}\stubpath = "C:\\Windows\\{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe"	{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe

Executes dropped EXE 12 IoCs

Processes:

{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe{F479E213-4326-4c19-903E-E2A85244ED2D}.exe

pid	process
2124	{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe
3860	{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe
3036	{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe
4720	{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe
4948	{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe
2680	{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe
888	{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe
4488	{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe
4248	{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe
1216	{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe
3636	{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe
1340	{F479E213-4326-4c19-903E-E2A85244ED2D}.exe

Drops file in Windows directory 12 IoCs

Processes:

{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe

description	ioc	process
File created	C:\Windows\{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe	{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe
File created	C:\Windows\{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe	{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe
File created	C:\Windows\{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe	{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe
File created	C:\Windows\{F479E213-4326-4c19-903E-E2A85244ED2D}.exe	{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe
File created	C:\Windows\{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe
File created	C:\Windows\{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe	{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe
File created	C:\Windows\{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe	{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe
File created	C:\Windows\{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe	{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe
File created	C:\Windows\{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe	{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe
File created	C:\Windows\{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe	{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe
File created	C:\Windows\{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe	{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe
File created	C:\Windows\{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe	{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	116	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2124	{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe
Token: SeIncBasePriorityPrivilege	3860	{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe
Token: SeIncBasePriorityPrivilege	3036	{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe
Token: SeIncBasePriorityPrivilege	4720	{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe
Token: SeIncBasePriorityPrivilege	4948	{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe
Token: SeIncBasePriorityPrivilege	2680	{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe
Token: SeIncBasePriorityPrivilege	888	{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe
Token: SeIncBasePriorityPrivilege	4488	{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe
Token: SeIncBasePriorityPrivilege	4248	{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe
Token: SeIncBasePriorityPrivilege	1216	{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe
Token: SeIncBasePriorityPrivilege	3636	{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 116 wrote to memory of 2124	116	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe	{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe
PID 116 wrote to memory of 2124	116	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe	{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe
PID 116 wrote to memory of 2124	116	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe	{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe
PID 116 wrote to memory of 1564	116	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe	cmd.exe
PID 116 wrote to memory of 1564	116	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe	cmd.exe
PID 116 wrote to memory of 1564	116	2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe	cmd.exe
PID 2124 wrote to memory of 3860	2124	{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe	{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe
PID 2124 wrote to memory of 3860	2124	{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe	{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe
PID 2124 wrote to memory of 3860	2124	{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe	{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe
PID 2124 wrote to memory of 4824	2124	{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe	cmd.exe
PID 2124 wrote to memory of 4824	2124	{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe	cmd.exe
PID 2124 wrote to memory of 4824	2124	{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe	cmd.exe
PID 3860 wrote to memory of 3036	3860	{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe	{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe
PID 3860 wrote to memory of 3036	3860	{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe	{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe
PID 3860 wrote to memory of 3036	3860	{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe	{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe
PID 3860 wrote to memory of 3428	3860	{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe	cmd.exe
PID 3860 wrote to memory of 3428	3860	{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe	cmd.exe
PID 3860 wrote to memory of 3428	3860	{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe	cmd.exe
PID 3036 wrote to memory of 4720	3036	{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe	{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe
PID 3036 wrote to memory of 4720	3036	{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe	{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe
PID 3036 wrote to memory of 4720	3036	{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe	{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe
PID 3036 wrote to memory of 3096	3036	{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe	cmd.exe
PID 3036 wrote to memory of 3096	3036	{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe	cmd.exe
PID 3036 wrote to memory of 3096	3036	{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe	cmd.exe
PID 4720 wrote to memory of 4948	4720	{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe	{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe
PID 4720 wrote to memory of 4948	4720	{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe	{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe
PID 4720 wrote to memory of 4948	4720	{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe	{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe
PID 4720 wrote to memory of 4208	4720	{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe	cmd.exe
PID 4720 wrote to memory of 4208	4720	{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe	cmd.exe
PID 4720 wrote to memory of 4208	4720	{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe	cmd.exe
PID 4948 wrote to memory of 2680	4948	{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe	{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe
PID 4948 wrote to memory of 2680	4948	{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe	{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe
PID 4948 wrote to memory of 2680	4948	{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe	{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe
PID 4948 wrote to memory of 4652	4948	{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe	cmd.exe
PID 4948 wrote to memory of 4652	4948	{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe	cmd.exe
PID 4948 wrote to memory of 4652	4948	{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe	cmd.exe
PID 2680 wrote to memory of 888	2680	{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe	{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe
PID 2680 wrote to memory of 888	2680	{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe	{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe
PID 2680 wrote to memory of 888	2680	{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe	{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe
PID 2680 wrote to memory of 1236	2680	{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe	cmd.exe
PID 2680 wrote to memory of 1236	2680	{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe	cmd.exe
PID 2680 wrote to memory of 1236	2680	{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe	cmd.exe
PID 888 wrote to memory of 4488	888	{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe	{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe
PID 888 wrote to memory of 4488	888	{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe	{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe
PID 888 wrote to memory of 4488	888	{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe	{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe
PID 888 wrote to memory of 476	888	{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe	cmd.exe
PID 888 wrote to memory of 476	888	{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe	cmd.exe
PID 888 wrote to memory of 476	888	{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe	cmd.exe
PID 4488 wrote to memory of 4248	4488	{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe	{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe
PID 4488 wrote to memory of 4248	4488	{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe	{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe
PID 4488 wrote to memory of 4248	4488	{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe	{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe
PID 4488 wrote to memory of 548	4488	{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe	cmd.exe
PID 4488 wrote to memory of 548	4488	{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe	cmd.exe
PID 4488 wrote to memory of 548	4488	{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe	cmd.exe
PID 4248 wrote to memory of 1216	4248	{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe	{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe
PID 4248 wrote to memory of 1216	4248	{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe	{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe
PID 4248 wrote to memory of 1216	4248	{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe	{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe
PID 4248 wrote to memory of 2372	4248	{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe	cmd.exe
PID 4248 wrote to memory of 2372	4248	{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe	cmd.exe
PID 4248 wrote to memory of 2372	4248	{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe	cmd.exe
PID 1216 wrote to memory of 3636	1216	{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe	{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe
PID 1216 wrote to memory of 3636	1216	{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe	{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe
PID 1216 wrote to memory of 3636	1216	{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe	{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe
PID 1216 wrote to memory of 4276	1216	{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_bcfc3df16adba25b9b2f9c723704dc7e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe
C:\Windows\{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe
C:\Windows\{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{52D2C~1.EXE > nul
4⤵
PID:3428

C:\Windows\{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe
C:\Windows\{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe
C:\Windows\{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe
C:\Windows\{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C9F79~1.EXE > nul
7⤵
PID:4652

C:\Windows\{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe
C:\Windows\{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe
C:\Windows\{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe
C:\Windows\{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe
C:\Windows\{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe
C:\Windows\{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe
C:\Windows\{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0D5F6~1.EXE > nul
13⤵
PID:408

C:\Windows\{F479E213-4326-4c19-903E-E2A85244ED2D}.exe
C:\Windows\{F479E213-4326-4c19-903E-E2A85244ED2D}.exe
13⤵
- Executes dropped EXE
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{95EF5~1.EXE > nul
12⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0F5DC~1.EXE > nul
11⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{33D2C~1.EXE > nul
10⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{78900~1.EXE > nul
9⤵
PID:476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5820C~1.EXE > nul
8⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3D7EF~1.EXE > nul
6⤵
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{82F84~1.EXE > nul
5⤵
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{10A48~1.EXE > nul
3⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D5F6597-08D9-47ce-BDB9-E08F09005D86}.exe

Filesize
380KB

MD5
a8d346da9eb2ecb551fd72749749ca20

SHA1
dd10f2d4996741d1d778321fbc8971b8fc8be76d

SHA256
bdf260b20580af12edfb2f346c0baf756f7a6ef0a538c50067933353ef1ff8b7

SHA512
60a7ffedfbeeab906935935772a48b2b6b048d7e82c3e305235aa00a3e13d742b8628cf39b34d0f4349d45e48a66e6ef2e91b8c0b7611ee5e865ae75d529a109

Download Submit
C:\Windows\{0F5DC82C-0C2F-4d3d-BC32-777B343699B1}.exe

Filesize
380KB

MD5
5d39e3b24eb4326cbd6723f68a1c800e

SHA1
c7fd937b797241a4ba8b478c15a1771d78c69585

SHA256
3164e42b5d7d21888618b780f8a115e32fc91eb6041552d50e51bcd5655bf3b0

SHA512
3a7cab84154dc9482fe69869f0a62b8a199da9f49c0f8d87689c8e657fd13fcd2a2e44b1585e3869ab99a72724d5d8c24d5b680abea90e3c9317e7bac5bfc6ed

Download Submit
C:\Windows\{10A48CC5-24E1-45bf-9AB9-29304DBFB76B}.exe

Filesize
380KB

MD5
9f90eebc47f6a50488c782d2922981ec

SHA1
f5bd278306a0057970d6df991ffcc12ce537b468

SHA256
d906d72a807b9163c42e332dea0d8da987dc3bf1262d686cf40d39329f21cc92

SHA512
805d77d466c69c6e0413c73505cf8ee2f7cbfd8b3f2ed321eea066c563867f096b0c5599776131ed511ccb2802721bbfacd4694e0546e645d6c1c1c16e289371

Download Submit
C:\Windows\{33D2CA4C-D99D-4375-BC2C-5DB4131A4B1A}.exe

Filesize
380KB

MD5
a4d830feebe5281e1793c60cec707082

SHA1
b17d441db6a119b3fd7cb4de6816ab58451a80ba

SHA256
330a8fea25f7f6ecac1c6fef13858f16c1a809f3cd984dd6f4acbb2562b06fbe

SHA512
d847e07aadb8277baad97405bc781d552955f39830a5aefe5db9e868c6efff33a6ad8120d96484b32519c2da5af84c5981622bd9150905a25e7d2e0624f88198

Download Submit
C:\Windows\{3D7EF983-0583-477c-A5C3-B7D7151BB860}.exe

Filesize
380KB

MD5
475ee4d2a8699b455240889b68ffbe2d

SHA1
157647856239014ad62188262dd669bffa165cd7

SHA256
f6a32f6626641ad0ffcbf3684efd4a048518ed7073ad8a3cdc0cccbc1e5951f4

SHA512
72a4f1a7c956ddf2050d68477f28e239bece7b147dccdbdcf53aea77d784017a012041b363e326dc060afd9a7cc415119ba5e75a07b25e75797dd510addb4626

Download Submit
C:\Windows\{52D2CDC2-66A7-464f-9741-E67446CD1806}.exe

Filesize
380KB

MD5
80ee7e089b6361ed16e02c60d5035875

SHA1
4b3393ca689952dd0e47e7a28e735ebedd5ffcdf

SHA256
e43f5e133a1ea538cfea0961c18769219036fe10d0f0823c3873ac8330868caf

SHA512
114c4d9ad62a3c32a4a55762c6e3ea31eb885ec2b04f536a502fc3af63882a76f967892a9a5916c599b4631c5e8754eb934d230dfbbab89793a93bbfc18f96d3

Download Submit
C:\Windows\{5820C185-2A83-45b5-8C3F-D0C79B874234}.exe

Filesize
380KB

MD5
bd35f383ba54f96f888e8acca763b60a

SHA1
cf412cf45fe06658d5f48c7722dc59dc53cc1251

SHA256
3307ed73954709bde79b9c43787cfb648406649bf7e999513888377d5ac533fa

SHA512
63186482b033762f4412a9cad2f0a7c3c5b453e462a49de15bff34077eba707f1bc2e3daf5a43997e1232d3cc031c220a26ef0f7f9617bba7f6fff049e9aeae6

Download Submit
C:\Windows\{78900E03-DCB9-41f8-B174-38C91D6AD768}.exe

Filesize
380KB

MD5
57c31d05da2722b213023993d6e10a65

SHA1
fbfa510d1b46673d70ca9a704dea3be2fce083ab

SHA256
e66beff58f9b4aa292e79ead4c29cb1237139775eb309063a406b3a2523cf757

SHA512
78fd1c77cd22a204e16cbf4eb17e324a4237df378d401144dbd205d37fc310725da7930904201d758177d292bac33c1c814c5e321139d1ffff1cf6951930abde

Download Submit
C:\Windows\{82F84ADE-8166-44c0-A54A-BBF94118340B}.exe

Filesize
380KB

MD5
49e2f21f7d1b8223e4c8ab6f3e4dce06

SHA1
3a9256b0ee828539d929cd08c3902402d8c47e76

SHA256
faf9b07e98d1ec9e98ed71d2a5c270f402255d3776d7bb5babf67f7371ad78fe

SHA512
4db572cf435b5de6f97290f31b7157f5dcf8028dd0c959ceed1df5d2d9452da72fb09dbf7d336eea0850687a12ace3bd122c8528f7b849f017c0ff52b7de02f3

Download Submit
C:\Windows\{95EF513C-46CE-4b60-B97D-334EF76B1ADF}.exe

Filesize
380KB

MD5
71bc2581e40316bce948d0297e9b6226

SHA1
8dd0dcf7d2f47b41fa9764d1aac8d8e87755c180

SHA256
8b63b36bf0741350d74dddd26b00f65427642e7ec84155aab9e3fb127d865633

SHA512
3c4727547ecb984ca6c132af20249222e0fea56712ccc6b859b75db6288c4483d5c102e168365f966ecbea2d93632c1f9ba4469b1671fdb51354a8c448d24931

Download Submit
C:\Windows\{C9F792FC-A944-41e5-8D02-A15738FB0E2E}.exe

Filesize
380KB

MD5
37b529955c386493c37641d99171e6c9

SHA1
a6d964a2113a13ea973ff22c55d1bb0494937127

SHA256
b8e4053e6689f69ad4ef22554982c77f3778175d5442cce26742cc2ed51d6736

SHA512
1dff9f5cddb818fd8da11287e26e29069f3013b6190d031ccd3fa16fe396fbdc40adaee676f8339f5cd1d66b094de92c3e997a2b304c6a86af6269704bbdb857

Download Submit
C:\Windows\{F479E213-4326-4c19-903E-E2A85244ED2D}.exe

Filesize
380KB

MD5
a6279a059ddd87b3308153b40d80681d

SHA1
857ffce343cabf7e794a60e5679feb90763e8c43

SHA256
2ca5ba10449ebbbd327dcde574057dba92600adb33be523d7c9bdf8b62b70d9d

SHA512
c7400d20ade6705232c56ee0839e82103204441f2e0e119e888f19fd7975593c5ddc928ec16d5abda90aa3323fad521f63502dfa6e8f2542198835992acb6a76

Download Submit