de71abd34e76657fd1c7b476505216ca6963b2515b133a2bffbf3b2aac4974e0

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe
Size

408KB
MD5

ba92e7b2a83a4cfa4dbeb849b6efb966
SHA1

21178e52a6e0d4a32a65f0a312c6ec4853d63214
SHA256

de71abd34e76657fd1c7b476505216ca6963b2515b133a2bffbf3b2aac4974e0
SHA512

1f6afa488d467aa2620a2126910aab9fc6f79c09494f3ce16db16acf32df1b5f454f568cd2557e75fc590b2e7c64476c99cd6d2b9ce7790c8a2f5c043d25474b
SSDEEP

3072:CEGh0oll3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGTldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7D949A50-F484-4707-9941-0E39D8EB378F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{097CC998-D770-458c-A6BA-638D1B405C28}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C206D2FF-0758-44f7-AD97-A8FB8A57D61C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}.exe2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe{7D949A50-F484-4707-9941-0E39D8EB378F}.exe{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe{097CC998-D770-458c-A6BA-638D1B405C28}.exe{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}.exe{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C206D2FF-0758-44f7-AD97-A8FB8A57D61C}\stubpath = "C:\\Windows\\{C206D2FF-0758-44f7-AD97-A8FB8A57D61C}.exe"	{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}\stubpath = "C:\\Windows\\{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe"	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{097CC998-D770-458c-A6BA-638D1B405C28}	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AA17355-0F57-498b-8FD2-E2C152B24034}	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BC31F50-C718-4349-ABB8-3D2FDA592627}\stubpath = "C:\\Windows\\{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe"	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}\stubpath = "C:\\Windows\\{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe"	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}	{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}\stubpath = "C:\\Windows\\{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe"	{097CC998-D770-458c-A6BA-638D1B405C28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C206D2FF-0758-44f7-AD97-A8FB8A57D61C}	{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}\stubpath = "C:\\Windows\\{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe"	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AA17355-0F57-498b-8FD2-E2C152B24034}\stubpath = "C:\\Windows\\{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe"	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}\stubpath = "C:\\Windows\\{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}.exe"	{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D949A50-F484-4707-9941-0E39D8EB378F}	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D949A50-F484-4707-9941-0E39D8EB378F}\stubpath = "C:\\Windows\\{7D949A50-F484-4707-9941-0E39D8EB378F}.exe"	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{097CC998-D770-458c-A6BA-638D1B405C28}\stubpath = "C:\\Windows\\{097CC998-D770-458c-A6BA-638D1B405C28}.exe"	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}	{097CC998-D770-458c-A6BA-638D1B405C28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BC31F50-C718-4349-ABB8-3D2FDA592627}	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}\stubpath = "C:\\Windows\\{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}.exe"	{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}	{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2532 cmd.exe

pid	process
2532	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe{7D949A50-F484-4707-9941-0E39D8EB378F}.exe{097CC998-D770-458c-A6BA-638D1B405C28}.exe{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}.exe{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}.exe{C206D2FF-0758-44f7-AD97-A8FB8A57D61C}.exe

pid	process
2336	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe
2640	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe
2692	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe
2528	{097CC998-D770-458c-A6BA-638D1B405C28}.exe
1640	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe
1972	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe
2760	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe
1516	{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe
2232	{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}.exe
2224	{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}.exe
2436	{C206D2FF-0758-44f7-AD97-A8FB8A57D61C}.exe

Drops file in Windows directory 11 IoCs

Processes:

{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe{7D949A50-F484-4707-9941-0E39D8EB378F}.exe{097CC998-D770-458c-A6BA-638D1B405C28}.exe{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}.exe{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}.exe

description	ioc	process
File created	C:\Windows\{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe
File created	C:\Windows\{7D949A50-F484-4707-9941-0E39D8EB378F}.exe	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe
File created	C:\Windows\{097CC998-D770-458c-A6BA-638D1B405C28}.exe	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe
File created	C:\Windows\{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe	{097CC998-D770-458c-A6BA-638D1B405C28}.exe
File created	C:\Windows\{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe
File created	C:\Windows\{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe
File created	C:\Windows\{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}.exe	{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe
File created	C:\Windows\{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe
File created	C:\Windows\{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe
File created	C:\Windows\{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}.exe	{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}.exe
File created	C:\Windows\{C206D2FF-0758-44f7-AD97-A8FB8A57D61C}.exe	{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe{7D949A50-F484-4707-9941-0E39D8EB378F}.exe{097CC998-D770-458c-A6BA-638D1B405C28}.exe{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}.exe{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	948	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2336	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe
Token: SeIncBasePriorityPrivilege	2640	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe
Token: SeIncBasePriorityPrivilege	2692	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe
Token: SeIncBasePriorityPrivilege	2528	{097CC998-D770-458c-A6BA-638D1B405C28}.exe
Token: SeIncBasePriorityPrivilege	1640	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe
Token: SeIncBasePriorityPrivilege	1972	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe
Token: SeIncBasePriorityPrivilege	2760	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe
Token: SeIncBasePriorityPrivilege	1516	{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe
Token: SeIncBasePriorityPrivilege	2232	{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}.exe
Token: SeIncBasePriorityPrivilege	2224	{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 948 wrote to memory of 2336	948	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe
PID 948 wrote to memory of 2336	948	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe
PID 948 wrote to memory of 2336	948	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe
PID 948 wrote to memory of 2336	948	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe
PID 948 wrote to memory of 2532	948	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe	cmd.exe
PID 948 wrote to memory of 2532	948	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe	cmd.exe
PID 948 wrote to memory of 2532	948	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe	cmd.exe
PID 948 wrote to memory of 2532	948	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe	cmd.exe
PID 2336 wrote to memory of 2640	2336	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe
PID 2336 wrote to memory of 2640	2336	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe
PID 2336 wrote to memory of 2640	2336	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe
PID 2336 wrote to memory of 2640	2336	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe
PID 2336 wrote to memory of 2676	2336	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe	cmd.exe
PID 2336 wrote to memory of 2676	2336	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe	cmd.exe
PID 2336 wrote to memory of 2676	2336	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe	cmd.exe
PID 2336 wrote to memory of 2676	2336	{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe	cmd.exe
PID 2640 wrote to memory of 2692	2640	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe
PID 2640 wrote to memory of 2692	2640	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe
PID 2640 wrote to memory of 2692	2640	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe
PID 2640 wrote to memory of 2692	2640	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe
PID 2640 wrote to memory of 2568	2640	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe	cmd.exe
PID 2640 wrote to memory of 2568	2640	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe	cmd.exe
PID 2640 wrote to memory of 2568	2640	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe	cmd.exe
PID 2640 wrote to memory of 2568	2640	{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe	cmd.exe
PID 2692 wrote to memory of 2528	2692	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe	{097CC998-D770-458c-A6BA-638D1B405C28}.exe
PID 2692 wrote to memory of 2528	2692	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe	{097CC998-D770-458c-A6BA-638D1B405C28}.exe
PID 2692 wrote to memory of 2528	2692	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe	{097CC998-D770-458c-A6BA-638D1B405C28}.exe
PID 2692 wrote to memory of 2528	2692	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe	{097CC998-D770-458c-A6BA-638D1B405C28}.exe
PID 2692 wrote to memory of 2996	2692	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe	cmd.exe
PID 2692 wrote to memory of 2996	2692	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe	cmd.exe
PID 2692 wrote to memory of 2996	2692	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe	cmd.exe
PID 2692 wrote to memory of 2996	2692	{7D949A50-F484-4707-9941-0E39D8EB378F}.exe	cmd.exe
PID 2528 wrote to memory of 1640	2528	{097CC998-D770-458c-A6BA-638D1B405C28}.exe	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe
PID 2528 wrote to memory of 1640	2528	{097CC998-D770-458c-A6BA-638D1B405C28}.exe	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe
PID 2528 wrote to memory of 1640	2528	{097CC998-D770-458c-A6BA-638D1B405C28}.exe	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe
PID 2528 wrote to memory of 1640	2528	{097CC998-D770-458c-A6BA-638D1B405C28}.exe	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe
PID 2528 wrote to memory of 2980	2528	{097CC998-D770-458c-A6BA-638D1B405C28}.exe	cmd.exe
PID 2528 wrote to memory of 2980	2528	{097CC998-D770-458c-A6BA-638D1B405C28}.exe	cmd.exe
PID 2528 wrote to memory of 2980	2528	{097CC998-D770-458c-A6BA-638D1B405C28}.exe	cmd.exe
PID 2528 wrote to memory of 2980	2528	{097CC998-D770-458c-A6BA-638D1B405C28}.exe	cmd.exe
PID 1640 wrote to memory of 1972	1640	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe
PID 1640 wrote to memory of 1972	1640	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe
PID 1640 wrote to memory of 1972	1640	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe
PID 1640 wrote to memory of 1972	1640	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe
PID 1640 wrote to memory of 2852	1640	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe	cmd.exe
PID 1640 wrote to memory of 2852	1640	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe	cmd.exe
PID 1640 wrote to memory of 2852	1640	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe	cmd.exe
PID 1640 wrote to memory of 2852	1640	{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe	cmd.exe
PID 1972 wrote to memory of 2760	1972	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe
PID 1972 wrote to memory of 2760	1972	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe
PID 1972 wrote to memory of 2760	1972	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe
PID 1972 wrote to memory of 2760	1972	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe
PID 1972 wrote to memory of 2772	1972	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe	cmd.exe
PID 1972 wrote to memory of 2772	1972	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe	cmd.exe
PID 1972 wrote to memory of 2772	1972	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe	cmd.exe
PID 1972 wrote to memory of 2772	1972	{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe	cmd.exe
PID 2760 wrote to memory of 1516	2760	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe	{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe
PID 2760 wrote to memory of 1516	2760	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe	{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe
PID 2760 wrote to memory of 1516	2760	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe	{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe
PID 2760 wrote to memory of 1516	2760	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe	{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe
PID 2760 wrote to memory of 2984	2760	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe	cmd.exe
PID 2760 wrote to memory of 2984	2760	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe	cmd.exe
PID 2760 wrote to memory of 2984	2760	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe	cmd.exe
PID 2760 wrote to memory of 2984	2760	{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe
C:\Windows\{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe
C:\Windows\{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\{7D949A50-F484-4707-9941-0E39D8EB378F}.exe
C:\Windows\{7D949A50-F484-4707-9941-0E39D8EB378F}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\{097CC998-D770-458c-A6BA-638D1B405C28}.exe
C:\Windows\{097CC998-D770-458c-A6BA-638D1B405C28}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe
C:\Windows\{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe
C:\Windows\{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe
C:\Windows\{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe
C:\Windows\{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}.exe
C:\Windows\{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}.exe
C:\Windows\{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\{C206D2FF-0758-44f7-AD97-A8FB8A57D61C}.exe
C:\Windows\{C206D2FF-0758-44f7-AD97-A8FB8A57D61C}.exe
12⤵
- Executes dropped EXE
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AAA32~1.EXE > nul
12⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A4B7F~1.EXE > nul
11⤵
PID:604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C9C58~1.EXE > nul
10⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5BC31~1.EXE > nul
9⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8AA17~1.EXE > nul
8⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C6F6C~1.EXE > nul
7⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{097CC~1.EXE > nul
6⤵
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7D949~1.EXE > nul
5⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1D1D3~1.EXE > nul
4⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C2EA8~1.EXE > nul
3⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{097CC998-D770-458c-A6BA-638D1B405C28}.exe

Filesize
408KB

MD5
c35c2a97b3115c32779cd2d32224bff1

SHA1
8ad8572b44dd444dc863c5f64dbba22694d3f025

SHA256
c3b3100ed27d08b267fe97cf8b4f97f37ecb3c06b59ab8fc1f49ac8dcca8898d

SHA512
25915f957b04edcb1a9622c8f920d84f6c78b65b9d4ff68ccd16ca99d2fc80039082637ac540a54e971005da134a4a6de56ff4c50a32c1d161c2173b5853f822

Download Submit
C:\Windows\{1D1D3DC2-74F5-4286-91EC-C17DCD82ED3C}.exe

Filesize
408KB

MD5
39983ffcbd890d3c3dbcc8f9604b1743

SHA1
9a534b22a95ce65fdcb8698c3412bd104f9a01df

SHA256
5e14832c2bc5eb3dfd613e74ea50dcadb99f536a8c1fd97f14d185f6192d1ad7

SHA512
362b6501c0e5bf5d4fded92d0173d96fef929c6912cfd63bb1ff4e17f5238fff3bcc4cc1f29e5f2816b477691eb2b17a708f1bbbfcb46cd0b21f0101d1b8a10e

Download Submit
C:\Windows\{5BC31F50-C718-4349-ABB8-3D2FDA592627}.exe

Filesize
408KB

MD5
7287213c042bcd8f4ee8076194338799

SHA1
af4fb224eb30f8336fbadb43c35ca77a307d1d82

SHA256
ec92f3d07c576346e8a4c83f4bab81dde8bf1f0234d93ccdc338cb54dcbb0b80

SHA512
6afa3ab8bec722682901f827fe7ff2fbc8469393b13114bac616f2f806346b6b5de855e0f82d82da0d3e0288a5b155a6f143f2b254d4ac86f050bc2913e434da

Download Submit
C:\Windows\{7D949A50-F484-4707-9941-0E39D8EB378F}.exe

Filesize
408KB

MD5
06b0d493172de56faf5799a43d9d2ac1

SHA1
1dd4676d8d7b83fe83944c33b703aa41e4cc0f4c

SHA256
0deed1a3d5e7637ab81ea592741c0b169fce35c202948107d4cf16dbfee5c459

SHA512
f4e0849ed052db7038bc447fee1a3c224cd4920f421ed424a18cdc4cf62bf277ba134b5d4ba1cf5c1652684b840427fbd91b9f7d546d92f62fd7b5a5495073cf

Download Submit
C:\Windows\{8AA17355-0F57-498b-8FD2-E2C152B24034}.exe

Filesize
408KB

MD5
5da56069b5a6467ce74adec66956424d

SHA1
19bebb6bd6f093607261fc2c7d51f7b33954c0f3

SHA256
4c9f12dbce0eb58419d373028c697646727e982c2b612e665db634972edb61ae

SHA512
a50322ca85914287d8a1f44d2e75c5471ecac09406c9274efe006120c1a564647b40076ece94fdfe5901f7743ebf7853331a905b1fb5104ccac31a6b7c4d06a1

Download Submit
C:\Windows\{A4B7FB58-0936-4de1-A5CF-ABC6E09D484F}.exe

Filesize
408KB

MD5
57b80feea79d614de27bb55d4e9a6c19

SHA1
3b106698a169b5464e369bd76d6c08eb193696f1

SHA256
f7bf24e035faa047545ab3df33cba26dcead26ce7d9995d07f7771e76c500082

SHA512
c858ed8b2c3830fe0d48f7a9237ee3dcfabbed6118ef560bc54dabde2aa3706dc3079c390deca963608b2e16d675cb1a773b36d7e426d4112864027df0e3fbd1

Download Submit
C:\Windows\{AAA32E06-3AD7-4fcb-899A-2B92B4E420B6}.exe

Filesize
408KB

MD5
9638ee58813a4913816c83951131ec3d

SHA1
131fc170f608ad50e07b7992366880193658aa7e

SHA256
ec17c150fb2aef4353f2a9fc1dd1df9bb4d387f1889aacf1afafdbb1464c58cf

SHA512
ed134e777cd68fd11469d0d22e234f417ad66e0b0181e9bdb2e8fdbd5bc790803266bd151dfa50bb696c0b04b3615604ba29e0c0a0caf28b26f269ca49e407a9

Download Submit
C:\Windows\{C206D2FF-0758-44f7-AD97-A8FB8A57D61C}.exe

Filesize
408KB

MD5
063c43ada845dee387c067c0282974a9

SHA1
030afbd0282c6e71884583d1b455ba0212cdcafb

SHA256
45e1d0f89e15745e251a65b0d3b3d3d1e26e6fb7682b2046f69e2a6d17ce7758

SHA512
edb2d858ed6980dcd2af168dec2e961301cf8de6fb430335b4dab949419bb7baf75de6daeb195b583df008ff23b6776bff35c653a08b106c7b9ca80b8857292c

Download Submit
C:\Windows\{C2EA8151-E5E4-4241-BD9B-3E47C17F3614}.exe

Filesize
408KB

MD5
3d2e74f26d73c0ac7530970ab94d9f7d

SHA1
42369611128831620568f6bb0aa0c6f7189a58d3

SHA256
24ba53cd70d65aabcffddf2d1a70755672efa4b08b1b648333984d72737e6f7e

SHA512
33f7aa8058e0325f4feee141258c8fd70e82fe030fef6959eb7609f78f50db409c2aa4c36d1bfd913b2ab6ab5ae9696b50ac82bbaf70ac9f6b10ce81a8e96111

Download Submit
C:\Windows\{C6F6C81A-5484-4c0d-AC49-D4ABEF202321}.exe

Filesize
408KB

MD5
195c3e350c43a5c2ec1516b4774fa665

SHA1
3ff46f7dd35b3d2ec8bb932a5c5db1762497955c

SHA256
ab26b052c370c1e1da2cf2d70c202ea9e255bc48e2c8f6b9f72fdd58a80f559b

SHA512
f6ad7d7edefd755038be5b45242c65a67aab1a78a7b6bd3016f06de2b846a1e23b00518815b6d45435b12d56fceed8e87ec37e6d57cfb338e43736549d142e23

Download Submit
C:\Windows\{C9C58B53-1423-45c1-9A62-BF36A7DC3EE8}.exe

Filesize
408KB

MD5
6a4a3bf387570907eb7d549394ef6d6b

SHA1
0da0d887c1f9117af4296e7f25eff0fc92d4572f

SHA256
6785d99b4e6d62b7d1d82c8ce484f733556ae081272b7f966bcbe0f8be55e439

SHA512
2ef53ca8f5d89f17f71e7cd08d94b27ad088f4de1759959eef05da307d63744c8525cba11fbc955c52002bd5cd5f817152c379193ecbf4e3c8ddb05b1f125170

Download Submit