de71abd34e76657fd1c7b476505216ca6963b2515b133a2bffbf3b2aac4974e0

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe
Size

408KB
MD5

ba92e7b2a83a4cfa4dbeb849b6efb966
SHA1

21178e52a6e0d4a32a65f0a312c6ec4853d63214
SHA256

de71abd34e76657fd1c7b476505216ca6963b2515b133a2bffbf3b2aac4974e0
SHA512

1f6afa488d467aa2620a2126910aab9fc6f79c09494f3ce16db16acf32df1b5f454f568cd2557e75fc590b2e7c64476c99cd6d2b9ce7790c8a2f5c043d25474b
SSDEEP

3072:CEGh0oll3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGTldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{477DC949-DB89-4288-89E0-8A03984DA88D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{304DFE50-441B-41b9-8E24-481667E4C93E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D2CEB802-6ECC-43eb-9C01-41D0ABBC11E3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe{304DFE50-441B-41b9-8E24-481667E4C93E}.exe{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe{477DC949-DB89-4288-89E0-8A03984DA88D}.exe{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8597A966-5A5B-444c-9EA3-0A93736333D3}	{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{304DFE50-441B-41b9-8E24-481667E4C93E}	{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{304DFE50-441B-41b9-8E24-481667E4C93E}\stubpath = "C:\\Windows\\{304DFE50-441B-41b9-8E24-481667E4C93E}.exe"	{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}\stubpath = "C:\\Windows\\{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe"	{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2CEB802-6ECC-43eb-9C01-41D0ABBC11E3}\stubpath = "C:\\Windows\\{D2CEB802-6ECC-43eb-9C01-41D0ABBC11E3}.exe"	{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}	{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{477DC949-DB89-4288-89E0-8A03984DA88D}\stubpath = "C:\\Windows\\{477DC949-DB89-4288-89E0-8A03984DA88D}.exe"	{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{477DC949-DB89-4288-89E0-8A03984DA88D}	{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F83AF1E5-3F92-4c87-805F-A6455D290487}	{304DFE50-441B-41b9-8E24-481667E4C93E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}	{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5BEA580-E6B7-459d-8F8E-647988AA76A4}\stubpath = "C:\\Windows\\{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe"	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B4716E7-9551-43e1-A544-CE7C2970A7DC}\stubpath = "C:\\Windows\\{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe"	{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C267B27-17EB-4744-8211-FEB3AFE025D6}\stubpath = "C:\\Windows\\{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe"	{477DC949-DB89-4288-89E0-8A03984DA88D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8597A966-5A5B-444c-9EA3-0A93736333D3}\stubpath = "C:\\Windows\\{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe"	{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}	{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5319B8D-52C7-42f8-B612-347E6585DAB6}\stubpath = "C:\\Windows\\{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe"	{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B4716E7-9551-43e1-A544-CE7C2970A7DC}	{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C267B27-17EB-4744-8211-FEB3AFE025D6}	{477DC949-DB89-4288-89E0-8A03984DA88D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F83AF1E5-3F92-4c87-805F-A6455D290487}\stubpath = "C:\\Windows\\{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe"	{304DFE50-441B-41b9-8E24-481667E4C93E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5319B8D-52C7-42f8-B612-347E6585DAB6}	{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}\stubpath = "C:\\Windows\\{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe"	{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2CEB802-6ECC-43eb-9C01-41D0ABBC11E3}	{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5BEA580-E6B7-459d-8F8E-647988AA76A4}	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}\stubpath = "C:\\Windows\\{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe"	{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe

Executes dropped EXE 12 IoCs

Processes:

{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe{477DC949-DB89-4288-89E0-8A03984DA88D}.exe{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe{304DFE50-441B-41b9-8E24-481667E4C93E}.exe{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe{D2CEB802-6ECC-43eb-9C01-41D0ABBC11E3}.exe

pid	process
1512	{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe
2932	{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe
436	{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe
4984	{477DC949-DB89-4288-89E0-8A03984DA88D}.exe
3364	{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe
456	{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe
1328	{304DFE50-441B-41b9-8E24-481667E4C93E}.exe
2604	{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe
4628	{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe
3508	{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe
3016	{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe
2528	{D2CEB802-6ECC-43eb-9C01-41D0ABBC11E3}.exe

Drops file in Windows directory 12 IoCs

Processes:

{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe{477DC949-DB89-4288-89E0-8A03984DA88D}.exe{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe{304DFE50-441B-41b9-8E24-481667E4C93E}.exe{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe

description	ioc	process
File created	C:\Windows\{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe	{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe
File created	C:\Windows\{477DC949-DB89-4288-89E0-8A03984DA88D}.exe	{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe
File created	C:\Windows\{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe	{477DC949-DB89-4288-89E0-8A03984DA88D}.exe
File created	C:\Windows\{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe	{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe
File created	C:\Windows\{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe	{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe
File created	C:\Windows\{304DFE50-441B-41b9-8E24-481667E4C93E}.exe	{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe
File created	C:\Windows\{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe	{304DFE50-441B-41b9-8E24-481667E4C93E}.exe
File created	C:\Windows\{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe	{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe
File created	C:\Windows\{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe	{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe
File created	C:\Windows\{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe	{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe
File created	C:\Windows\{D2CEB802-6ECC-43eb-9C01-41D0ABBC11E3}.exe	{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe
File created	C:\Windows\{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe{477DC949-DB89-4288-89E0-8A03984DA88D}.exe{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe{304DFE50-441B-41b9-8E24-481667E4C93E}.exe{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4160	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1512	{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe
Token: SeIncBasePriorityPrivilege	2932	{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe
Token: SeIncBasePriorityPrivilege	436	{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe
Token: SeIncBasePriorityPrivilege	4984	{477DC949-DB89-4288-89E0-8A03984DA88D}.exe
Token: SeIncBasePriorityPrivilege	3364	{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe
Token: SeIncBasePriorityPrivilege	456	{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe
Token: SeIncBasePriorityPrivilege	1328	{304DFE50-441B-41b9-8E24-481667E4C93E}.exe
Token: SeIncBasePriorityPrivilege	2604	{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe
Token: SeIncBasePriorityPrivilege	4628	{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe
Token: SeIncBasePriorityPrivilege	3508	{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe
Token: SeIncBasePriorityPrivilege	3016	{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4160 wrote to memory of 1512	4160	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe	{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe
PID 4160 wrote to memory of 1512	4160	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe	{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe
PID 4160 wrote to memory of 1512	4160	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe	{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe
PID 4160 wrote to memory of 3824	4160	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe	cmd.exe
PID 4160 wrote to memory of 3824	4160	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe	cmd.exe
PID 4160 wrote to memory of 3824	4160	2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe	cmd.exe
PID 1512 wrote to memory of 2932	1512	{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe	{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe
PID 1512 wrote to memory of 2932	1512	{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe	{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe
PID 1512 wrote to memory of 2932	1512	{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe	{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe
PID 1512 wrote to memory of 4524	1512	{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe	cmd.exe
PID 1512 wrote to memory of 4524	1512	{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe	cmd.exe
PID 1512 wrote to memory of 4524	1512	{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe	cmd.exe
PID 2932 wrote to memory of 436	2932	{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe	{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe
PID 2932 wrote to memory of 436	2932	{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe	{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe
PID 2932 wrote to memory of 436	2932	{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe	{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe
PID 2932 wrote to memory of 3704	2932	{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe	cmd.exe
PID 2932 wrote to memory of 3704	2932	{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe	cmd.exe
PID 2932 wrote to memory of 3704	2932	{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe	cmd.exe
PID 436 wrote to memory of 4984	436	{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe	{477DC949-DB89-4288-89E0-8A03984DA88D}.exe
PID 436 wrote to memory of 4984	436	{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe	{477DC949-DB89-4288-89E0-8A03984DA88D}.exe
PID 436 wrote to memory of 4984	436	{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe	{477DC949-DB89-4288-89E0-8A03984DA88D}.exe
PID 436 wrote to memory of 4908	436	{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe	cmd.exe
PID 436 wrote to memory of 4908	436	{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe	cmd.exe
PID 436 wrote to memory of 4908	436	{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe	cmd.exe
PID 4984 wrote to memory of 3364	4984	{477DC949-DB89-4288-89E0-8A03984DA88D}.exe	{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe
PID 4984 wrote to memory of 3364	4984	{477DC949-DB89-4288-89E0-8A03984DA88D}.exe	{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe
PID 4984 wrote to memory of 3364	4984	{477DC949-DB89-4288-89E0-8A03984DA88D}.exe	{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe
PID 4984 wrote to memory of 1520	4984	{477DC949-DB89-4288-89E0-8A03984DA88D}.exe	cmd.exe
PID 4984 wrote to memory of 1520	4984	{477DC949-DB89-4288-89E0-8A03984DA88D}.exe	cmd.exe
PID 4984 wrote to memory of 1520	4984	{477DC949-DB89-4288-89E0-8A03984DA88D}.exe	cmd.exe
PID 3364 wrote to memory of 456	3364	{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe	{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe
PID 3364 wrote to memory of 456	3364	{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe	{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe
PID 3364 wrote to memory of 456	3364	{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe	{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe
PID 3364 wrote to memory of 5044	3364	{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe	cmd.exe
PID 3364 wrote to memory of 5044	3364	{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe	cmd.exe
PID 3364 wrote to memory of 5044	3364	{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe	cmd.exe
PID 456 wrote to memory of 1328	456	{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe	{304DFE50-441B-41b9-8E24-481667E4C93E}.exe
PID 456 wrote to memory of 1328	456	{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe	{304DFE50-441B-41b9-8E24-481667E4C93E}.exe
PID 456 wrote to memory of 1328	456	{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe	{304DFE50-441B-41b9-8E24-481667E4C93E}.exe
PID 456 wrote to memory of 812	456	{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe	cmd.exe
PID 456 wrote to memory of 812	456	{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe	cmd.exe
PID 456 wrote to memory of 812	456	{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe	cmd.exe
PID 1328 wrote to memory of 2604	1328	{304DFE50-441B-41b9-8E24-481667E4C93E}.exe	{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe
PID 1328 wrote to memory of 2604	1328	{304DFE50-441B-41b9-8E24-481667E4C93E}.exe	{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe
PID 1328 wrote to memory of 2604	1328	{304DFE50-441B-41b9-8E24-481667E4C93E}.exe	{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe
PID 1328 wrote to memory of 3228	1328	{304DFE50-441B-41b9-8E24-481667E4C93E}.exe	cmd.exe
PID 1328 wrote to memory of 3228	1328	{304DFE50-441B-41b9-8E24-481667E4C93E}.exe	cmd.exe
PID 1328 wrote to memory of 3228	1328	{304DFE50-441B-41b9-8E24-481667E4C93E}.exe	cmd.exe
PID 2604 wrote to memory of 4628	2604	{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe	{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe
PID 2604 wrote to memory of 4628	2604	{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe	{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe
PID 2604 wrote to memory of 4628	2604	{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe	{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe
PID 2604 wrote to memory of 2440	2604	{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe	cmd.exe
PID 2604 wrote to memory of 2440	2604	{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe	cmd.exe
PID 2604 wrote to memory of 2440	2604	{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe	cmd.exe
PID 4628 wrote to memory of 3508	4628	{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe	{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe
PID 4628 wrote to memory of 3508	4628	{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe	{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe
PID 4628 wrote to memory of 3508	4628	{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe	{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe
PID 4628 wrote to memory of 2248	4628	{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe	cmd.exe
PID 4628 wrote to memory of 2248	4628	{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe	cmd.exe
PID 4628 wrote to memory of 2248	4628	{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe	cmd.exe
PID 3508 wrote to memory of 3016	3508	{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe	{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe
PID 3508 wrote to memory of 3016	3508	{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe	{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe
PID 3508 wrote to memory of 3016	3508	{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe	{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe
PID 3508 wrote to memory of 5076	3508	{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_ba92e7b2a83a4cfa4dbeb849b6efb966_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe
C:\Windows\{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe
C:\Windows\{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe
C:\Windows\{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\{477DC949-DB89-4288-89E0-8A03984DA88D}.exe
C:\Windows\{477DC949-DB89-4288-89E0-8A03984DA88D}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe
C:\Windows\{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe
C:\Windows\{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\{304DFE50-441B-41b9-8E24-481667E4C93E}.exe
C:\Windows\{304DFE50-441B-41b9-8E24-481667E4C93E}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe
C:\Windows\{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe
C:\Windows\{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe
C:\Windows\{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe
C:\Windows\{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\{D2CEB802-6ECC-43eb-9C01-41D0ABBC11E3}.exe
C:\Windows\{D2CEB802-6ECC-43eb-9C01-41D0ABBC11E3}.exe
13⤵
- Executes dropped EXE
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CD860~1.EXE > nul
13⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F5319~1.EXE > nul
12⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AEF8F~1.EXE > nul
11⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F83AF~1.EXE > nul
10⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{304DF~1.EXE > nul
9⤵
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8597A~1.EXE > nul
8⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3C267~1.EXE > nul
7⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{477DC~1.EXE > nul
6⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A78BA~1.EXE > nul
5⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5B471~1.EXE > nul
4⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C5BEA~1.EXE > nul
3⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{304DFE50-441B-41b9-8E24-481667E4C93E}.exe

Filesize
408KB

MD5
1e4b03792d530c7d519ae4fecbf465f6

SHA1
c71b10ca7f80b431658684ff7832d75682bb0d69

SHA256
b5795a4c494c870118f2759dcb02e33f02412cc509e3eba6e83467ff52d5dabd

SHA512
740b0872c4b59bea26d91cf2bb4c05c34786883a20252c303f21f3852c7c0a160318f5420943b9cfcb9cbf954499a6ad37acb576ad477fd5cbc8a80a6b36c5e6

Download Submit
C:\Windows\{3C267B27-17EB-4744-8211-FEB3AFE025D6}.exe

Filesize
408KB

MD5
037281ba1fe0be97a4f7325e20d8586c

SHA1
0f010d2c9b9cae5475e986f408e7e884089deea6

SHA256
edf3ef250fc878abe9371ef09fdbfc00b4b4470e805dc786f94d18777586954c

SHA512
9bb036ec1db0ff6d441d260c9ac25f89cdb2377d177ee4b1af683ec81d316e05320c07f5ff7063e841508e4c406533d385c277ac7a012404cba5e8315d92e0cb

Download Submit
C:\Windows\{477DC949-DB89-4288-89E0-8A03984DA88D}.exe

Filesize
408KB

MD5
e7a574eb57652fa0f38ae064d63c00e1

SHA1
809ee3c2161521aa2b4b34510149f2cf18202a96

SHA256
404534f31b7f5ec09f7a034a002b0fe4b9fb36ed69fef592630f8c08ed3aaf5d

SHA512
586ef0e2d632e3e9cbd8781fad2eea8df66eb057eb0ace1c8105e858de815be27609c89866685ef2cbe53c74b7eb438a1b51f859a656b8ea548ca0ffe1383742

Download Submit
C:\Windows\{5B4716E7-9551-43e1-A544-CE7C2970A7DC}.exe

Filesize
408KB

MD5
4920f4ac16f4f9560470550fe8ff5de6

SHA1
1e6fd28aa5a844ee604f3875f91610901e6723a5

SHA256
9b14034d7b657d308b65e819a8b4ab4b08308d2d07555429226d73dc4221c2d1

SHA512
fe12883e83897b95e5785067bb7ecae45ec56e2e1d462bb6d605273ced7dfc35192fb56b8b91d5be1e00d5e1ee1c08f52289245f860adae406647502c94e5849

Download Submit
C:\Windows\{8597A966-5A5B-444c-9EA3-0A93736333D3}.exe

Filesize
408KB

MD5
fea9e91f374579cd36827a6368b67307

SHA1
a707e1590985fac5393b604c89fe08734fdf7728

SHA256
15706a05e5950421a57d75972075d0ed10f7f6ef772a9b053d54108c3695175d

SHA512
4e9dbf9401e88e7b85a949a203c6b8ed78bfe4155c8f4f0fcd494ed3ea36af81f8368e2220032e0df1bf9eae3c19b80baa443d903968b295f4a643835540ebd0

Download Submit
C:\Windows\{A78BA963-3DD1-43bb-BD10-D4F1CB3B131D}.exe

Filesize
408KB

MD5
4f898812fe1b84b92c4c98cb9df3e6a5

SHA1
2acec01d81d492a71709352bd95e0025f5284c41

SHA256
892847c7e22c8340b1b5725ec93c0d0f86b0d53f71bbb116953822063983635b

SHA512
834601e895f5676e4c6ea79038307beec6f9660871b64a87b51c03e182ea7fcb7d2500a45e37015cd666d18a39f620bf014f8aa3a79a684d525beabe517cba4b

Download Submit
C:\Windows\{AEF8FAC0-58DE-461b-AD0B-EE8319FE6DAE}.exe

Filesize
408KB

MD5
e9670001b80995a06a5b0b68a31896f5

SHA1
842e770d09b74f9ac91319fcce78d14960f1c11e

SHA256
375f5b5ceb447800c16bec216589b1dad770b4bc8dcdab3666ddd5854ddd5950

SHA512
84fce45193cbc5ac980120187600943cf7ed0ec13d8b179041a973e8325197e3f301dcf78fb9edd0ea444b63b7d8d17d214e915b82f8d120a459c7504ccec3fb

Download Submit
C:\Windows\{C5BEA580-E6B7-459d-8F8E-647988AA76A4}.exe

Filesize
408KB

MD5
d923e404874aebe487254193243c7e6d

SHA1
523681b3a57ee6acd2eca6fd202c95c6e1bff817

SHA256
5f096ddddba25bb9f58ad47b09313b8b1e6ecf3d4be7d32495270a006f8203ab

SHA512
2a2f600099c0aaec71f876bd175c169474b68eac961f25d5b5b228a4ff757e68a8725ef94084bb742b36a0f7e8fe6c88f56622209e100a130f7239999942ae91

Download Submit
C:\Windows\{CD860F5B-108E-4c46-AEC6-B02F36CD1C67}.exe

Filesize
408KB

MD5
1b28e68220bb488864a7c4ebd13e8406

SHA1
d1c4915eda808be270a85a1603e0b422c751bbb6

SHA256
2c7003240eefd92573943a14dc2dde833b9765caef99980c62e241d5c27fbdda

SHA512
9f406a58cf015ed63e1eac0e40afd57c450474d6028aa8df174e53cac27c6620c7ef6b30442b99ffea7828f059a4da9e5a4e0abb802142f428103eaff3f4ca41

Download Submit
C:\Windows\{D2CEB802-6ECC-43eb-9C01-41D0ABBC11E3}.exe

Filesize
408KB

MD5
d2bfd07ef1d383fbb4d3a8da0059359b

SHA1
257a71210bc07ca5f39c387b800bc1473122499a

SHA256
157608b0d2315ae87d268288cc4f3ba59a70b799a86039e205d2fbf19d6e9d69

SHA512
7b85132482703497fa12ed00b6bd73bdb5ac7ff0c6f76d990526fef3d4a3981bfa17aaf248883db6e6263bf32ac0c74e49961ac43dc979c19bdcd098389ac708

Download Submit
C:\Windows\{F5319B8D-52C7-42f8-B612-347E6585DAB6}.exe

Filesize
408KB

MD5
b90daf7279efcfd2cf9ff26b9b9ca66e

SHA1
7aff369dd2a38bf9135dbd40f061f8d92e7a38c2

SHA256
f91350d908a039e88bd375befa52f83b39949144c4448c4d9f22ea1493fb6813

SHA512
5288353f5445a8127b04caf5a5651dca81e36efa4256e7711afd0d9064e23a593466a9a3eac68fe76dcd915fb437dca2b24e2788e539f298800854f2371e8ea6

Download Submit
C:\Windows\{F83AF1E5-3F92-4c87-805F-A6455D290487}.exe

Filesize
408KB

MD5
b14b3db0db293cdbc1b34cde2767245d

SHA1
6ae1dd83d9a143cbc05051e483af5b255807b1a8

SHA256
4b74ab4a5ce497276f68b6797a9ca2c26a1e63f1b08f07fe9df73c95982d5339

SHA512
0158e7cb49f09de4e349a3d83fd1c3d6814cc3a7051d96209ee151268c359d82ad3323a84580c10ad8b08ba3d7a37f1d4e05b3d8733d0d68a6a1ace53733a943

Download Submit