affd6ffb8eb7c03feadbdd7c555ce18175e4583cdc3a6422a9a41d019ec17ca3

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe
Size

344KB
MD5

bc0408b213fdeb332d4b7b317f137703
SHA1

58a586ea6d7446f01f034d1d24bf836df71e37e6
SHA256

affd6ffb8eb7c03feadbdd7c555ce18175e4583cdc3a6422a9a41d019ec17ca3
SHA512

07d93ff1ecade03971ace9cf56d31449a80f375d1efda2eabd2479a947b7cc4a07c8d5f17f96e5682d0aaaf21824b380d0f894674b0235f5b63f84b8b4470edb
SSDEEP

3072:mEGh0owlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGylqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{91104075-B892-43e4-997D-D1555250DFBA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6188EFE8-6E47-4126-AC00-E4534B36E76A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6EBAA7B2-B632-4e43-AEFC-AF320014C822}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C7B3F7B6-C230-41ab-BB3E-CA7C6E9C8AD0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe{91104075-B892-43e4-997D-D1555250DFBA}.exe{6188EFE8-6E47-4126-AC00-E4534B36E76A}.exe{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe{6EBAA7B2-B632-4e43-AEFC-AF320014C822}.exe{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}\stubpath = "C:\\Windows\\{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe"	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{153144BE-C5BE-4595-8287-BFE765B9D11F}\stubpath = "C:\\Windows\\{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe"	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{552A803A-6EE8-4daf-8E80-CEE9750058E4}	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{552A803A-6EE8-4daf-8E80-CEE9750058E4}\stubpath = "C:\\Windows\\{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe"	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6188EFE8-6E47-4126-AC00-E4534B36E76A}	{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91104075-B892-43e4-997D-D1555250DFBA}	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}	{91104075-B892-43e4-997D-D1555250DFBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}\stubpath = "C:\\Windows\\{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe"	{91104075-B892-43e4-997D-D1555250DFBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EBAA7B2-B632-4e43-AEFC-AF320014C822}\stubpath = "C:\\Windows\\{6EBAA7B2-B632-4e43-AEFC-AF320014C822}.exe"	{6188EFE8-6E47-4126-AC00-E4534B36E76A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B9032D7-8CC4-4197-AFF3-B678492DC34F}\stubpath = "C:\\Windows\\{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe"	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B9032D7-8CC4-4197-AFF3-B678492DC34F}	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6188EFE8-6E47-4126-AC00-E4534B36E76A}\stubpath = "C:\\Windows\\{6188EFE8-6E47-4126-AC00-E4534B36E76A}.exe"	{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7B3F7B6-C230-41ab-BB3E-CA7C6E9C8AD0}\stubpath = "C:\\Windows\\{C7B3F7B6-C230-41ab-BB3E-CA7C6E9C8AD0}.exe"	{6EBAA7B2-B632-4e43-AEFC-AF320014C822}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91104075-B892-43e4-997D-D1555250DFBA}\stubpath = "C:\\Windows\\{91104075-B892-43e4-997D-D1555250DFBA}.exe"	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7EC7179-FF40-41ad-9524-A0A9331648FD}	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7EC7179-FF40-41ad-9524-A0A9331648FD}\stubpath = "C:\\Windows\\{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe"	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7B3F7B6-C230-41ab-BB3E-CA7C6E9C8AD0}	{6EBAA7B2-B632-4e43-AEFC-AF320014C822}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}\stubpath = "C:\\Windows\\{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe"	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{153144BE-C5BE-4595-8287-BFE765B9D11F}	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EBAA7B2-B632-4e43-AEFC-AF320014C822}	{6188EFE8-6E47-4126-AC00-E4534B36E76A}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2716 cmd.exe

pid	process
2716	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe{91104075-B892-43e4-997D-D1555250DFBA}.exe{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe{6188EFE8-6E47-4126-AC00-E4534B36E76A}.exe{6EBAA7B2-B632-4e43-AEFC-AF320014C822}.exe{C7B3F7B6-C230-41ab-BB3E-CA7C6E9C8AD0}.exe

pid	process
2136	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe
2828	{91104075-B892-43e4-997D-D1555250DFBA}.exe
2600	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe
2016	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe
2364	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe
1148	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe
1864	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe
1120	{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe
2376	{6188EFE8-6E47-4126-AC00-E4534B36E76A}.exe
2252	{6EBAA7B2-B632-4e43-AEFC-AF320014C822}.exe
2032	{C7B3F7B6-C230-41ab-BB3E-CA7C6E9C8AD0}.exe

Drops file in Windows directory 11 IoCs

Processes:

{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe{91104075-B892-43e4-997D-D1555250DFBA}.exe{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe{6188EFE8-6E47-4126-AC00-E4534B36E76A}.exe{6EBAA7B2-B632-4e43-AEFC-AF320014C822}.exe

description	ioc	process
File created	C:\Windows\{91104075-B892-43e4-997D-D1555250DFBA}.exe	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe
File created	C:\Windows\{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe	{91104075-B892-43e4-997D-D1555250DFBA}.exe
File created	C:\Windows\{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe
File created	C:\Windows\{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe
File created	C:\Windows\{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe
File created	C:\Windows\{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe
File created	C:\Windows\{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe
File created	C:\Windows\{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe
File created	C:\Windows\{6188EFE8-6E47-4126-AC00-E4534B36E76A}.exe	{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe
File created	C:\Windows\{6EBAA7B2-B632-4e43-AEFC-AF320014C822}.exe	{6188EFE8-6E47-4126-AC00-E4534B36E76A}.exe
File created	C:\Windows\{C7B3F7B6-C230-41ab-BB3E-CA7C6E9C8AD0}.exe	{6EBAA7B2-B632-4e43-AEFC-AF320014C822}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe{91104075-B892-43e4-997D-D1555250DFBA}.exe{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe{6188EFE8-6E47-4126-AC00-E4534B36E76A}.exe{6EBAA7B2-B632-4e43-AEFC-AF320014C822}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2092	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2136	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe
Token: SeIncBasePriorityPrivilege	2828	{91104075-B892-43e4-997D-D1555250DFBA}.exe
Token: SeIncBasePriorityPrivilege	2600	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe
Token: SeIncBasePriorityPrivilege	2016	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe
Token: SeIncBasePriorityPrivilege	2364	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe
Token: SeIncBasePriorityPrivilege	1148	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe
Token: SeIncBasePriorityPrivilege	1864	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe
Token: SeIncBasePriorityPrivilege	1120	{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe
Token: SeIncBasePriorityPrivilege	2376	{6188EFE8-6E47-4126-AC00-E4534B36E76A}.exe
Token: SeIncBasePriorityPrivilege	2252	{6EBAA7B2-B632-4e43-AEFC-AF320014C822}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2092 wrote to memory of 2136	2092	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe
PID 2092 wrote to memory of 2136	2092	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe
PID 2092 wrote to memory of 2136	2092	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe
PID 2092 wrote to memory of 2136	2092	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe
PID 2092 wrote to memory of 2716	2092	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe	cmd.exe
PID 2092 wrote to memory of 2716	2092	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe	cmd.exe
PID 2092 wrote to memory of 2716	2092	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe	cmd.exe
PID 2092 wrote to memory of 2716	2092	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe	cmd.exe
PID 2136 wrote to memory of 2828	2136	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe	{91104075-B892-43e4-997D-D1555250DFBA}.exe
PID 2136 wrote to memory of 2828	2136	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe	{91104075-B892-43e4-997D-D1555250DFBA}.exe
PID 2136 wrote to memory of 2828	2136	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe	{91104075-B892-43e4-997D-D1555250DFBA}.exe
PID 2136 wrote to memory of 2828	2136	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe	{91104075-B892-43e4-997D-D1555250DFBA}.exe
PID 2136 wrote to memory of 2820	2136	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe	cmd.exe
PID 2136 wrote to memory of 2820	2136	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe	cmd.exe
PID 2136 wrote to memory of 2820	2136	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe	cmd.exe
PID 2136 wrote to memory of 2820	2136	{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe	cmd.exe
PID 2828 wrote to memory of 2600	2828	{91104075-B892-43e4-997D-D1555250DFBA}.exe	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe
PID 2828 wrote to memory of 2600	2828	{91104075-B892-43e4-997D-D1555250DFBA}.exe	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe
PID 2828 wrote to memory of 2600	2828	{91104075-B892-43e4-997D-D1555250DFBA}.exe	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe
PID 2828 wrote to memory of 2600	2828	{91104075-B892-43e4-997D-D1555250DFBA}.exe	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe
PID 2828 wrote to memory of 3008	2828	{91104075-B892-43e4-997D-D1555250DFBA}.exe	cmd.exe
PID 2828 wrote to memory of 3008	2828	{91104075-B892-43e4-997D-D1555250DFBA}.exe	cmd.exe
PID 2828 wrote to memory of 3008	2828	{91104075-B892-43e4-997D-D1555250DFBA}.exe	cmd.exe
PID 2828 wrote to memory of 3008	2828	{91104075-B892-43e4-997D-D1555250DFBA}.exe	cmd.exe
PID 2600 wrote to memory of 2016	2600	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe
PID 2600 wrote to memory of 2016	2600	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe
PID 2600 wrote to memory of 2016	2600	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe
PID 2600 wrote to memory of 2016	2600	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe
PID 2600 wrote to memory of 2880	2600	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe	cmd.exe
PID 2600 wrote to memory of 2880	2600	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe	cmd.exe
PID 2600 wrote to memory of 2880	2600	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe	cmd.exe
PID 2600 wrote to memory of 2880	2600	{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe	cmd.exe
PID 2016 wrote to memory of 2364	2016	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe
PID 2016 wrote to memory of 2364	2016	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe
PID 2016 wrote to memory of 2364	2016	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe
PID 2016 wrote to memory of 2364	2016	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe
PID 2016 wrote to memory of 340	2016	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe	cmd.exe
PID 2016 wrote to memory of 340	2016	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe	cmd.exe
PID 2016 wrote to memory of 340	2016	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe	cmd.exe
PID 2016 wrote to memory of 340	2016	{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe	cmd.exe
PID 2364 wrote to memory of 1148	2364	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe
PID 2364 wrote to memory of 1148	2364	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe
PID 2364 wrote to memory of 1148	2364	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe
PID 2364 wrote to memory of 1148	2364	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe
PID 2364 wrote to memory of 1224	2364	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe	cmd.exe
PID 2364 wrote to memory of 1224	2364	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe	cmd.exe
PID 2364 wrote to memory of 1224	2364	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe	cmd.exe
PID 2364 wrote to memory of 1224	2364	{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe	cmd.exe
PID 1148 wrote to memory of 1864	1148	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe
PID 1148 wrote to memory of 1864	1148	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe
PID 1148 wrote to memory of 1864	1148	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe
PID 1148 wrote to memory of 1864	1148	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe
PID 1148 wrote to memory of 380	1148	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe	cmd.exe
PID 1148 wrote to memory of 380	1148	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe	cmd.exe
PID 1148 wrote to memory of 380	1148	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe	cmd.exe
PID 1148 wrote to memory of 380	1148	{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe	cmd.exe
PID 1864 wrote to memory of 1120	1864	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe	{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe
PID 1864 wrote to memory of 1120	1864	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe	{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe
PID 1864 wrote to memory of 1120	1864	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe	{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe
PID 1864 wrote to memory of 1120	1864	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe	{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe
PID 1864 wrote to memory of 2748	1864	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe	cmd.exe
PID 1864 wrote to memory of 2748	1864	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe	cmd.exe
PID 1864 wrote to memory of 2748	1864	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe	cmd.exe
PID 1864 wrote to memory of 2748	1864	{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe
C:\Windows\{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\{91104075-B892-43e4-997D-D1555250DFBA}.exe
C:\Windows\{91104075-B892-43e4-997D-D1555250DFBA}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe
C:\Windows\{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe
C:\Windows\{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe
C:\Windows\{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{15314~1.EXE > nul
7⤵
PID:1224

C:\Windows\{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe
C:\Windows\{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0B903~1.EXE > nul
8⤵
PID:380

C:\Windows\{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe
C:\Windows\{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe
C:\Windows\{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C7EC7~1.EXE > nul
10⤵
PID:628

C:\Windows\{6188EFE8-6E47-4126-AC00-E4534B36E76A}.exe
C:\Windows\{6188EFE8-6E47-4126-AC00-E4534B36E76A}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6188E~1.EXE > nul
11⤵
PID:2956

C:\Windows\{6EBAA7B2-B632-4e43-AEFC-AF320014C822}.exe
C:\Windows\{6EBAA7B2-B632-4e43-AEFC-AF320014C822}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6EBAA~1.EXE > nul
12⤵
PID:2260

C:\Windows\{C7B3F7B6-C230-41ab-BB3E-CA7C6E9C8AD0}.exe
C:\Windows\{C7B3F7B6-C230-41ab-BB3E-CA7C6E9C8AD0}.exe
12⤵
- Executes dropped EXE
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{552A8~1.EXE > nul
9⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7CBDC~1.EXE > nul
6⤵
PID:340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EDA6B~1.EXE > nul
5⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{91104~1.EXE > nul
4⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6BFDD~1.EXE > nul
3⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B9032D7-8CC4-4197-AFF3-B678492DC34F}.exe

Filesize
344KB

MD5
fd71a2de4a879c283b1e1b257dacd4bc

SHA1
cfaac46d21228af774f13f830f6d5f07f5a710ae

SHA256
27ef35f9406366fb4269dde40b055c010e0d501c067e31f8548b548d3cd672be

SHA512
42292480019a96f078192be3b0f4b7600f0f2a64281a6ec92dfc2309ec43b43ff3ed1874ee3f7723f86549630e4562ec7713259fa55d42d920eaacbdf406b299

Download Submit
C:\Windows\{153144BE-C5BE-4595-8287-BFE765B9D11F}.exe

Filesize
344KB

MD5
94f190f6fa6d4756de56cdc962e9fe62

SHA1
6d003ce5ba608a27b441c370729d4a7416cfc89e

SHA256
6bf951d0decef3aa5b79526dda5db1c0a3f7bd07670cee9c3c3c1765f100ad3b

SHA512
56fde22cac9a951e3fd3c0e82acfa21e94c0dc5efef534706ffad3581530032cfb6c0b3bc71a30c79fbc1dc6411d4b093c86441229bf3ccc24ed0285b8710a99

Download Submit
C:\Windows\{552A803A-6EE8-4daf-8E80-CEE9750058E4}.exe

Filesize
344KB

MD5
299e77b3472f7a4adc8088974d2153ac

SHA1
cd3b0f12fc9fb81ff2eacea985a9da392553001c

SHA256
fe06c794cdb557e648e9f142dcbff76692bd826bebbb00fa26ed9804b5ceecdc

SHA512
fd9a21255123076e1fbcbc463f9feab3eef502d4ca5316e43b84b360c9ae7fefea583f388a8a5f25ad9b03a6882a276375281fcc3d2b98dddb42d19290a35b72

Download Submit
C:\Windows\{6188EFE8-6E47-4126-AC00-E4534B36E76A}.exe

Filesize
344KB

MD5
c8601a03958fa3301c065e1ca8198146

SHA1
6563d744a1f5c2a2092f227b065978e434f7c383

SHA256
b4dc5e61cc4c7465566b9a7957fa493386fd4c6e97f2642e0a4270e0844b3842

SHA512
97795ac39a7ee5edb6bb1286afb1d3b69ece54ab6e3f104b4a55c38fdba0ea42c54ca68ccf2167719f0dfb53e3509e43f00fc06f103e1b34e24799f2a88a8698

Download Submit
C:\Windows\{6BFDD1FB-A033-4b93-B099-DDC9DB1AD596}.exe

Filesize
344KB

MD5
24b67da351b51fc62bb644052a0c1c47

SHA1
08ea947a43247ed0bc1cc07a71df76e0c02e8ac1

SHA256
dbd9d29498c0d446287aba846d6abba61e9662b81f40e4cc9c084cbe17a7904a

SHA512
bcb6a761f8c286ae37bba3639c5684340e160e560ededa85dc7625e929734ca5dc50f239a20ad84b525604ccc24b40f8f684b6d267411184b60be64dbaaf9d53

Download Submit
C:\Windows\{6EBAA7B2-B632-4e43-AEFC-AF320014C822}.exe

Filesize
344KB

MD5
85ee6d0a530ca3a79c022acddbefd2e1

SHA1
d2888bfbe1d4fb20348784c65dc3a3abf230c7cc

SHA256
2a7af408009963a6d8a37bfdee5cf9de5d51b787cd9b49c62b32deee73030c73

SHA512
609f8098f444f77592041263dcc97ca08d6a965652b801ca571893fe2c7f234dac1cc35620c96b50dc7d2b0a1d59c0f2808621618ea145d3964439d0000adc46

Download Submit
C:\Windows\{7CBDCA28-2D8A-4ac4-9EF2-B671B76F5F1A}.exe

Filesize
344KB

MD5
57dd1a6a451f882c7beb02221bd03376

SHA1
81027e02b02045f7ec47d478f540f06cc67ec5a2

SHA256
836b0f520de079a9919abd3251dd428c2b62162c5bee59d9d9a555dc8d9023b8

SHA512
11097eb892d68dd8f495d14307e39187cae18242d5837d70fbe41906a74550865416a6741b993354c4bfd041826acbcbcc19a3da0a607cf4ef6aff1e6d79f03a

Download Submit
C:\Windows\{91104075-B892-43e4-997D-D1555250DFBA}.exe

Filesize
344KB

MD5
0ee8720fbb88079afc615dea134c0d5f

SHA1
211fd46c283eeea4eeef9af78eec8e6e326a0bf1

SHA256
c163d5f05728adc9557f4c0385dc29747070a3f0d185dd819f1033b4f316a495

SHA512
b52b6d887dced9500626a7e32ec35dbdd621c3d27ab71a6287e0408e1e6ee935bbe24b57f6c42402616931eeb31b4b1c8f6073265375e03978f3f9e67a15324b

Download Submit
C:\Windows\{C7B3F7B6-C230-41ab-BB3E-CA7C6E9C8AD0}.exe

Filesize
344KB

MD5
0e2303a287206bfce57dcd392496851b

SHA1
7fd29310a6fa8b45142a324afb0c1582a6441009

SHA256
0d8d28cdb6108f5d87406b15299418aff5eb0249227256ac0e1b3ad36e1a4432

SHA512
02e1e679d6db4a3a20f3a1f22ace225fd9c1a17a8ce636c408a0c2aeba7efea01ee588a5eb628c9d84917621ecfcbf364869860ec03d75195662e2007a85cf29

Download Submit
C:\Windows\{C7EC7179-FF40-41ad-9524-A0A9331648FD}.exe

Filesize
344KB

MD5
6bc193188873f9bc67d8c16a5f81a17a

SHA1
060d015f8dad222cd8d1d6cc8d1049bbc926d16a

SHA256
1a4a09101e4912386069aa196b6c440a7b8cfbbb80ef7dabb601edecaca47462

SHA512
68ffe71854d02e69080cf50b308c3e15218d0a703be5784d8247b87a9bddb69ea9cfaa5fdeeed4caf05d0bdd280e17206dddbc14827d5e2ef760d2068a39816f

Download Submit
C:\Windows\{EDA6BA8F-3AB2-44fb-B608-1C74EAD4E99A}.exe

Filesize
344KB

MD5
48fa0d6ae291565bf0ab69375af60b56

SHA1
921f27775e87cd7f15f50c9c988959c90d85af15

SHA256
411f5f93202d0672650f00584f55fcc55840604849efb7f6a4f76fda905a8549

SHA512
c2437de40196008e03afbfaf1015f1d58c20e12f03198e9d46380f0c80abdcebd53de50b9fc1580133f3c10d08ebb56cb035dca8be907f3425410418db17c226

Download Submit