affd6ffb8eb7c03feadbdd7c555ce18175e4583cdc3a6422a9a41d019ec17ca3

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe
Size

344KB
MD5

bc0408b213fdeb332d4b7b317f137703
SHA1

58a586ea6d7446f01f034d1d24bf836df71e37e6
SHA256

affd6ffb8eb7c03feadbdd7c555ce18175e4583cdc3a6422a9a41d019ec17ca3
SHA512

07d93ff1ecade03971ace9cf56d31449a80f375d1efda2eabd2479a947b7cc4a07c8d5f17f96e5682d0aaaf21824b380d0f894674b0235f5b63f84b8b4470edb
SSDEEP

3072:mEGh0owlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGylqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{45124306-6726-49bb-9920-7676623F3C02}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1EE36A15-F127-4e72-977E-B6743744A584}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6A77DC26-9316-42f7-96A9-B9E439930175}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{07884154-92A7-42f1-A40E-032DC894189B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E034985A-1A46-4e43-B918-31BED1B65808}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{919CA1F9-13A8-4f40-9D22-7B1DCD19CD2A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe{1EE36A15-F127-4e72-977E-B6743744A584}.exe{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe{E034985A-1A46-4e43-B918-31BED1B65808}.exe{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe{07884154-92A7-42f1-A40E-032DC894189B}.exe{45124306-6726-49bb-9920-7676623F3C02}.exe{6A77DC26-9316-42f7-96A9-B9E439930175}.exe{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}\stubpath = "C:\\Windows\\{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe"	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A77DC26-9316-42f7-96A9-B9E439930175}\stubpath = "C:\\Windows\\{6A77DC26-9316-42f7-96A9-B9E439930175}.exe"	{1EE36A15-F127-4e72-977E-B6743744A584}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}\stubpath = "C:\\Windows\\{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe"	{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E034985A-1A46-4e43-B918-31BED1B65808}\stubpath = "C:\\Windows\\{E034985A-1A46-4e43-B918-31BED1B65808}.exe"	{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9E54598-78AC-440d-9251-9CC515FEE6A4}	{E034985A-1A46-4e43-B918-31BED1B65808}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}\stubpath = "C:\\Windows\\{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe"	{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45124306-6726-49bb-9920-7676623F3C02}	{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45124306-6726-49bb-9920-7676623F3C02}\stubpath = "C:\\Windows\\{45124306-6726-49bb-9920-7676623F3C02}.exe"	{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A283733E-B0DF-4005-96E4-9B2BC27CC197}	{07884154-92A7-42f1-A40E-032DC894189B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}	{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E034985A-1A46-4e43-B918-31BED1B65808}	{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EE36A15-F127-4e72-977E-B6743744A584}\stubpath = "C:\\Windows\\{1EE36A15-F127-4e72-977E-B6743744A584}.exe"	{45124306-6726-49bb-9920-7676623F3C02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07884154-92A7-42f1-A40E-032DC894189B}	{6A77DC26-9316-42f7-96A9-B9E439930175}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07884154-92A7-42f1-A40E-032DC894189B}\stubpath = "C:\\Windows\\{07884154-92A7-42f1-A40E-032DC894189B}.exe"	{6A77DC26-9316-42f7-96A9-B9E439930175}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A283733E-B0DF-4005-96E4-9B2BC27CC197}\stubpath = "C:\\Windows\\{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe"	{07884154-92A7-42f1-A40E-032DC894189B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}	{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}\stubpath = "C:\\Windows\\{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe"	{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9E54598-78AC-440d-9251-9CC515FEE6A4}\stubpath = "C:\\Windows\\{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe"	{E034985A-1A46-4e43-B918-31BED1B65808}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EE36A15-F127-4e72-977E-B6743744A584}	{45124306-6726-49bb-9920-7676623F3C02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A77DC26-9316-42f7-96A9-B9E439930175}	{1EE36A15-F127-4e72-977E-B6743744A584}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}	{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{919CA1F9-13A8-4f40-9D22-7B1DCD19CD2A}	{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{919CA1F9-13A8-4f40-9D22-7B1DCD19CD2A}\stubpath = "C:\\Windows\\{919CA1F9-13A8-4f40-9D22-7B1DCD19CD2A}.exe"	{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe

Executes dropped EXE 12 IoCs

Processes:

{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe{45124306-6726-49bb-9920-7676623F3C02}.exe{1EE36A15-F127-4e72-977E-B6743744A584}.exe{6A77DC26-9316-42f7-96A9-B9E439930175}.exe{07884154-92A7-42f1-A40E-032DC894189B}.exe{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe{E034985A-1A46-4e43-B918-31BED1B65808}.exe{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe{919CA1F9-13A8-4f40-9D22-7B1DCD19CD2A}.exe

pid	process
1824	{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe
5072	{45124306-6726-49bb-9920-7676623F3C02}.exe
2776	{1EE36A15-F127-4e72-977E-B6743744A584}.exe
3432	{6A77DC26-9316-42f7-96A9-B9E439930175}.exe
4700	{07884154-92A7-42f1-A40E-032DC894189B}.exe
4460	{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe
4508	{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe
1520	{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe
5080	{E034985A-1A46-4e43-B918-31BED1B65808}.exe
4140	{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe
912	{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe
1132	{919CA1F9-13A8-4f40-9D22-7B1DCD19CD2A}.exe

Drops file in Windows directory 12 IoCs

Processes:

{E034985A-1A46-4e43-B918-31BED1B65808}.exe{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe{6A77DC26-9316-42f7-96A9-B9E439930175}.exe{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe{45124306-6726-49bb-9920-7676623F3C02}.exe{1EE36A15-F127-4e72-977E-B6743744A584}.exe{07884154-92A7-42f1-A40E-032DC894189B}.exe{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe

description	ioc	process
File created	C:\Windows\{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe	{E034985A-1A46-4e43-B918-31BED1B65808}.exe
File created	C:\Windows\{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe	{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe
File created	C:\Windows\{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe
File created	C:\Windows\{45124306-6726-49bb-9920-7676623F3C02}.exe	{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe
File created	C:\Windows\{07884154-92A7-42f1-A40E-032DC894189B}.exe	{6A77DC26-9316-42f7-96A9-B9E439930175}.exe
File created	C:\Windows\{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe	{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe
File created	C:\Windows\{E034985A-1A46-4e43-B918-31BED1B65808}.exe	{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe
File created	C:\Windows\{919CA1F9-13A8-4f40-9D22-7B1DCD19CD2A}.exe	{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe
File created	C:\Windows\{1EE36A15-F127-4e72-977E-B6743744A584}.exe	{45124306-6726-49bb-9920-7676623F3C02}.exe
File created	C:\Windows\{6A77DC26-9316-42f7-96A9-B9E439930175}.exe	{1EE36A15-F127-4e72-977E-B6743744A584}.exe
File created	C:\Windows\{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe	{07884154-92A7-42f1-A40E-032DC894189B}.exe
File created	C:\Windows\{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe	{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe{45124306-6726-49bb-9920-7676623F3C02}.exe{1EE36A15-F127-4e72-977E-B6743744A584}.exe{6A77DC26-9316-42f7-96A9-B9E439930175}.exe{07884154-92A7-42f1-A40E-032DC894189B}.exe{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe{E034985A-1A46-4e43-B918-31BED1B65808}.exe{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3696	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1824	{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe
Token: SeIncBasePriorityPrivilege	5072	{45124306-6726-49bb-9920-7676623F3C02}.exe
Token: SeIncBasePriorityPrivilege	2776	{1EE36A15-F127-4e72-977E-B6743744A584}.exe
Token: SeIncBasePriorityPrivilege	3432	{6A77DC26-9316-42f7-96A9-B9E439930175}.exe
Token: SeIncBasePriorityPrivilege	4700	{07884154-92A7-42f1-A40E-032DC894189B}.exe
Token: SeIncBasePriorityPrivilege	4460	{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe
Token: SeIncBasePriorityPrivilege	4508	{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe
Token: SeIncBasePriorityPrivilege	1520	{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe
Token: SeIncBasePriorityPrivilege	5080	{E034985A-1A46-4e43-B918-31BED1B65808}.exe
Token: SeIncBasePriorityPrivilege	4140	{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe
Token: SeIncBasePriorityPrivilege	912	{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3696 wrote to memory of 1824	3696	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe	{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe
PID 3696 wrote to memory of 1824	3696	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe	{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe
PID 3696 wrote to memory of 1824	3696	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe	{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe
PID 3696 wrote to memory of 4148	3696	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe	cmd.exe
PID 3696 wrote to memory of 4148	3696	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe	cmd.exe
PID 3696 wrote to memory of 4148	3696	2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe	cmd.exe
PID 1824 wrote to memory of 5072	1824	{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe	{45124306-6726-49bb-9920-7676623F3C02}.exe
PID 1824 wrote to memory of 5072	1824	{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe	{45124306-6726-49bb-9920-7676623F3C02}.exe
PID 1824 wrote to memory of 5072	1824	{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe	{45124306-6726-49bb-9920-7676623F3C02}.exe
PID 1824 wrote to memory of 4036	1824	{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe	cmd.exe
PID 1824 wrote to memory of 4036	1824	{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe	cmd.exe
PID 1824 wrote to memory of 4036	1824	{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe	cmd.exe
PID 5072 wrote to memory of 2776	5072	{45124306-6726-49bb-9920-7676623F3C02}.exe	{1EE36A15-F127-4e72-977E-B6743744A584}.exe
PID 5072 wrote to memory of 2776	5072	{45124306-6726-49bb-9920-7676623F3C02}.exe	{1EE36A15-F127-4e72-977E-B6743744A584}.exe
PID 5072 wrote to memory of 2776	5072	{45124306-6726-49bb-9920-7676623F3C02}.exe	{1EE36A15-F127-4e72-977E-B6743744A584}.exe
PID 5072 wrote to memory of 400	5072	{45124306-6726-49bb-9920-7676623F3C02}.exe	cmd.exe
PID 5072 wrote to memory of 400	5072	{45124306-6726-49bb-9920-7676623F3C02}.exe	cmd.exe
PID 5072 wrote to memory of 400	5072	{45124306-6726-49bb-9920-7676623F3C02}.exe	cmd.exe
PID 2776 wrote to memory of 3432	2776	{1EE36A15-F127-4e72-977E-B6743744A584}.exe	{6A77DC26-9316-42f7-96A9-B9E439930175}.exe
PID 2776 wrote to memory of 3432	2776	{1EE36A15-F127-4e72-977E-B6743744A584}.exe	{6A77DC26-9316-42f7-96A9-B9E439930175}.exe
PID 2776 wrote to memory of 3432	2776	{1EE36A15-F127-4e72-977E-B6743744A584}.exe	{6A77DC26-9316-42f7-96A9-B9E439930175}.exe
PID 2776 wrote to memory of 4484	2776	{1EE36A15-F127-4e72-977E-B6743744A584}.exe	cmd.exe
PID 2776 wrote to memory of 4484	2776	{1EE36A15-F127-4e72-977E-B6743744A584}.exe	cmd.exe
PID 2776 wrote to memory of 4484	2776	{1EE36A15-F127-4e72-977E-B6743744A584}.exe	cmd.exe
PID 3432 wrote to memory of 4700	3432	{6A77DC26-9316-42f7-96A9-B9E439930175}.exe	{07884154-92A7-42f1-A40E-032DC894189B}.exe
PID 3432 wrote to memory of 4700	3432	{6A77DC26-9316-42f7-96A9-B9E439930175}.exe	{07884154-92A7-42f1-A40E-032DC894189B}.exe
PID 3432 wrote to memory of 4700	3432	{6A77DC26-9316-42f7-96A9-B9E439930175}.exe	{07884154-92A7-42f1-A40E-032DC894189B}.exe
PID 3432 wrote to memory of 4812	3432	{6A77DC26-9316-42f7-96A9-B9E439930175}.exe	cmd.exe
PID 3432 wrote to memory of 4812	3432	{6A77DC26-9316-42f7-96A9-B9E439930175}.exe	cmd.exe
PID 3432 wrote to memory of 4812	3432	{6A77DC26-9316-42f7-96A9-B9E439930175}.exe	cmd.exe
PID 4700 wrote to memory of 4460	4700	{07884154-92A7-42f1-A40E-032DC894189B}.exe	{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe
PID 4700 wrote to memory of 4460	4700	{07884154-92A7-42f1-A40E-032DC894189B}.exe	{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe
PID 4700 wrote to memory of 4460	4700	{07884154-92A7-42f1-A40E-032DC894189B}.exe	{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe
PID 4700 wrote to memory of 4456	4700	{07884154-92A7-42f1-A40E-032DC894189B}.exe	cmd.exe
PID 4700 wrote to memory of 4456	4700	{07884154-92A7-42f1-A40E-032DC894189B}.exe	cmd.exe
PID 4700 wrote to memory of 4456	4700	{07884154-92A7-42f1-A40E-032DC894189B}.exe	cmd.exe
PID 4460 wrote to memory of 4508	4460	{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe	{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe
PID 4460 wrote to memory of 4508	4460	{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe	{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe
PID 4460 wrote to memory of 4508	4460	{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe	{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe
PID 4460 wrote to memory of 4984	4460	{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe	cmd.exe
PID 4460 wrote to memory of 4984	4460	{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe	cmd.exe
PID 4460 wrote to memory of 4984	4460	{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe	cmd.exe
PID 4508 wrote to memory of 1520	4508	{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe	{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe
PID 4508 wrote to memory of 1520	4508	{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe	{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe
PID 4508 wrote to memory of 1520	4508	{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe	{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe
PID 4508 wrote to memory of 4728	4508	{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe	cmd.exe
PID 4508 wrote to memory of 4728	4508	{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe	cmd.exe
PID 4508 wrote to memory of 4728	4508	{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe	cmd.exe
PID 1520 wrote to memory of 5080	1520	{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe	{E034985A-1A46-4e43-B918-31BED1B65808}.exe
PID 1520 wrote to memory of 5080	1520	{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe	{E034985A-1A46-4e43-B918-31BED1B65808}.exe
PID 1520 wrote to memory of 5080	1520	{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe	{E034985A-1A46-4e43-B918-31BED1B65808}.exe
PID 1520 wrote to memory of 1228	1520	{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe	cmd.exe
PID 1520 wrote to memory of 1228	1520	{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe	cmd.exe
PID 1520 wrote to memory of 1228	1520	{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe	cmd.exe
PID 5080 wrote to memory of 4140	5080	{E034985A-1A46-4e43-B918-31BED1B65808}.exe	{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe
PID 5080 wrote to memory of 4140	5080	{E034985A-1A46-4e43-B918-31BED1B65808}.exe	{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe
PID 5080 wrote to memory of 4140	5080	{E034985A-1A46-4e43-B918-31BED1B65808}.exe	{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe
PID 5080 wrote to memory of 2388	5080	{E034985A-1A46-4e43-B918-31BED1B65808}.exe	cmd.exe
PID 5080 wrote to memory of 2388	5080	{E034985A-1A46-4e43-B918-31BED1B65808}.exe	cmd.exe
PID 5080 wrote to memory of 2388	5080	{E034985A-1A46-4e43-B918-31BED1B65808}.exe	cmd.exe
PID 4140 wrote to memory of 912	4140	{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe	{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe
PID 4140 wrote to memory of 912	4140	{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe	{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe
PID 4140 wrote to memory of 912	4140	{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe	{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe
PID 4140 wrote to memory of 2600	4140	{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_bc0408b213fdeb332d4b7b317f137703_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe
C:\Windows\{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\{45124306-6726-49bb-9920-7676623F3C02}.exe
C:\Windows\{45124306-6726-49bb-9920-7676623F3C02}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{45124~1.EXE > nul
4⤵
PID:400

C:\Windows\{1EE36A15-F127-4e72-977E-B6743744A584}.exe
C:\Windows\{1EE36A15-F127-4e72-977E-B6743744A584}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\{6A77DC26-9316-42f7-96A9-B9E439930175}.exe
C:\Windows\{6A77DC26-9316-42f7-96A9-B9E439930175}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\{07884154-92A7-42f1-A40E-032DC894189B}.exe
C:\Windows\{07884154-92A7-42f1-A40E-032DC894189B}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe
C:\Windows\{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe
C:\Windows\{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe
C:\Windows\{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\{E034985A-1A46-4e43-B918-31BED1B65808}.exe
C:\Windows\{E034985A-1A46-4e43-B918-31BED1B65808}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe
C:\Windows\{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe
C:\Windows\{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\{919CA1F9-13A8-4f40-9D22-7B1DCD19CD2A}.exe
C:\Windows\{919CA1F9-13A8-4f40-9D22-7B1DCD19CD2A}.exe
13⤵
- Executes dropped EXE
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C3AF0~1.EXE > nul
13⤵
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F9E54~1.EXE > nul
12⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E0349~1.EXE > nul
11⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F2E78~1.EXE > nul
10⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DCD02~1.EXE > nul
9⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A2837~1.EXE > nul
8⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{07884~1.EXE > nul
7⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6A77D~1.EXE > nul
6⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1EE36~1.EXE > nul
5⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D3B29~1.EXE > nul
3⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07884154-92A7-42f1-A40E-032DC894189B}.exe

Filesize
344KB

MD5
100e183b11fb7a0bef50169186886034

SHA1
1f79854039b417929b222040a9e8cc1762263faf

SHA256
77df66085938715d2dfa9da03c89e1b09529199cc3926298a52434910c436a7f

SHA512
fe51c9722a17d040763c90a221cea739741613c53a26e5f8aa5d2f37d86c49598ee2dd8f8193639b9f65f2f8eeda0a38b9d4520619898e9fcbdb64ec083ad616

Download Submit
C:\Windows\{1EE36A15-F127-4e72-977E-B6743744A584}.exe

Filesize
344KB

MD5
f78ec5458c9290a760018765eb609b3e

SHA1
995fd4a8869f7cba41959a163b86647efdbc2c79

SHA256
60c7f344a6f008ea2ee3acb2d7d65d68a5ad0040233af40a882f982a0cb6458f

SHA512
dedd7d655b649b27e8a30e4b0abf3ddb955222ccc1169d68a1fef7cb27307339449cce265e2a1a78d17518acddb7eafd211b10e419ed6b44037a9954d751c477

Download Submit
C:\Windows\{45124306-6726-49bb-9920-7676623F3C02}.exe

Filesize
344KB

MD5
e514c24b5df0bd402dc43f4f877b25b1

SHA1
004ebf7606109238a8918c7d277a0579c5dc7608

SHA256
370c6a9a2613990db70d4ddd5909d5b3ee512e771c7576c54979404d62796a7b

SHA512
9008e6e3d9eb6af913d02a845e49eb6b5a6f61911b9d103486639a6b23a266516a6e3a61ece054c6493f75a2d331d488545b5d97cdc1cc8e8d08891960f2753d

Download Submit
C:\Windows\{6A77DC26-9316-42f7-96A9-B9E439930175}.exe

Filesize
344KB

MD5
c3b03ee515d80295cacd7ce16c46a9d4

SHA1
775f42aea5b12d417c1628b02113785f517c295b

SHA256
8d47fbb3d95737a75002ee48f176d3466abc3258efa8cd09fbf0c38e639c9a07

SHA512
5ea416879230560893751e7e5fb9048eaa731b401641cb5ef43f87517b12f68c2be18fbea7a2d8a59f8fc6875a3b10c1661bf826dc3024bfcf8c60f04f478568

Download Submit
C:\Windows\{919CA1F9-13A8-4f40-9D22-7B1DCD19CD2A}.exe

Filesize
344KB

MD5
67f37c698380f0ce5c36f28e0aab5ce1

SHA1
e30939a293bc4bd329f550136371d2fc65d133b8

SHA256
0be85ac0d46757ae37ddb4b51203f8fdb81ba7549888ede5b6b89c7dca3e8c3b

SHA512
3c62d244edb1082ff8f4831818e7677e70eb08ec713c064e478b08bca8e737f7cc49ee15e8203347899f93ab8a36a16e4f4b1eedb3b485ca35b88a577b46f147

Download Submit
C:\Windows\{A283733E-B0DF-4005-96E4-9B2BC27CC197}.exe

Filesize
344KB

MD5
d85e8faa36532d6764cbe5b41c00dfad

SHA1
baba6c864d374dd1c058382e8cd1ac53a3fb184b

SHA256
cfb29222b83f8f068d97be9817d926923d516c544e319f4c865ac92edcb1fad1

SHA512
e39a03e47d476a316d69126fbdd9aac2d2648063599fedc1d544f2a45403341eedc2f2f61cbcfc1b8d64073e5227d6903078ebd03e4b8d76c137269af554bcc5

Download Submit
C:\Windows\{C3AF02FC-1B04-4dd3-9957-7D5A32924E51}.exe

Filesize
344KB

MD5
80a3470caddefb71518d20dbc86d46e7

SHA1
8a191bd0a0b7b20da7edffabdf1351414f7a6355

SHA256
69af547a47ad02006bb6c8347daae4a2323f3b599601fc8df867a77113eedb74

SHA512
994470b9ce078905f27dced2c36a058ea668a44f8b827916060b81654e49767e3bc42f5f5d9d5e8b63587e166b23a8bf729e40174c5c26604ad27a197ab63c21

Download Submit
C:\Windows\{D3B29669-CF97-4b59-87C7-7EBEF1694AC6}.exe

Filesize
344KB

MD5
43f24fd8a1d2f50bee6206dabbd281b3

SHA1
b5a08e34f7b1f0b06fdd80d63e01de74ac427caa

SHA256
d087f641ff3934f23332de66f1dde2d3653fc17867f2d224a6c6b27726a31df8

SHA512
9b1f610bc59614b594920a238b6303ab544f5ee5dd74644e5eabb5379a648deed776f6e49d42d311f0b2a7642b254c035df886dfc2e7eaaefb5e0b7c1fb80fb9

Download Submit
C:\Windows\{DCD02FEC-3A73-48b4-8E15-2AD9C3F06BB9}.exe

Filesize
344KB

MD5
7fa5a5a94ea36072506f9c7a18e6fd04

SHA1
a5a3fe1c93798aa445d1eec5b9696e43b1971563

SHA256
db7daf2c80a5d2c8f73b9d2bde138223e863dffe67a893a6bebf9a3a0c42712c

SHA512
b5c7fa2e8aebd2061f0fc9909a96cc2fce309923b35ec6babb8e9c0d0315f01c611c1a64a6628b0c25f5f7a1d9afab1f85cd2d0d793b495b8adfbad9b32e78cc

Download Submit
C:\Windows\{E034985A-1A46-4e43-B918-31BED1B65808}.exe

Filesize
344KB

MD5
d84472cd0171a98a82b09691532c5d81

SHA1
8916d2b17bfd3687f62a0f71a8c8f5e017b3a8d2

SHA256
362d8e8e7ce163ed6fbddbaee21edf19f83d0508692dcf0646ee1f716dbb4c99

SHA512
58ffb1678458f40991d83545d4aaca660f021bdb3cae25e323e64287f5d52c958254efc1ff9091025f02e70a186fbb675cbdfc9649509e9ad8322a4b4a374f3d

Download Submit
C:\Windows\{F2E78DDA-43BA-4d3f-80A9-667FE1B8F024}.exe

Filesize
344KB

MD5
8e1b0d085e3ba43d61172aff7c90328f

SHA1
a35830690aa7d2ac3dba338979bb38a953a1a6fb

SHA256
d7971464bf47d480053f4ba9ed04c7dbf655dcad62caa50493a6a2db4254fa07

SHA512
71486f789165ff2a8da495b0eb736b5f9490146e13a4808f94e7cf6833eff7c8b5555158fea8c6defce92b70d5a6135703dfdf85395d9010ab23659405c90fb9

Download Submit
C:\Windows\{F9E54598-78AC-440d-9251-9CC515FEE6A4}.exe

Filesize
344KB

MD5
de8e6ed15e418236493adcac885cc304

SHA1
2439c4e85b9bad44cb6a12dd0401ada6206cd6b5

SHA256
2b5b4a6e6fb54c9f8e06bc680cfa215abdf3dec96abc69ccd3527039e0a68ad7

SHA512
efdbc140220cdd473b451fe2773df1758aa06f7ca31e77c46125284c13a1bd6e978c0f6fccc257b2a1f634476ca2336d009f034c98887d3551a27e70f4c0160b

Download Submit