fbd7cd5f248fb04d5c19a76726ba7fc57aec5494f142166ed01c28da9e915359

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe
Size

372KB
MD5

cf588db8019232445c572ed0d1c19be6
SHA1

ead705b1b65bd3f86971868226e7cf3eb02380d4
SHA256

fbd7cd5f248fb04d5c19a76726ba7fc57aec5494f142166ed01c28da9e915359
SHA512

0835cdbff8bb272cdeeb47e2fbd7a140283bbcb3097b5870c7659d7aeee291e440d9c87e869faa651b17b4a9eabb308eb814a290355f43e4b7e70b7267c4d241
SSDEEP

3072:CEGh0oumlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG9l/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{D2537946-F930-400d-A252-556D3B8B25BC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3989CF36-4D97-4f5a-8CD3-70716A55C18D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B228C27E-E509-42e1-8385-784601E5F5A2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{D2537946-F930-400d-A252-556D3B8B25BC}.exe{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}.exe{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe{3989CF36-4D97-4f5a-8CD3-70716A55C18D}.exe2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F760E673-8650-4570-B9C5-44D7E1EE7BBD}	{D2537946-F930-400d-A252-556D3B8B25BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7565A884-50FB-4695-AD8A-BFF95073E8BA}\stubpath = "C:\\Windows\\{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe"	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F246D16D-6B59-4643-84D7-A4CA40974B6B}\stubpath = "C:\\Windows\\{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe"	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3989CF36-4D97-4f5a-8CD3-70716A55C18D}	{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F760E673-8650-4570-B9C5-44D7E1EE7BBD}\stubpath = "C:\\Windows\\{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe"	{D2537946-F930-400d-A252-556D3B8B25BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7565A884-50FB-4695-AD8A-BFF95073E8BA}	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D12BA4B-F131-4ed9-9084-42CD892AF73D}	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{506079F7-0600-4685-89DE-BFFC52DE35BE}\stubpath = "C:\\Windows\\{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe"	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F246D16D-6B59-4643-84D7-A4CA40974B6B}	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B228C27E-E509-42e1-8385-784601E5F5A2}	{3989CF36-4D97-4f5a-8CD3-70716A55C18D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B228C27E-E509-42e1-8385-784601E5F5A2}\stubpath = "C:\\Windows\\{B228C27E-E509-42e1-8385-784601E5F5A2}.exe"	{3989CF36-4D97-4f5a-8CD3-70716A55C18D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2537946-F930-400d-A252-556D3B8B25BC}	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D12BA4B-F131-4ed9-9084-42CD892AF73D}\stubpath = "C:\\Windows\\{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe"	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02DB625B-C42D-40a1-9857-4ED51404DD65}	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02DB625B-C42D-40a1-9857-4ED51404DD65}\stubpath = "C:\\Windows\\{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe"	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}	{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}\stubpath = "C:\\Windows\\{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}.exe"	{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2537946-F930-400d-A252-556D3B8B25BC}\stubpath = "C:\\Windows\\{D2537946-F930-400d-A252-556D3B8B25BC}.exe"	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}\stubpath = "C:\\Windows\\{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe"	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{506079F7-0600-4685-89DE-BFFC52DE35BE}	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3989CF36-4D97-4f5a-8CD3-70716A55C18D}\stubpath = "C:\\Windows\\{3989CF36-4D97-4f5a-8CD3-70716A55C18D}.exe"	{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2792 cmd.exe

pid	process
2792	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{D2537946-F930-400d-A252-556D3B8B25BC}.exe{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}.exe{3989CF36-4D97-4f5a-8CD3-70716A55C18D}.exe{B228C27E-E509-42e1-8385-784601E5F5A2}.exe

pid	process
2732	{D2537946-F930-400d-A252-556D3B8B25BC}.exe
2824	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe
2756	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe
2888	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe
796	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe
2172	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe
520	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe
632	{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe
2108	{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}.exe
2992	{3989CF36-4D97-4f5a-8CD3-70716A55C18D}.exe
1504	{B228C27E-E509-42e1-8385-784601E5F5A2}.exe

Drops file in Windows directory 11 IoCs

Processes:

{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe{3989CF36-4D97-4f5a-8CD3-70716A55C18D}.exe{D2537946-F930-400d-A252-556D3B8B25BC}.exe{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}.exe2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe

description	ioc	process
File created	C:\Windows\{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe
File created	C:\Windows\{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe
File created	C:\Windows\{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe
File created	C:\Windows\{B228C27E-E509-42e1-8385-784601E5F5A2}.exe	{3989CF36-4D97-4f5a-8CD3-70716A55C18D}.exe
File created	C:\Windows\{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe	{D2537946-F930-400d-A252-556D3B8B25BC}.exe
File created	C:\Windows\{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe
File created	C:\Windows\{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe
File created	C:\Windows\{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe
File created	C:\Windows\{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}.exe	{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe
File created	C:\Windows\{3989CF36-4D97-4f5a-8CD3-70716A55C18D}.exe	{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}.exe
File created	C:\Windows\{D2537946-F930-400d-A252-556D3B8B25BC}.exe	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe{D2537946-F930-400d-A252-556D3B8B25BC}.exe{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}.exe{3989CF36-4D97-4f5a-8CD3-70716A55C18D}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2412	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2732	{D2537946-F930-400d-A252-556D3B8B25BC}.exe
Token: SeIncBasePriorityPrivilege	2824	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe
Token: SeIncBasePriorityPrivilege	2756	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe
Token: SeIncBasePriorityPrivilege	2888	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe
Token: SeIncBasePriorityPrivilege	796	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe
Token: SeIncBasePriorityPrivilege	2172	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe
Token: SeIncBasePriorityPrivilege	520	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe
Token: SeIncBasePriorityPrivilege	632	{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe
Token: SeIncBasePriorityPrivilege	2108	{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}.exe
Token: SeIncBasePriorityPrivilege	2992	{3989CF36-4D97-4f5a-8CD3-70716A55C18D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2412 wrote to memory of 2732	2412	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe	{D2537946-F930-400d-A252-556D3B8B25BC}.exe
PID 2412 wrote to memory of 2732	2412	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe	{D2537946-F930-400d-A252-556D3B8B25BC}.exe
PID 2412 wrote to memory of 2732	2412	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe	{D2537946-F930-400d-A252-556D3B8B25BC}.exe
PID 2412 wrote to memory of 2732	2412	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe	{D2537946-F930-400d-A252-556D3B8B25BC}.exe
PID 2412 wrote to memory of 2792	2412	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe	cmd.exe
PID 2412 wrote to memory of 2792	2412	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe	cmd.exe
PID 2412 wrote to memory of 2792	2412	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe	cmd.exe
PID 2412 wrote to memory of 2792	2412	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe	cmd.exe
PID 2732 wrote to memory of 2824	2732	{D2537946-F930-400d-A252-556D3B8B25BC}.exe	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe
PID 2732 wrote to memory of 2824	2732	{D2537946-F930-400d-A252-556D3B8B25BC}.exe	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe
PID 2732 wrote to memory of 2824	2732	{D2537946-F930-400d-A252-556D3B8B25BC}.exe	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe
PID 2732 wrote to memory of 2824	2732	{D2537946-F930-400d-A252-556D3B8B25BC}.exe	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe
PID 2732 wrote to memory of 2748	2732	{D2537946-F930-400d-A252-556D3B8B25BC}.exe	cmd.exe
PID 2732 wrote to memory of 2748	2732	{D2537946-F930-400d-A252-556D3B8B25BC}.exe	cmd.exe
PID 2732 wrote to memory of 2748	2732	{D2537946-F930-400d-A252-556D3B8B25BC}.exe	cmd.exe
PID 2732 wrote to memory of 2748	2732	{D2537946-F930-400d-A252-556D3B8B25BC}.exe	cmd.exe
PID 2824 wrote to memory of 2756	2824	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe
PID 2824 wrote to memory of 2756	2824	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe
PID 2824 wrote to memory of 2756	2824	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe
PID 2824 wrote to memory of 2756	2824	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe
PID 2824 wrote to memory of 2584	2824	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe	cmd.exe
PID 2824 wrote to memory of 2584	2824	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe	cmd.exe
PID 2824 wrote to memory of 2584	2824	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe	cmd.exe
PID 2824 wrote to memory of 2584	2824	{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe	cmd.exe
PID 2756 wrote to memory of 2888	2756	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe
PID 2756 wrote to memory of 2888	2756	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe
PID 2756 wrote to memory of 2888	2756	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe
PID 2756 wrote to memory of 2888	2756	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe
PID 2756 wrote to memory of 2676	2756	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe	cmd.exe
PID 2756 wrote to memory of 2676	2756	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe	cmd.exe
PID 2756 wrote to memory of 2676	2756	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe	cmd.exe
PID 2756 wrote to memory of 2676	2756	{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe	cmd.exe
PID 2888 wrote to memory of 796	2888	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe
PID 2888 wrote to memory of 796	2888	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe
PID 2888 wrote to memory of 796	2888	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe
PID 2888 wrote to memory of 796	2888	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe
PID 2888 wrote to memory of 364	2888	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe	cmd.exe
PID 2888 wrote to memory of 364	2888	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe	cmd.exe
PID 2888 wrote to memory of 364	2888	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe	cmd.exe
PID 2888 wrote to memory of 364	2888	{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe	cmd.exe
PID 796 wrote to memory of 2172	796	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe
PID 796 wrote to memory of 2172	796	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe
PID 796 wrote to memory of 2172	796	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe
PID 796 wrote to memory of 2172	796	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe
PID 796 wrote to memory of 2020	796	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe	cmd.exe
PID 796 wrote to memory of 2020	796	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe	cmd.exe
PID 796 wrote to memory of 2020	796	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe	cmd.exe
PID 796 wrote to memory of 2020	796	{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe	cmd.exe
PID 2172 wrote to memory of 520	2172	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe
PID 2172 wrote to memory of 520	2172	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe
PID 2172 wrote to memory of 520	2172	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe
PID 2172 wrote to memory of 520	2172	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe
PID 2172 wrote to memory of 2632	2172	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe	cmd.exe
PID 2172 wrote to memory of 2632	2172	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe	cmd.exe
PID 2172 wrote to memory of 2632	2172	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe	cmd.exe
PID 2172 wrote to memory of 2632	2172	{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe	cmd.exe
PID 520 wrote to memory of 632	520	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe	{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe
PID 520 wrote to memory of 632	520	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe	{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe
PID 520 wrote to memory of 632	520	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe	{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe
PID 520 wrote to memory of 632	520	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe	{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe
PID 520 wrote to memory of 1708	520	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe	cmd.exe
PID 520 wrote to memory of 1708	520	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe	cmd.exe
PID 520 wrote to memory of 1708	520	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe	cmd.exe
PID 520 wrote to memory of 1708	520	{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\{D2537946-F930-400d-A252-556D3B8B25BC}.exe
C:\Windows\{D2537946-F930-400d-A252-556D3B8B25BC}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe
C:\Windows\{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe
C:\Windows\{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe
C:\Windows\{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3D12B~1.EXE > nul
6⤵
PID:364

C:\Windows\{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe
C:\Windows\{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E94F6~1.EXE > nul
7⤵
PID:2020

C:\Windows\{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe
C:\Windows\{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{50607~1.EXE > nul
8⤵
PID:2632

C:\Windows\{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe
C:\Windows\{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe
C:\Windows\{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F246D~1.EXE > nul
10⤵
PID:2396

C:\Windows\{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}.exe
C:\Windows\{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E8136~1.EXE > nul
11⤵
PID:1352

C:\Windows\{3989CF36-4D97-4f5a-8CD3-70716A55C18D}.exe
C:\Windows\{3989CF36-4D97-4f5a-8CD3-70716A55C18D}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\{B228C27E-E509-42e1-8385-784601E5F5A2}.exe
C:\Windows\{B228C27E-E509-42e1-8385-784601E5F5A2}.exe
12⤵
- Executes dropped EXE
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3989C~1.EXE > nul
12⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{02DB6~1.EXE > nul
9⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7565A~1.EXE > nul
5⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F760E~1.EXE > nul
4⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D2537~1.EXE > nul
3⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02DB625B-C42D-40a1-9857-4ED51404DD65}.exe

Filesize
372KB

MD5
5cfa2200a20ed2fe34f7ecb168032e38

SHA1
e94cc39bda896cc1ea7a5241f80f5969ca36fa62

SHA256
22cf8f2aaf154bf622b10b9070e9d824850924827b0e06acc3f2f34130b42289

SHA512
631466fac66b89abc0b80e6e52571e59444c49975a5d8ddabb484cad34c5cb8da0d68a5d461170e6e5d3e00425f2f7adbc68880065ce5849997d1efa8a0278d1

Download Submit
C:\Windows\{3989CF36-4D97-4f5a-8CD3-70716A55C18D}.exe

Filesize
372KB

MD5
1933266b1ffb6d43143d573369ce9b5d

SHA1
9be5944a198e5b5fc13438a0dace8bf6e407d5e5

SHA256
9488922f0110e9e96c9c2f741c414dbd19da79345ceb283baff2150ba3fca17f

SHA512
549cece2e3d381ad4ac5e90e9ab4ca4d39a170db9ebd050f6e142cc3cbd5c9c7967c0569e633b8e6603c8643e5ebaeae078224e9a3b66fddc82a249d2a6ceb6f

Download Submit
C:\Windows\{3D12BA4B-F131-4ed9-9084-42CD892AF73D}.exe

Filesize
372KB

MD5
3249927d3938724315234642e2d5bf93

SHA1
03671cd643133f1afe83df865d3e62a47c9849b9

SHA256
1ecd5192e2e3fe0b3fe58a98037dd1b33f5da9934a1bd7f4884a51ca1dbff01a

SHA512
48f02a27351dc6e27c02f18aced77544bdd23591ef1d43c56d135947c3bc9afaf5c7855fbbbc1758e93b3ca407ded0a0e15197fba8b8baac6936f4b3ac362406

Download Submit
C:\Windows\{506079F7-0600-4685-89DE-BFFC52DE35BE}.exe

Filesize
372KB

MD5
de1c4ee1a3ce3b147762c6ee05a6f2ed

SHA1
8e478d5c1edbec519239b5c7c955abb482feec7b

SHA256
713653fcac12c690c35a36d58a72b50cf1b89c988b47e1c7317927aff5f097ab

SHA512
66734196c97398773234a8076a57328a63358a0a473f35e9b7aa289dfaa6acdcd8b14b2508e70c27c286e3e0fcc83e803a7c2323fac00d3e4c8b4b519bf8f9ac

Download Submit
C:\Windows\{7565A884-50FB-4695-AD8A-BFF95073E8BA}.exe

Filesize
372KB

MD5
32742a7127d8bcdfce1a98d1042801a1

SHA1
788f2afca29934b934828d458998de8ae579bc43

SHA256
d6eabb8a86a3e7cd227105863ca102101fdba2f9b32bd7cecf16c90565dc994a

SHA512
d2d8cc0567ddd966de666e50db5a9d3f5c5e3cb66361505ec4d15c85cfe02528ab927ab20985e0b087b3f53ee2e786588ea640ee8608ecbde1e336ec4ed234ed

Download Submit
C:\Windows\{B228C27E-E509-42e1-8385-784601E5F5A2}.exe

Filesize
372KB

MD5
1d24929ee285c068f752cb39d4d95daf

SHA1
8588a2fecf20bc4e69595124562ddf79cd60e849

SHA256
14d134897c16d80ca6a8d57948fa2d911de5c8e0caa831e204a71d68acc6d3cb

SHA512
271ecb8d036a73c939cdd5106baf46bcd23929f4f860a7178d9be498b38127ad6ce7709d95eb5894df2b2b7a0bc42f3bcbcf7106a9155278eb49f144c892d308

Download Submit
C:\Windows\{D2537946-F930-400d-A252-556D3B8B25BC}.exe

Filesize
372KB

MD5
86492e19706dcda02da3cc504e3ed04d

SHA1
85538e7e8371f6e44a8159fe8b8b44c9c8b4e833

SHA256
b1e0c339dbff830a80b398f430fecfa2cbb21d32f8eca1073335ad689bc649cc

SHA512
c00f4d89dca4c9febd2d18203d7bc61231f841387e8a03db6c1672213c50d0760522e6f1d847d05d9750bcaa5f172425fded22252d053f692c1bfd71d8960140

Download Submit
C:\Windows\{E8136917-38FA-4c7e-A42A-D26AC0B9CF01}.exe

Filesize
372KB

MD5
40bbe1ed4838e772f2f708140c9584f6

SHA1
b1c282487774d96dbe2118ebb9643df7f8ddff05

SHA256
e1c351895f940f83aa74ab443384e3d7a8c848a0041d11c7e25c963287eb09f6

SHA512
2bf64333bcfe04f6f8875091258769083f404cb0c0e24d9385d0a5e68bd04b1a5d939cdb563ea3ce6fd4c2d6f2d8976a6b93c5e7497c3ed85201ed44d489f21a

Download Submit
C:\Windows\{E94F6C91-4B22-4386-A3E1-74D3AB1F9EF9}.exe

Filesize
372KB

MD5
5f96cb28105ea4f9b86d686fa61b027e

SHA1
5f1a585fff8893805024abe4398b38ecc0edd001

SHA256
6374b963d557a43fdcfde3df50069ce835e114e12c08969f9166be7df33c0da9

SHA512
39779c679012c8316cde08412e4f1fbf03f46d0c6c9e02d411c056977c2e189b2104614b43fd4b26ab10f971b5e59f433b9e9bcb42f65a0f80267169c6d78b6e

Download Submit
C:\Windows\{F246D16D-6B59-4643-84D7-A4CA40974B6B}.exe

Filesize
372KB

MD5
ef8e213aad2b2c1f2650d0e27b18b8da

SHA1
b96bb8cbc944c105ca4a7e8784e06c7ea8441b6c

SHA256
51012b611986dc976c59db211583d52c0f113abb7b929c7b25b986d2549de17a

SHA512
cbc53858de4d937ceb7e1370809f30079582b87b0229599193ffda04146435a5f2b6529995fa1d82a4e7b8400f8d10d508cb47ebe0434a8cdf556af257b4e9ab

Download Submit
C:\Windows\{F760E673-8650-4570-B9C5-44D7E1EE7BBD}.exe

Filesize
372KB

MD5
f6aebca6df7c71ea4de8d127fbc851af

SHA1
b9143493fb9570f834e7a4815f0f71dba18d9293

SHA256
c31ab51b1f7df2f4b0dffaa984a92b6910ffe3bdadaf3c586fbed72fbfbc7af3

SHA512
3bad18d210b7bc1457cc5949cc3a0cc3328c32f48441f62181f7518ab5ef094103d3c053172b683f21d49cc30f15c1fc7feb6a34ba9557205e2c4fc9110f8b2c

Download Submit