8f461d836a5540a2c43018397ccea692206512053f77ca03ea6daf48484210e7

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe
Size

372KB
MD5

ce09de74a24ae5891ffdaf2b69c0b5d1
SHA1

dba92e1d8f7c659907c6bfa5626dc7c07be54a36
SHA256

8f461d836a5540a2c43018397ccea692206512053f77ca03ea6daf48484210e7
SHA512

829308d90942e0c266f0894f92eaf609d99c73c4c498bd6d675bf530e6e1e015dc4f70c66c3542059802a5af2fa2d401ab0d4925766cd541afe1578745125d5f
SSDEEP

3072:CEGh0oXlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG9lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{AD16725A-522C-433e-A73D-56FE36552AF0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0508D169-BE44-4097-AE3D-6D6469330088}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4ED47729-FCE2-44cf-8971-7B883357F29B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0430D383-2D39-45f4-803D-C7DC25DACD97}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BEA03692-AF7B-4752-B1A3-68114BD968E3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe{0508D169-BE44-4097-AE3D-6D6469330088}.exe2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe{4ED47729-FCE2-44cf-8971-7B883357F29B}.exe{AD16725A-522C-433e-A73D-56FE36552AF0}.exe{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe{0430D383-2D39-45f4-803D-C7DC25DACD97}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0508D169-BE44-4097-AE3D-6D6469330088}	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ED47729-FCE2-44cf-8971-7B883357F29B}\stubpath = "C:\\Windows\\{4ED47729-FCE2-44cf-8971-7B883357F29B}.exe"	{0508D169-BE44-4097-AE3D-6D6469330088}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD16725A-522C-433e-A73D-56FE36552AF0}	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A315B770-2622-4b9f-B98F-129CD28BC94C}	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}\stubpath = "C:\\Windows\\{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe"	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CFF3EAB-CB6A-45da-977C-296E4CE32940}	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CFF3EAB-CB6A-45da-977C-296E4CE32940}\stubpath = "C:\\Windows\\{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe"	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}\stubpath = "C:\\Windows\\{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe"	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0508D169-BE44-4097-AE3D-6D6469330088}\stubpath = "C:\\Windows\\{0508D169-BE44-4097-AE3D-6D6469330088}.exe"	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0430D383-2D39-45f4-803D-C7DC25DACD97}	{4ED47729-FCE2-44cf-8971-7B883357F29B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD16725A-522C-433e-A73D-56FE36552AF0}\stubpath = "C:\\Windows\\{AD16725A-522C-433e-A73D-56FE36552AF0}.exe"	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ED47729-FCE2-44cf-8971-7B883357F29B}	{0508D169-BE44-4097-AE3D-6D6469330088}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0430D383-2D39-45f4-803D-C7DC25DACD97}\stubpath = "C:\\Windows\\{0430D383-2D39-45f4-803D-C7DC25DACD97}.exe"	{4ED47729-FCE2-44cf-8971-7B883357F29B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}\stubpath = "C:\\Windows\\{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe"	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEA03692-AF7B-4752-B1A3-68114BD968E3}	{0430D383-2D39-45f4-803D-C7DC25DACD97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEA03692-AF7B-4752-B1A3-68114BD968E3}\stubpath = "C:\\Windows\\{BEA03692-AF7B-4752-B1A3-68114BD968E3}.exe"	{0430D383-2D39-45f4-803D-C7DC25DACD97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}\stubpath = "C:\\Windows\\{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe"	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A315B770-2622-4b9f-B98F-129CD28BC94C}\stubpath = "C:\\Windows\\{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe"	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1640 cmd.exe

pid	process
1640	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{AD16725A-522C-433e-A73D-56FE36552AF0}.exe{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe{0508D169-BE44-4097-AE3D-6D6469330088}.exe{4ED47729-FCE2-44cf-8971-7B883357F29B}.exe{0430D383-2D39-45f4-803D-C7DC25DACD97}.exe{BEA03692-AF7B-4752-B1A3-68114BD968E3}.exe

pid	process
2988	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe
2644	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe
2596	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe
2540	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe
320	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe
1900	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe
1948	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe
2256	{0508D169-BE44-4097-AE3D-6D6469330088}.exe
2020	{4ED47729-FCE2-44cf-8971-7B883357F29B}.exe
2136	{0430D383-2D39-45f4-803D-C7DC25DACD97}.exe
1440	{BEA03692-AF7B-4752-B1A3-68114BD968E3}.exe

Drops file in Windows directory 11 IoCs

Processes:

2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe{AD16725A-522C-433e-A73D-56FE36552AF0}.exe{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe{0508D169-BE44-4097-AE3D-6D6469330088}.exe{4ED47729-FCE2-44cf-8971-7B883357F29B}.exe{0430D383-2D39-45f4-803D-C7DC25DACD97}.exe{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe

description	ioc	process
File created	C:\Windows\{AD16725A-522C-433e-A73D-56FE36552AF0}.exe	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe
File created	C:\Windows\{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe
File created	C:\Windows\{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe
File created	C:\Windows\{4ED47729-FCE2-44cf-8971-7B883357F29B}.exe	{0508D169-BE44-4097-AE3D-6D6469330088}.exe
File created	C:\Windows\{0430D383-2D39-45f4-803D-C7DC25DACD97}.exe	{4ED47729-FCE2-44cf-8971-7B883357F29B}.exe
File created	C:\Windows\{BEA03692-AF7B-4752-B1A3-68114BD968E3}.exe	{0430D383-2D39-45f4-803D-C7DC25DACD97}.exe
File created	C:\Windows\{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe
File created	C:\Windows\{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe
File created	C:\Windows\{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe
File created	C:\Windows\{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe
File created	C:\Windows\{0508D169-BE44-4097-AE3D-6D6469330088}.exe	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe{AD16725A-522C-433e-A73D-56FE36552AF0}.exe{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe{0508D169-BE44-4097-AE3D-6D6469330088}.exe{4ED47729-FCE2-44cf-8971-7B883357F29B}.exe{0430D383-2D39-45f4-803D-C7DC25DACD97}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2220	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2988	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe
Token: SeIncBasePriorityPrivilege	2644	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe
Token: SeIncBasePriorityPrivilege	2596	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe
Token: SeIncBasePriorityPrivilege	2540	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe
Token: SeIncBasePriorityPrivilege	320	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe
Token: SeIncBasePriorityPrivilege	1900	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe
Token: SeIncBasePriorityPrivilege	1948	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe
Token: SeIncBasePriorityPrivilege	2256	{0508D169-BE44-4097-AE3D-6D6469330088}.exe
Token: SeIncBasePriorityPrivilege	2020	{4ED47729-FCE2-44cf-8971-7B883357F29B}.exe
Token: SeIncBasePriorityPrivilege	2136	{0430D383-2D39-45f4-803D-C7DC25DACD97}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2220 wrote to memory of 2988	2220	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe
PID 2220 wrote to memory of 2988	2220	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe
PID 2220 wrote to memory of 2988	2220	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe
PID 2220 wrote to memory of 2988	2220	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe
PID 2220 wrote to memory of 1640	2220	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe	cmd.exe
PID 2220 wrote to memory of 1640	2220	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe	cmd.exe
PID 2220 wrote to memory of 1640	2220	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe	cmd.exe
PID 2220 wrote to memory of 1640	2220	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe	cmd.exe
PID 2988 wrote to memory of 2644	2988	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe
PID 2988 wrote to memory of 2644	2988	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe
PID 2988 wrote to memory of 2644	2988	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe
PID 2988 wrote to memory of 2644	2988	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe
PID 2988 wrote to memory of 2692	2988	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe	cmd.exe
PID 2988 wrote to memory of 2692	2988	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe	cmd.exe
PID 2988 wrote to memory of 2692	2988	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe	cmd.exe
PID 2988 wrote to memory of 2692	2988	{AD16725A-522C-433e-A73D-56FE36552AF0}.exe	cmd.exe
PID 2644 wrote to memory of 2596	2644	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe
PID 2644 wrote to memory of 2596	2644	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe
PID 2644 wrote to memory of 2596	2644	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe
PID 2644 wrote to memory of 2596	2644	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe
PID 2644 wrote to memory of 2836	2644	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe	cmd.exe
PID 2644 wrote to memory of 2836	2644	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe	cmd.exe
PID 2644 wrote to memory of 2836	2644	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe	cmd.exe
PID 2644 wrote to memory of 2836	2644	{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe	cmd.exe
PID 2596 wrote to memory of 2540	2596	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe
PID 2596 wrote to memory of 2540	2596	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe
PID 2596 wrote to memory of 2540	2596	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe
PID 2596 wrote to memory of 2540	2596	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe
PID 2596 wrote to memory of 2772	2596	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe	cmd.exe
PID 2596 wrote to memory of 2772	2596	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe	cmd.exe
PID 2596 wrote to memory of 2772	2596	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe	cmd.exe
PID 2596 wrote to memory of 2772	2596	{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe	cmd.exe
PID 2540 wrote to memory of 320	2540	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe
PID 2540 wrote to memory of 320	2540	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe
PID 2540 wrote to memory of 320	2540	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe
PID 2540 wrote to memory of 320	2540	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe
PID 2540 wrote to memory of 1276	2540	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe	cmd.exe
PID 2540 wrote to memory of 1276	2540	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe	cmd.exe
PID 2540 wrote to memory of 1276	2540	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe	cmd.exe
PID 2540 wrote to memory of 1276	2540	{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe	cmd.exe
PID 320 wrote to memory of 1900	320	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe
PID 320 wrote to memory of 1900	320	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe
PID 320 wrote to memory of 1900	320	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe
PID 320 wrote to memory of 1900	320	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe
PID 320 wrote to memory of 1548	320	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe	cmd.exe
PID 320 wrote to memory of 1548	320	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe	cmd.exe
PID 320 wrote to memory of 1548	320	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe	cmd.exe
PID 320 wrote to memory of 1548	320	{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe	cmd.exe
PID 1900 wrote to memory of 1948	1900	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe
PID 1900 wrote to memory of 1948	1900	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe
PID 1900 wrote to memory of 1948	1900	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe
PID 1900 wrote to memory of 1948	1900	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe
PID 1900 wrote to memory of 1628	1900	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe	cmd.exe
PID 1900 wrote to memory of 1628	1900	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe	cmd.exe
PID 1900 wrote to memory of 1628	1900	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe	cmd.exe
PID 1900 wrote to memory of 1628	1900	{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe	cmd.exe
PID 1948 wrote to memory of 2256	1948	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe	{0508D169-BE44-4097-AE3D-6D6469330088}.exe
PID 1948 wrote to memory of 2256	1948	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe	{0508D169-BE44-4097-AE3D-6D6469330088}.exe
PID 1948 wrote to memory of 2256	1948	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe	{0508D169-BE44-4097-AE3D-6D6469330088}.exe
PID 1948 wrote to memory of 2256	1948	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe	{0508D169-BE44-4097-AE3D-6D6469330088}.exe
PID 1948 wrote to memory of 1360	1948	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe	cmd.exe
PID 1948 wrote to memory of 1360	1948	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe	cmd.exe
PID 1948 wrote to memory of 1360	1948	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe	cmd.exe
PID 1948 wrote to memory of 1360	1948	{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\{AD16725A-522C-433e-A73D-56FE36552AF0}.exe
C:\Windows\{AD16725A-522C-433e-A73D-56FE36552AF0}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe
C:\Windows\{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{34134~1.EXE > nul
4⤵
PID:2836

C:\Windows\{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe
C:\Windows\{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe
C:\Windows\{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe
C:\Windows\{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe
C:\Windows\{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe
C:\Windows\{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3B2FA~1.EXE > nul
9⤵
PID:1360

C:\Windows\{0508D169-BE44-4097-AE3D-6D6469330088}.exe
C:\Windows\{0508D169-BE44-4097-AE3D-6D6469330088}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0508D~1.EXE > nul
10⤵
PID:1136

C:\Windows\{4ED47729-FCE2-44cf-8971-7B883357F29B}.exe
C:\Windows\{4ED47729-FCE2-44cf-8971-7B883357F29B}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4ED47~1.EXE > nul
11⤵
PID:596

C:\Windows\{0430D383-2D39-45f4-803D-C7DC25DACD97}.exe
C:\Windows\{0430D383-2D39-45f4-803D-C7DC25DACD97}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0430D~1.EXE > nul
12⤵
PID:1248

C:\Windows\{BEA03692-AF7B-4752-B1A3-68114BD968E3}.exe
C:\Windows\{BEA03692-AF7B-4752-B1A3-68114BD968E3}.exe
12⤵
- Executes dropped EXE
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BE4DD~1.EXE > nul
8⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3CFF3~1.EXE > nul
7⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C5FB7~1.EXE > nul
6⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A315B~1.EXE > nul
5⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AD167~1.EXE > nul
3⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0430D383-2D39-45f4-803D-C7DC25DACD97}.exe

Filesize
372KB

MD5
f146d81edf9a34b7365b78e5b24ca7f9

SHA1
f250e354a21943ecd01a3de9539bb6f1b12896e1

SHA256
d6b86f1c3243b4f126ef0bc4b9a579055a5cd59543f7dd9186d951480f126f8f

SHA512
ed1c234d66c1002c3f84ab2ee9d4eab1155f19aa2d59d19dcc90b5afe4f74e7148b8af174d03d1f776b2e766bcc43f75e8ec229fdbb5b4c4482636e401f0405a

Download Submit
C:\Windows\{0508D169-BE44-4097-AE3D-6D6469330088}.exe

Filesize
372KB

MD5
aa03e59c16baf16411f18a6656852ef5

SHA1
f02ad5e41967e994949260a28c08fc23dbdd22c2

SHA256
8e352c4a7f83c57232433c22cb0f7c2e454ed005ca4c60cbd20c9beb5b329215

SHA512
60fea55df28b23840884bd0e1cea9c6874720ec95ce1b0d31e227ccbb7d1ef717b32505625c5ce8cca6c0c234929e9275c8419cbc28adfa3864381744c7772a8

Download Submit
C:\Windows\{34134B4B-E4D8-4fd5-97E7-CEB7D7B91F54}.exe

Filesize
372KB

MD5
a68fd167193263577aab9888b56a69bd

SHA1
69a8a1f904136f569a85607686d13b95bf3bfcfe

SHA256
972294a5a20b8e59da04945d4edd8d01acfa49a6bc7fd779139084d0c5b8392c

SHA512
7538bec2373587865ea929d48b18d0624041d47b74f71a465ba056674caad8d37e13e4f9528e421c01c4c7e5c4f63df0997530bad199ca3234351b95a28513cc

Download Submit
C:\Windows\{3B2FA5FF-8622-4985-94C9-B7FDB05FE90D}.exe

Filesize
372KB

MD5
3075849ea1b05b37e48b0d74287d12f5

SHA1
57b676b39e29cf7958257f431027b81556a8a78e

SHA256
eeff2a50f54d922f0130f6fc9ac6790a194ff6ff42f585cd3dc511b099226894

SHA512
288586943d19de732ad6c195b58f1a81ab6f6e5b3245b04e5639ca14edeafda28dc94d8362889f828e20acea5ac5f87bf5a0d356401ba0089a0e6f07e11836c2

Download Submit
C:\Windows\{3CFF3EAB-CB6A-45da-977C-296E4CE32940}.exe

Filesize
372KB

MD5
0d7ebb1a20af727dc2b2782bc41da136

SHA1
03884c7f8082481b3d78cefed4dbaefd49377d82

SHA256
3401dfbab46926c8e088e691ff825a27a2105eb3128499e1b71938060b48c3e3

SHA512
4c85f317cccbe5098977b17ade1b06ae0af548dff8a3b7c0dbcc807ff290576b04d68a509e96314db9f1370b9e81d45477cdcb736c1943fa8998cc9dcb431293

Download Submit
C:\Windows\{4ED47729-FCE2-44cf-8971-7B883357F29B}.exe

Filesize
372KB

MD5
16e6eb8fc2ff1addc7c85b87ffbe5ab0

SHA1
dc9c45fdca9e43b23a1284dc614a061f0dcbe7a2

SHA256
4656b026eccb49834fb752378c6385d82f56e588e65781d3085614d0470aea2e

SHA512
e390e5c744258550dd32874768dfd185445a2c4329385b4fd8611c78353dfada4585a27216bc1223d3d1c5c81e7ccc004e1e74cd49f5db10685b3741d579b771

Download Submit
C:\Windows\{A315B770-2622-4b9f-B98F-129CD28BC94C}.exe

Filesize
372KB

MD5
140efcb2f37740197e0f85ff3f089bba

SHA1
9547caace29429f36367ba5b640b56d6d7d89413

SHA256
601f612c48e51332363eda2188f5e2679919d2c7fce9c689b126a370a6d65f4f

SHA512
cd5a4290009b260878923157b7385c65425fd277c3c19862e355156dcf3983564a5431153c9993e5daa6421bee632d91ca54a0bc1e74d0ca23d9c9d245d6ac11

Download Submit
C:\Windows\{AD16725A-522C-433e-A73D-56FE36552AF0}.exe

Filesize
372KB

MD5
d3dbb409e3d4b9b62ef5168ae14e77e5

SHA1
adae990bd4971bcb47f5dac4cdf540b0f526c75e

SHA256
b1e51228fd01976cd09a07b661bab8bb6438a6ca2158d8b13210821081e2662b

SHA512
31ab53840e06a63beb3404082683871c88aa7a999f839c21f3fe272df67ef6ec35d79f643eec15575163c0c43196cec8fcefb5fc021c6a8866ab38447b9826bf

Download Submit
C:\Windows\{BE4DD1B1-907B-40ec-8AC7-7A0DDDE39B6E}.exe

Filesize
372KB

MD5
564d1ebe408bd2717db2a8297eb51b3b

SHA1
f64ca5233ab420d12f31ef3186852b2fa3962706

SHA256
0544777c533c0c71237dab9288d2f8ef2c0716fb28192fabab30ace266594359

SHA512
e38993ffc57fd9d9f4963991a476ebda88cd01338dda0a012ac5ff208d080f0b9eac5d4e3b5fa3b2bb78147a3c938f0c56d1ff6b173ea105b12dbfd88b4389a2

Download Submit
C:\Windows\{BEA03692-AF7B-4752-B1A3-68114BD968E3}.exe

Filesize
372KB

MD5
1db91b5c1b8ec81a232980a1336dd99b

SHA1
209c9146b50fcd4eaaeb0ae36f28ffea0f7e9861

SHA256
1bb06eb5633701bf015c2b69f9668dbc74cf412fe36c92fbba66dc828db21f1f

SHA512
dd5644e6d21223971dffbb1d0b3b22fc6a0312b57eb506f34ec543501eed068177cba60694fbfe9a9e5697870dc9522f559d9c523f3812c1f950be0b3718a308

Download Submit
C:\Windows\{C5FB7D97-C3EC-446f-A603-8E9685DBBCC6}.exe

Filesize
372KB

MD5
ec834b013d523cc07b2ad15873f94b90

SHA1
bb9cbd0b5bd019dc5d67bfc743ec109a1cdf8a43

SHA256
c8dc125573017a1cedb1887837875eb1b6329bf3722ea256d3260a5ff9ffae3d

SHA512
7e25d88037e677e1ca5c1af345abaf90c41772a01f4aacfe1f4aed47416cfbd3815e73ee04f1ee58856b3cd60eb322e64401045a41b59793bb2b9c20d3b1bef6

Download Submit