737c52f77a454826ab42a01e322da0f40205d617591c02430105d3b853c7029c

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe
Size

344KB
MD5

d27ddf85b9f56d364385a1e304375ae5
SHA1

94515ff981f9353992b6c44faef80fc6faac5af8
SHA256

737c52f77a454826ab42a01e322da0f40205d617591c02430105d3b853c7029c
SHA512

53c1107f64162e32690c0308a7796606d56d8ce331fb5c86c5b6aa3840ee41dfc17662823c8eb505f8ef3a5704546da9c6a7abe20c7dfa3df087092568ece61a
SSDEEP

3072:mEGh0o4lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG+lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{37634CF2-925A-467f-A699-3CDE4463C73B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FD8400DC-573B-487f-AFBC-0309793B5506}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DD86D26A-73F2-47e3-9F85-DA86555D5573}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F16D797F-E4F0-429a-9E80-AB52A203F829}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{FD8400DC-573B-487f-AFBC-0309793B5506}.exe{DD86D26A-73F2-47e3-9F85-DA86555D5573}.exe{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe{37634CF2-925A-467f-A699-3CDE4463C73B}.exe{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD86D26A-73F2-47e3-9F85-DA86555D5573}\stubpath = "C:\\Windows\\{DD86D26A-73F2-47e3-9F85-DA86555D5573}.exe"	{FD8400DC-573B-487f-AFBC-0309793B5506}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F16D797F-E4F0-429a-9E80-AB52A203F829}	{DD86D26A-73F2-47e3-9F85-DA86555D5573}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37634CF2-925A-467f-A699-3CDE4463C73B}\stubpath = "C:\\Windows\\{37634CF2-925A-467f-A699-3CDE4463C73B}.exe"	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{623FAC94-D511-449f-A0E0-6358642CF8C5}\stubpath = "C:\\Windows\\{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe"	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{623FAC94-D511-449f-A0E0-6358642CF8C5}	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8976C64A-6780-4973-97D5-9D8E7AC007A8}\stubpath = "C:\\Windows\\{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe"	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F16D797F-E4F0-429a-9E80-AB52A203F829}\stubpath = "C:\\Windows\\{F16D797F-E4F0-429a-9E80-AB52A203F829}.exe"	{DD86D26A-73F2-47e3-9F85-DA86555D5573}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}\stubpath = "C:\\Windows\\{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe"	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37634CF2-925A-467f-A699-3CDE4463C73B}	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}\stubpath = "C:\\Windows\\{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe"	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8976C64A-6780-4973-97D5-9D8E7AC007A8}	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD8400DC-573B-487f-AFBC-0309793B5506}	{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD8400DC-573B-487f-AFBC-0309793B5506}\stubpath = "C:\\Windows\\{FD8400DC-573B-487f-AFBC-0309793B5506}.exe"	{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD86D26A-73F2-47e3-9F85-DA86555D5573}	{FD8400DC-573B-487f-AFBC-0309793B5506}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F772756-075D-4be2-B3D5-63C8A20B8DAA}	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}\stubpath = "C:\\Windows\\{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe"	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}\stubpath = "C:\\Windows\\{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe"	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F772756-075D-4be2-B3D5-63C8A20B8DAA}\stubpath = "C:\\Windows\\{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe"	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1612 cmd.exe

pid	process
1612	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe{37634CF2-925A-467f-A699-3CDE4463C73B}.exe{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe{FD8400DC-573B-487f-AFBC-0309793B5506}.exe{DD86D26A-73F2-47e3-9F85-DA86555D5573}.exe{F16D797F-E4F0-429a-9E80-AB52A203F829}.exe

pid	process
3060	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe
2756	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe
2620	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe
2224	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe
2664	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe
1080	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe
292	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe
2508	{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe
1308	{FD8400DC-573B-487f-AFBC-0309793B5506}.exe
2328	{DD86D26A-73F2-47e3-9F85-DA86555D5573}.exe
2956	{F16D797F-E4F0-429a-9E80-AB52A203F829}.exe

Drops file in Windows directory 11 IoCs

Processes:

{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe{DD86D26A-73F2-47e3-9F85-DA86555D5573}.exe{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe{37634CF2-925A-467f-A699-3CDE4463C73B}.exe{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe{FD8400DC-573B-487f-AFBC-0309793B5506}.exe2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe

description	ioc	process
File created	C:\Windows\{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe
File created	C:\Windows\{F16D797F-E4F0-429a-9E80-AB52A203F829}.exe	{DD86D26A-73F2-47e3-9F85-DA86555D5573}.exe
File created	C:\Windows\{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe
File created	C:\Windows\{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe
File created	C:\Windows\{37634CF2-925A-467f-A699-3CDE4463C73B}.exe	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe
File created	C:\Windows\{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe
File created	C:\Windows\{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe
File created	C:\Windows\{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe
File created	C:\Windows\{FD8400DC-573B-487f-AFBC-0309793B5506}.exe	{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe
File created	C:\Windows\{DD86D26A-73F2-47e3-9F85-DA86555D5573}.exe	{FD8400DC-573B-487f-AFBC-0309793B5506}.exe
File created	C:\Windows\{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe{37634CF2-925A-467f-A699-3CDE4463C73B}.exe{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe{FD8400DC-573B-487f-AFBC-0309793B5506}.exe{DD86D26A-73F2-47e3-9F85-DA86555D5573}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2568	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3060	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe
Token: SeIncBasePriorityPrivilege	2756	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe
Token: SeIncBasePriorityPrivilege	2620	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe
Token: SeIncBasePriorityPrivilege	2224	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe
Token: SeIncBasePriorityPrivilege	2664	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe
Token: SeIncBasePriorityPrivilege	1080	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe
Token: SeIncBasePriorityPrivilege	292	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe
Token: SeIncBasePriorityPrivilege	2508	{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe
Token: SeIncBasePriorityPrivilege	1308	{FD8400DC-573B-487f-AFBC-0309793B5506}.exe
Token: SeIncBasePriorityPrivilege	2328	{DD86D26A-73F2-47e3-9F85-DA86555D5573}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2568 wrote to memory of 3060	2568	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe
PID 2568 wrote to memory of 3060	2568	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe
PID 2568 wrote to memory of 3060	2568	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe
PID 2568 wrote to memory of 3060	2568	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe
PID 2568 wrote to memory of 1612	2568	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe	cmd.exe
PID 2568 wrote to memory of 1612	2568	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe	cmd.exe
PID 2568 wrote to memory of 1612	2568	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe	cmd.exe
PID 2568 wrote to memory of 1612	2568	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe	cmd.exe
PID 3060 wrote to memory of 2756	3060	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe
PID 3060 wrote to memory of 2756	3060	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe
PID 3060 wrote to memory of 2756	3060	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe
PID 3060 wrote to memory of 2756	3060	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe
PID 3060 wrote to memory of 2464	3060	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe	cmd.exe
PID 3060 wrote to memory of 2464	3060	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe	cmd.exe
PID 3060 wrote to memory of 2464	3060	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe	cmd.exe
PID 3060 wrote to memory of 2464	3060	{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe	cmd.exe
PID 2756 wrote to memory of 2620	2756	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe
PID 2756 wrote to memory of 2620	2756	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe
PID 2756 wrote to memory of 2620	2756	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe
PID 2756 wrote to memory of 2620	2756	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe
PID 2756 wrote to memory of 2676	2756	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe	cmd.exe
PID 2756 wrote to memory of 2676	2756	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe	cmd.exe
PID 2756 wrote to memory of 2676	2756	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe	cmd.exe
PID 2756 wrote to memory of 2676	2756	{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe	cmd.exe
PID 2620 wrote to memory of 2224	2620	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe
PID 2620 wrote to memory of 2224	2620	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe
PID 2620 wrote to memory of 2224	2620	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe
PID 2620 wrote to memory of 2224	2620	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe
PID 2620 wrote to memory of 1664	2620	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe	cmd.exe
PID 2620 wrote to memory of 1664	2620	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe	cmd.exe
PID 2620 wrote to memory of 1664	2620	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe	cmd.exe
PID 2620 wrote to memory of 1664	2620	{37634CF2-925A-467f-A699-3CDE4463C73B}.exe	cmd.exe
PID 2224 wrote to memory of 2664	2224	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe
PID 2224 wrote to memory of 2664	2224	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe
PID 2224 wrote to memory of 2664	2224	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe
PID 2224 wrote to memory of 2664	2224	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe
PID 2224 wrote to memory of 2888	2224	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe	cmd.exe
PID 2224 wrote to memory of 2888	2224	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe	cmd.exe
PID 2224 wrote to memory of 2888	2224	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe	cmd.exe
PID 2224 wrote to memory of 2888	2224	{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe	cmd.exe
PID 2664 wrote to memory of 1080	2664	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe
PID 2664 wrote to memory of 1080	2664	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe
PID 2664 wrote to memory of 1080	2664	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe
PID 2664 wrote to memory of 1080	2664	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe
PID 2664 wrote to memory of 1920	2664	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe	cmd.exe
PID 2664 wrote to memory of 1920	2664	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe	cmd.exe
PID 2664 wrote to memory of 1920	2664	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe	cmd.exe
PID 2664 wrote to memory of 1920	2664	{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe	cmd.exe
PID 1080 wrote to memory of 292	1080	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe
PID 1080 wrote to memory of 292	1080	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe
PID 1080 wrote to memory of 292	1080	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe
PID 1080 wrote to memory of 292	1080	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe
PID 1080 wrote to memory of 2528	1080	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe	cmd.exe
PID 1080 wrote to memory of 2528	1080	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe	cmd.exe
PID 1080 wrote to memory of 2528	1080	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe	cmd.exe
PID 1080 wrote to memory of 2528	1080	{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe	cmd.exe
PID 292 wrote to memory of 2508	292	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe	{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe
PID 292 wrote to memory of 2508	292	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe	{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe
PID 292 wrote to memory of 2508	292	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe	{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe
PID 292 wrote to memory of 2508	292	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe	{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe
PID 292 wrote to memory of 1620	292	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe	cmd.exe
PID 292 wrote to memory of 1620	292	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe	cmd.exe
PID 292 wrote to memory of 1620	292	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe	cmd.exe
PID 292 wrote to memory of 1620	292	{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe
C:\Windows\{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe
C:\Windows\{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6F772~1.EXE > nul
4⤵
PID:2676

C:\Windows\{37634CF2-925A-467f-A699-3CDE4463C73B}.exe
C:\Windows\{37634CF2-925A-467f-A699-3CDE4463C73B}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{37634~1.EXE > nul
5⤵
PID:1664

C:\Windows\{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe
C:\Windows\{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe
C:\Windows\{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe
C:\Windows\{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe
C:\Windows\{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe
C:\Windows\{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\{FD8400DC-573B-487f-AFBC-0309793B5506}.exe
C:\Windows\{FD8400DC-573B-487f-AFBC-0309793B5506}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\{DD86D26A-73F2-47e3-9F85-DA86555D5573}.exe
C:\Windows\{DD86D26A-73F2-47e3-9F85-DA86555D5573}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\{F16D797F-E4F0-429a-9E80-AB52A203F829}.exe
C:\Windows\{F16D797F-E4F0-429a-9E80-AB52A203F829}.exe
12⤵
- Executes dropped EXE
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DD86D~1.EXE > nul
12⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FD840~1.EXE > nul
11⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8364C~1.EXE > nul
10⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E44EC~1.EXE > nul
9⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8976C~1.EXE > nul
8⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{623FA~1.EXE > nul
7⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{33878~1.EXE > nul
6⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{62173~1.EXE > nul
3⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{33878EE1-CC8A-49cb-9D4A-7C6B032A7926}.exe

Filesize
344KB

MD5
055e1c4aa1d61c4c064fa39e007de6b2

SHA1
0c3a1e4e32d8702831c777d93b44bf36dba07de2

SHA256
0993f07dfdb14a479380c6440ef4af58fa32ac41c9af7e2aae47c0daf2d9db3c

SHA512
b7785cb16f7476d7b185d477a87f80a8f78417968f48120465678e0651fb2232ea0fd6783f8d5c73a4e106e9998f86608b49b2e47ef5dc9263fff8bc55da5c2e

Download Submit
C:\Windows\{37634CF2-925A-467f-A699-3CDE4463C73B}.exe

Filesize
344KB

MD5
0ef89dc6a163b0dcb7709db5f484b3f5

SHA1
c5dcc209e3c2135c492dde9f62ffe9d2331df1bd

SHA256
cdbd158c7f9d85268f090dc325793f0bc1c7402935f6bd0b94687488bd3e8003

SHA512
082060c9557cc0667797fb80fab87bf79dc1bc7a0dd0b42bfdabb30c21f9bee4e0719dfe5cbc59fb0f14fa0c8a45654e93cdf53327e0812101af1a403ae44f20

Download Submit
C:\Windows\{62173984-C5D9-4755-ADAF-6EC8DC3CC0D9}.exe

Filesize
344KB

MD5
0ad18bc538cd415838a8cedc80cff020

SHA1
56f2fce4dab3a45620dcc5532e187727d1f35043

SHA256
019c65740e199d4118064d622eb798000be9b0efcd40a2f00d93bebd67c178b1

SHA512
142e4414f7470d152a0a247ad8804d464182bba270fc85439500dedd59834f08cc3c51c9938c9ccc8205992d71e6c920986705760f5595e8152e34cee9fc8125

Download Submit
C:\Windows\{623FAC94-D511-449f-A0E0-6358642CF8C5}.exe

Filesize
344KB

MD5
9b1fb3192c9c62ec34c062d8637b9817

SHA1
a621d4fe2328112cc95c5d3c7f0703f30ef7b8fb

SHA256
b58798249177353c095c88b8402388acafcbf94c5ebf4c3d2fbc1cc28b26bb0c

SHA512
c98426bd237fc8584faf5bc91d817923320f158a29a583adccedd7d0926c3227a6ad86a2b0180e256867a0c164239b59b50edee15955e91a6e2997a81ed0f5ea

Download Submit
C:\Windows\{6F772756-075D-4be2-B3D5-63C8A20B8DAA}.exe

Filesize
344KB

MD5
049bc3a114da6d2f0c188b2072408f53

SHA1
6041caae415a161050e7667c73aa0d669bc6d9eb

SHA256
c03d48f47b7055afa998c3c585798c133a2aeaf9f4323e7b5ca115c91bfc2f02

SHA512
3b5f2c0f5bf9394e7daf2269343a7c29f73573a50459767ed4c8768842eba03c3f8ae87799854c94ec2433a885146a1b440bb7dd675ba22d8e18430a1cc71325

Download Submit
C:\Windows\{8364C3E5-DBAE-4b42-86E5-F59C52D7FA5A}.exe

Filesize
344KB

MD5
a531abdb78d67d3e299f9857724592a3

SHA1
66a3d46dd362efd2b31504d46f1831b771289b89

SHA256
e5844b9cac0d3b6f18fae2c29261d58d924e00f22f9ed066bb3ac7aa62f32b0b

SHA512
93ef5486bdef5bd2e8bd3ea7c7ca8e391d147f67ffd4153dd03631dc7ee12ff7fbcfeb59feccc462c2c338a7da48b9ab5388d30655dbcd5253b3515bdec527b6

Download Submit
C:\Windows\{8976C64A-6780-4973-97D5-9D8E7AC007A8}.exe

Filesize
344KB

MD5
899e744ee64abb61b128ae53b7df38ec

SHA1
736bc0a36a72254edac0e3998c08763ecb560447

SHA256
946842c4d515ae2f98bf6c9d00f6dcf44f4a178df84b5def05278827e07e2571

SHA512
182a37b363678dc9d9aa4b3d3f4b12d02db194ad6bcd415df285d796512a8eaf66ebeb48268887e08604997d94af97c736fa17762a3d88692a7ac52fbebfcdc5

Download Submit
C:\Windows\{DD86D26A-73F2-47e3-9F85-DA86555D5573}.exe

Filesize
344KB

MD5
2633245ad5b4718a0ad7163f9e94a8da

SHA1
93fe5fb3599a79dd083993a242f1929c6fed34c9

SHA256
258ffd10572a9310d7af566435422b9ac5a3f7610023a151c2cd8e120178be5f

SHA512
103ec301ef4b6a220ea00d3cb351a469bf853881968a7437424d91d38a9f432795fd5c9e69011714a5254671dc43d4dd225027dc030a25d1e61fe3fe5a25e25b

Download Submit
C:\Windows\{E44ECFF3-02B3-4122-A2EF-0EAF89EA76F5}.exe

Filesize
344KB

MD5
338bac7837b197b20d71d215e0b26079

SHA1
3c41f145d8284bb7c5d9cc08a2150aab740a7010

SHA256
fe89bb6f749c2918413051f4dfdab016f86013b0df089e22b10273642d9d1a1c

SHA512
4a16396ec6a214281e7f6f1ab9953a5d1f47e2bf3f32b757b97ba63a65dc254bad7e266c152e296c4e70b2d4d8f5dda00bbc4035669cf5db7291882bcbc9f383

Download Submit
C:\Windows\{F16D797F-E4F0-429a-9E80-AB52A203F829}.exe

Filesize
344KB

MD5
2aaabe381a667e010da0260c11473257

SHA1
f4bf8278c277a1d07047d62d6be9598d42d078ff

SHA256
9da6ad0b08de7f73de66631bbba9a0aaf768c4314b3d96db48964a62e93b360e

SHA512
62f7e47294148a4d22b52ff833dfb9d56e8aea4fe5b70a88c4e6cbc6ad51e90e94d57f8d4618ddc973a87d4e0433a3b968efb82670d3c0c5e17353b76eea1904

Download Submit
C:\Windows\{FD8400DC-573B-487f-AFBC-0309793B5506}.exe

Filesize
344KB

MD5
968955f762437ac8e47acf141208e058

SHA1
c6ca0023d58d25b3632080714c11cd5c31ec76a8

SHA256
19f8368ad5803a32781b3fa0aa00b8f7719fb891af9a74758cd1c8907f30cfab

SHA512
bd850628f766ad1742bc4d60113cf5122df3c828c9b3f3253a658a751f9ef9ea74c1fccd787de7b4c3620888c36d2a50ccfbfd2e76a9f357a62d77b90c3be5d8

Download Submit