737c52f77a454826ab42a01e322da0f40205d617591c02430105d3b853c7029c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe
Size

344KB
MD5

d27ddf85b9f56d364385a1e304375ae5
SHA1

94515ff981f9353992b6c44faef80fc6faac5af8
SHA256

737c52f77a454826ab42a01e322da0f40205d617591c02430105d3b853c7029c
SHA512

53c1107f64162e32690c0308a7796606d56d8ce331fb5c86c5b6aa3840ee41dfc17662823c8eb505f8ef3a5704546da9c6a7abe20c7dfa3df087092568ece61a
SSDEEP

3072:mEGh0o4lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG+lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

Processes:

resource	yara_rule
C:\Windows\{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{24606611-F930-4a52-AB52-E8356B37EEF3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CC3D439D-7ADD-4d93-9BC7-9952DF82F841}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe{24606611-F930-4a52-AB52-E8356B37EEF3}.exe{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B16F996-BDEF-4230-92F1-06DE7C437B04}\stubpath = "C:\\Windows\\{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe"	{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}	{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}	{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24606611-F930-4a52-AB52-E8356B37EEF3}	{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}\stubpath = "C:\\Windows\\{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe"	{24606611-F930-4a52-AB52-E8356B37EEF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B16F996-BDEF-4230-92F1-06DE7C437B04}	{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}	{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24606611-F930-4a52-AB52-E8356B37EEF3}\stubpath = "C:\\Windows\\{24606611-F930-4a52-AB52-E8356B37EEF3}.exe"	{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}	{24606611-F930-4a52-AB52-E8356B37EEF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}	{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F78BB7A-903C-401f-B31C-C83F507D0DDA}	{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F78BB7A-903C-401f-B31C-C83F507D0DDA}\stubpath = "C:\\Windows\\{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe"	{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC3D439D-7ADD-4d93-9BC7-9952DF82F841}\stubpath = "C:\\Windows\\{CC3D439D-7ADD-4d93-9BC7-9952DF82F841}.exe"	{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}\stubpath = "C:\\Windows\\{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe"	{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}\stubpath = "C:\\Windows\\{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe"	{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}	{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}\stubpath = "C:\\Windows\\{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe"	{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E062C125-1145-484d-AB32-E5EFF29B3AB9}\stubpath = "C:\\Windows\\{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe"	{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC3D439D-7ADD-4d93-9BC7-9952DF82F841}	{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F76F5D67-7476-4f76-BC64-0F72E00839FD}	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F76F5D67-7476-4f76-BC64-0F72E00839FD}\stubpath = "C:\\Windows\\{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe"	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}\stubpath = "C:\\Windows\\{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe"	{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}\stubpath = "C:\\Windows\\{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe"	{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E062C125-1145-484d-AB32-E5EFF29B3AB9}	{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe

Executes dropped EXE 12 IoCs

Processes:

{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe{24606611-F930-4a52-AB52-E8356B37EEF3}.exe{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe{CC3D439D-7ADD-4d93-9BC7-9952DF82F841}.exe

pid	process
4288	{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe
2240	{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe
1844	{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe
3216	{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe
4336	{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe
3128	{24606611-F930-4a52-AB52-E8356B37EEF3}.exe
3384	{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe
3892	{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe
4732	{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe
4452	{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe
4092	{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe
4880	{CC3D439D-7ADD-4d93-9BC7-9952DF82F841}.exe

Drops file in Windows directory 12 IoCs

Processes:

{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe{24606611-F930-4a52-AB52-E8356B37EEF3}.exe{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe

description	ioc	process
File created	C:\Windows\{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe	{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe
File created	C:\Windows\{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe	{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe
File created	C:\Windows\{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe	{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe
File created	C:\Windows\{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe	{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe
File created	C:\Windows\{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe	{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe
File created	C:\Windows\{24606611-F930-4a52-AB52-E8356B37EEF3}.exe	{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe
File created	C:\Windows\{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe	{24606611-F930-4a52-AB52-E8356B37EEF3}.exe
File created	C:\Windows\{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe	{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe
File created	C:\Windows\{CC3D439D-7ADD-4d93-9BC7-9952DF82F841}.exe	{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe
File created	C:\Windows\{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe
File created	C:\Windows\{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe	{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe
File created	C:\Windows\{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe	{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe{24606611-F930-4a52-AB52-E8356B37EEF3}.exe{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4944	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4288	{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe
Token: SeIncBasePriorityPrivilege	2240	{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe
Token: SeIncBasePriorityPrivilege	1844	{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe
Token: SeIncBasePriorityPrivilege	3216	{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe
Token: SeIncBasePriorityPrivilege	4336	{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe
Token: SeIncBasePriorityPrivilege	3128	{24606611-F930-4a52-AB52-E8356B37EEF3}.exe
Token: SeIncBasePriorityPrivilege	3384	{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe
Token: SeIncBasePriorityPrivilege	3892	{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe
Token: SeIncBasePriorityPrivilege	4732	{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe
Token: SeIncBasePriorityPrivilege	4452	{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe
Token: SeIncBasePriorityPrivilege	4092	{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4944 wrote to memory of 4288	4944	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe	{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe
PID 4944 wrote to memory of 4288	4944	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe	{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe
PID 4944 wrote to memory of 4288	4944	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe	{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe
PID 4944 wrote to memory of 1724	4944	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe	cmd.exe
PID 4944 wrote to memory of 1724	4944	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe	cmd.exe
PID 4944 wrote to memory of 1724	4944	2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe	cmd.exe
PID 4288 wrote to memory of 2240	4288	{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe	{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe
PID 4288 wrote to memory of 2240	4288	{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe	{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe
PID 4288 wrote to memory of 2240	4288	{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe	{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe
PID 4288 wrote to memory of 3852	4288	{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe	cmd.exe
PID 4288 wrote to memory of 3852	4288	{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe	cmd.exe
PID 4288 wrote to memory of 3852	4288	{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe	cmd.exe
PID 2240 wrote to memory of 1844	2240	{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe	{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe
PID 2240 wrote to memory of 1844	2240	{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe	{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe
PID 2240 wrote to memory of 1844	2240	{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe	{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe
PID 2240 wrote to memory of 1944	2240	{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe	cmd.exe
PID 2240 wrote to memory of 1944	2240	{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe	cmd.exe
PID 2240 wrote to memory of 1944	2240	{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe	cmd.exe
PID 1844 wrote to memory of 3216	1844	{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe	{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe
PID 1844 wrote to memory of 3216	1844	{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe	{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe
PID 1844 wrote to memory of 3216	1844	{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe	{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe
PID 1844 wrote to memory of 2760	1844	{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe	cmd.exe
PID 1844 wrote to memory of 2760	1844	{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe	cmd.exe
PID 1844 wrote to memory of 2760	1844	{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe	cmd.exe
PID 3216 wrote to memory of 4336	3216	{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe	{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe
PID 3216 wrote to memory of 4336	3216	{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe	{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe
PID 3216 wrote to memory of 4336	3216	{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe	{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe
PID 3216 wrote to memory of 4772	3216	{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe	cmd.exe
PID 3216 wrote to memory of 4772	3216	{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe	cmd.exe
PID 3216 wrote to memory of 4772	3216	{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe	cmd.exe
PID 4336 wrote to memory of 3128	4336	{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe	{24606611-F930-4a52-AB52-E8356B37EEF3}.exe
PID 4336 wrote to memory of 3128	4336	{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe	{24606611-F930-4a52-AB52-E8356B37EEF3}.exe
PID 4336 wrote to memory of 3128	4336	{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe	{24606611-F930-4a52-AB52-E8356B37EEF3}.exe
PID 4336 wrote to memory of 1496	4336	{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe	cmd.exe
PID 4336 wrote to memory of 1496	4336	{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe	cmd.exe
PID 4336 wrote to memory of 1496	4336	{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe	cmd.exe
PID 3128 wrote to memory of 3384	3128	{24606611-F930-4a52-AB52-E8356B37EEF3}.exe	{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe
PID 3128 wrote to memory of 3384	3128	{24606611-F930-4a52-AB52-E8356B37EEF3}.exe	{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe
PID 3128 wrote to memory of 3384	3128	{24606611-F930-4a52-AB52-E8356B37EEF3}.exe	{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe
PID 3128 wrote to memory of 976	3128	{24606611-F930-4a52-AB52-E8356B37EEF3}.exe	cmd.exe
PID 3128 wrote to memory of 976	3128	{24606611-F930-4a52-AB52-E8356B37EEF3}.exe	cmd.exe
PID 3128 wrote to memory of 976	3128	{24606611-F930-4a52-AB52-E8356B37EEF3}.exe	cmd.exe
PID 3384 wrote to memory of 3892	3384	{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe	{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe
PID 3384 wrote to memory of 3892	3384	{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe	{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe
PID 3384 wrote to memory of 3892	3384	{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe	{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe
PID 3384 wrote to memory of 4756	3384	{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe	cmd.exe
PID 3384 wrote to memory of 4756	3384	{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe	cmd.exe
PID 3384 wrote to memory of 4756	3384	{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe	cmd.exe
PID 3892 wrote to memory of 4732	3892	{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe	{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe
PID 3892 wrote to memory of 4732	3892	{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe	{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe
PID 3892 wrote to memory of 4732	3892	{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe	{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe
PID 3892 wrote to memory of 2540	3892	{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe	cmd.exe
PID 3892 wrote to memory of 2540	3892	{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe	cmd.exe
PID 3892 wrote to memory of 2540	3892	{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe	cmd.exe
PID 4732 wrote to memory of 4452	4732	{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe	{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe
PID 4732 wrote to memory of 4452	4732	{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe	{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe
PID 4732 wrote to memory of 4452	4732	{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe	{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe
PID 4732 wrote to memory of 2772	4732	{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe	cmd.exe
PID 4732 wrote to memory of 2772	4732	{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe	cmd.exe
PID 4732 wrote to memory of 2772	4732	{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe	cmd.exe
PID 4452 wrote to memory of 4092	4452	{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe	{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe
PID 4452 wrote to memory of 4092	4452	{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe	{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe
PID 4452 wrote to memory of 4092	4452	{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe	{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe
PID 4452 wrote to memory of 4892	4452	{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_d27ddf85b9f56d364385a1e304375ae5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe
C:\Windows\{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe
C:\Windows\{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E4FDD~1.EXE > nul
4⤵
PID:1944

C:\Windows\{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe
C:\Windows\{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe
C:\Windows\{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe
C:\Windows\{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\{24606611-F930-4a52-AB52-E8356B37EEF3}.exe
C:\Windows\{24606611-F930-4a52-AB52-E8356B37EEF3}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe
C:\Windows\{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe
C:\Windows\{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe
C:\Windows\{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe
C:\Windows\{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe
C:\Windows\{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\{CC3D439D-7ADD-4d93-9BC7-9952DF82F841}.exe
C:\Windows\{CC3D439D-7ADD-4d93-9BC7-9952DF82F841}.exe
13⤵
- Executes dropped EXE
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9B16F~1.EXE > nul
13⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9F78B~1.EXE > nul
12⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E062C~1.EXE > nul
11⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{33D1B~1.EXE > nul
10⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1239D~1.EXE > nul
9⤵
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{24606~1.EXE > nul
8⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9D49C~1.EXE > nul
7⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{61A1B~1.EXE > nul
6⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4C9F0~1.EXE > nul
5⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F76F5~1.EXE > nul
3⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe

Filesize
264KB

MD5
df26ef98862b3aa900835c475056f072

SHA1
48ca18c3d78b6c34798b34ad9467633f3f4cfcc6

SHA256
ddfa53db838eb8589ede5b4c31aee349b66ef1f7ac1c6aec25927fe3f44d3ef2

SHA512
cfdb2b425ce49de073cd5051b5be3ca10e33329add2301062db30ef9b00cc05f76e2c556a19dd00221710fc21be58fdabf5ada0ed60259b690f072213ab556cd

Download Submit
C:\Windows\{1239D32E-A274-4a74-82C0-BD3BB3BC43F2}.exe

Filesize
344KB

MD5
741f1b0a9cd9b6ae8c22a9ee99863e6f

SHA1
c47e81bf5e9440303c458ac4f71824e43428494d

SHA256
61baab489a1c182712316fc91a15190c71aad0cc9cad36ac7b8f022e90d24883

SHA512
159f11e7bb5f39c49b897a2e59fbdd4927a0214d963f1b0a565a80e14d704f0dd73fb70672255726bcbbaa1432c7aab9d20a7556a1aff79bcf3925f7af9917bc

Download Submit
C:\Windows\{24606611-F930-4a52-AB52-E8356B37EEF3}.exe

Filesize
344KB

MD5
da81c8479fe388fb96a7c799e623f0ef

SHA1
ec57a34db7efa27b0bd09e626109b46624db7ae1

SHA256
1f492c5341454916a2b66589085cd9ba49d8c08a3b6bc2bab5b1a6f9272fe9ea

SHA512
c9db2b29c508df0ecd4f42d96700fb84242f79c3182dced2cd6ff9d6d8df0763aa03c5e0dca6f0f6984fef2c4d3e3b4ad16addd976dcabbb7a6a58e0bd6b0efc

Download Submit
C:\Windows\{33D1B9AE-E73E-4214-AE14-60CAA3A7C9A8}.exe

Filesize
344KB

MD5
8b170d6bdbbc868d202f889709946ea3

SHA1
f2abd323b83030d914811d9f31a57d17f0566c44

SHA256
0b26f7bb4640b59ab52fc4e250a9d0a140b698d915d37480f765baef8b1b1295

SHA512
3299bb566527ff1f3e24d64b10a3f88ac3f7a46bdf660d2df0477e01e8081c8c07e21a20e4144edd7acf443ca18176bfbbe4072162ba0c73f403330a9a2bed74

Download Submit
C:\Windows\{4C9F098A-F6A8-4351-9157-2B4FA62EA32C}.exe

Filesize
344KB

MD5
1bd6298811119a4435b711b6dd2a6caf

SHA1
1ce50010124c0b137759fd4170a77a260a18e691

SHA256
8a1ea68584f6cdd7996f4a626234f33f17c4887b1b06455690e1515739f6514e

SHA512
951726acc00c276e63dc39ce807a9954052782ad5f075e705f44b22c901356eb0307ac71c145adc2c412d8909e8440ff9abca98f716bc5d441ce1fb4429755f6

Download Submit
C:\Windows\{61A1B93D-EFE0-4063-BDBC-BBEEDB69DC7B}.exe

Filesize
344KB

MD5
1907b56918b8cc224daa36e0bd5dcbcb

SHA1
c6761a98e40df1b1f53f9664cdac7122ffee9d61

SHA256
0df6fcd9d368ffe13a30a397292dd56706c0d6933b7373cb554bdae8f7154ba2

SHA512
882e252df4e3445e75f551efa852b3db7142a97d60463e47f9e5ad6d084c1936d0c38c4388245a8cff52cd51492fc192e622ad48530f2bcb20c1433bbd9341a5

Download Submit
C:\Windows\{9B16F996-BDEF-4230-92F1-06DE7C437B04}.exe

Filesize
344KB

MD5
9d4d3ad3ef1b0c15100a25ba6a0b5e25

SHA1
dbadba5b8d0a16dbb90b9ace773193f2c7113e70

SHA256
bc5f19e51af0763dfb07c48baa8bf6198070a4e93780c8210dac1e651bcf5786

SHA512
c5d26ebd1451b4a2695b04d3f1a22e9be7e1ed3b94733b0b136bd56701c59e912d1578f52f3e87ce67ee4e47fca21862ec35313fdc75aabc43c075f3dff53e68

Download Submit
C:\Windows\{9D49C7D9-C0FE-4199-9BB7-8D07639AA07F}.exe

Filesize
344KB

MD5
74a7b630f8d6c5a277eb780f3c5267fc

SHA1
a25bcc2572a97a2bc1becc4931a04ec0be184c25

SHA256
509a227bfb81b030d0123511c74558ff93493e68f26a441d0a5459bb4a31bc3b

SHA512
2158def012288e3598abe2dfa4e6e6dad935424a7d66fc3f64e85736478a3d154d79f7360686eff41bcfaefc227d0b3a56114c3724541e847150fcf94e8fa54b

Download Submit
C:\Windows\{9F78BB7A-903C-401f-B31C-C83F507D0DDA}.exe

Filesize
344KB

MD5
4d59151bb84a555ef5c19e533f101a23

SHA1
27a7fd1ead04032850537f63d87472cb8966c690

SHA256
88d347c3dc09dec2ec9c6831c3302cc55c4217a3ab8789266926cbfcb9e07981

SHA512
98929673d1a995098d61a55855e42b219c0001fb6e91bddf74a72621c120090669b9d7524e4ef028fed9b4594ee9fba7c87e6e4a716cc750c31ed1b392b44bbc

Download Submit
C:\Windows\{CC3D439D-7ADD-4d93-9BC7-9952DF82F841}.exe

Filesize
344KB

MD5
481cb55d4d46576324924058ac475bfd

SHA1
d72fa33487bb50c1035525044f93499309799a31

SHA256
37d07916fa6209e0380086d4da7654f7fefeba999f527ac44cf9a6b11d5c9b5e

SHA512
dc3c60b152ede9d0f158cfc0381fdc4f7a6ad28632684aa4b4bf2dd235699c282dceed88ebac50ec52d7adc0e76c214917bdb6f5704c4c43b950c041eb45eff0

Download Submit
C:\Windows\{E062C125-1145-484d-AB32-E5EFF29B3AB9}.exe

Filesize
344KB

MD5
6c8933767d579664d0526aea38df0ca6

SHA1
5b95eba672870a4bde181533a7321cb00cf83f55

SHA256
4577de69a70437af245ed1358b3f547820a32f02f0be3e59750f8f159823f5f8

SHA512
193b1edba1f079bd284dd6ad9991f5cce1ac0f17a93f924c6f1e0b8bb06344ef61d6337b796cfa2dbfe517a7df55c9ee1440fb66b2aecbbaedaab108191141f8

Download Submit
C:\Windows\{E4FDDBD1-7A32-4637-8C7E-C7F01399BED6}.exe

Filesize
344KB

MD5
4a7f245cfe0bf09e92b1418353bdc468

SHA1
f05213e24f12a804a29857e285f88b8947bb5600

SHA256
f8d0d345abccc92dbeef9644336fa94128eca0e14b86752bcd70b689879ddacb

SHA512
d3b88cdffb2404e92cf254f972129219e5b19531e2a2a3493e699f47ec42b6603b58bc9e48e1efae4d0d7326eb3e192cd6a530aa2a8090420626a8d1f72fc370

Download Submit
C:\Windows\{F76F5D67-7476-4f76-BC64-0F72E00839FD}.exe

Filesize
344KB

MD5
67311c7addc36ca69ee157a1f1d1b5eb

SHA1
14478017928a73ef74f2ebc4bd284b90316864ba

SHA256
645e6dc423858ceee3feea90eb596f8386c2bfab830a2c1cd59570393e394980

SHA512
01d2d9692770a42e709cf0e2631fa7c4ab8f27c5289646417396d20a6f014afacbb6a84e2ab345ffe873ba6be03f68703c4eafd9e2bec6828d42627414d8efea

Download Submit