b734576561829c675a2fe1288981170ab4e61ab69860307763419c3aecbe4066

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe
Size

372KB
MD5

d84144c2408c9957bcb881f3bb1cda75
SHA1

acfa126bf745c2616b32648009df9f80cbd37523
SHA256

b734576561829c675a2fe1288981170ab4e61ab69860307763419c3aecbe4066
SHA512

4e0534696d0f637f7e12675073b4ff04c64afa39e99efcdfd904df21ca27786fc2d9b7c8d635873d21583367669f8d2df621767b597226243ddd2d52ab4897c4
SSDEEP

3072:CEGh0o1lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGzlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{D68C5711-D404-41c1-938A-70AC547F917D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A880AFD4-F107-445a-9351-83D59DC02859}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{31176D57-8677-4552-B247-361039D1C11D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9EEE42EE-1C41-45e7-B777-1E5EE981CA1B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}.exe{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe{A880AFD4-F107-445a-9351-83D59DC02859}.exe{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}.exe{31176D57-8677-4552-B247-361039D1C11D}.exe{D68C5711-D404-41c1-938A-70AC547F917D}.exe{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EEE42EE-1C41-45e7-B777-1E5EE981CA1B}\stubpath = "C:\\Windows\\{9EEE42EE-1C41-45e7-B777-1E5EE981CA1B}.exe"	{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{335942F9-F169-4518-A6CA-A7BB7C056F5B}	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A880AFD4-F107-445a-9351-83D59DC02859}\stubpath = "C:\\Windows\\{A880AFD4-F107-445a-9351-83D59DC02859}.exe"	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31176D57-8677-4552-B247-361039D1C11D}	{A880AFD4-F107-445a-9351-83D59DC02859}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}\stubpath = "C:\\Windows\\{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}.exe"	{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}\stubpath = "C:\\Windows\\{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}.exe"	{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{243BF973-0C29-41bf-AB81-C2AF59F77131}	{31176D57-8677-4552-B247-361039D1C11D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{243BF973-0C29-41bf-AB81-C2AF59F77131}\stubpath = "C:\\Windows\\{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe"	{31176D57-8677-4552-B247-361039D1C11D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC38FB47-702A-48ae-B932-177C9DD366FC}\stubpath = "C:\\Windows\\{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe"	{D68C5711-D404-41c1-938A-70AC547F917D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{335942F9-F169-4518-A6CA-A7BB7C056F5B}\stubpath = "C:\\Windows\\{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe"	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}\stubpath = "C:\\Windows\\{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe"	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A880AFD4-F107-445a-9351-83D59DC02859}	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D68C5711-D404-41c1-938A-70AC547F917D}\stubpath = "C:\\Windows\\{D68C5711-D404-41c1-938A-70AC547F917D}.exe"	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC38FB47-702A-48ae-B932-177C9DD366FC}	{D68C5711-D404-41c1-938A-70AC547F917D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31176D57-8677-4552-B247-361039D1C11D}\stubpath = "C:\\Windows\\{31176D57-8677-4552-B247-361039D1C11D}.exe"	{A880AFD4-F107-445a-9351-83D59DC02859}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}\stubpath = "C:\\Windows\\{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe"	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}	{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D68C5711-D404-41c1-938A-70AC547F917D}	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}	{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EEE42EE-1C41-45e7-B777-1E5EE981CA1B}	{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2480 cmd.exe

pid	process
2480	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{D68C5711-D404-41c1-938A-70AC547F917D}.exe{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe{A880AFD4-F107-445a-9351-83D59DC02859}.exe{31176D57-8677-4552-B247-361039D1C11D}.exe{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}.exe{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}.exe{9EEE42EE-1C41-45e7-B777-1E5EE981CA1B}.exe

pid	process
2772	{D68C5711-D404-41c1-938A-70AC547F917D}.exe
2112	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe
2624	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe
1512	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe
1504	{A880AFD4-F107-445a-9351-83D59DC02859}.exe
3016	{31176D57-8677-4552-B247-361039D1C11D}.exe
796	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe
2800	{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe
692	{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}.exe
2052	{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}.exe
2432	{9EEE42EE-1C41-45e7-B777-1E5EE981CA1B}.exe

Drops file in Windows directory 11 IoCs

Processes:

{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}.exe{A880AFD4-F107-445a-9351-83D59DC02859}.exe{31176D57-8677-4552-B247-361039D1C11D}.exe{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe{D68C5711-D404-41c1-938A-70AC547F917D}.exe{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}.exe

description	ioc	process
File created	C:\Windows\{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe
File created	C:\Windows\{9EEE42EE-1C41-45e7-B777-1E5EE981CA1B}.exe	{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}.exe
File created	C:\Windows\{31176D57-8677-4552-B247-361039D1C11D}.exe	{A880AFD4-F107-445a-9351-83D59DC02859}.exe
File created	C:\Windows\{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe	{31176D57-8677-4552-B247-361039D1C11D}.exe
File created	C:\Windows\{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe
File created	C:\Windows\{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}.exe	{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe
File created	C:\Windows\{D68C5711-D404-41c1-938A-70AC547F917D}.exe	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe
File created	C:\Windows\{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe	{D68C5711-D404-41c1-938A-70AC547F917D}.exe
File created	C:\Windows\{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe
File created	C:\Windows\{A880AFD4-F107-445a-9351-83D59DC02859}.exe	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe
File created	C:\Windows\{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}.exe	{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe{D68C5711-D404-41c1-938A-70AC547F917D}.exe{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe{A880AFD4-F107-445a-9351-83D59DC02859}.exe{31176D57-8677-4552-B247-361039D1C11D}.exe{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}.exe{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1712	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2772	{D68C5711-D404-41c1-938A-70AC547F917D}.exe
Token: SeIncBasePriorityPrivilege	2112	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe
Token: SeIncBasePriorityPrivilege	2624	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe
Token: SeIncBasePriorityPrivilege	1512	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe
Token: SeIncBasePriorityPrivilege	1504	{A880AFD4-F107-445a-9351-83D59DC02859}.exe
Token: SeIncBasePriorityPrivilege	3016	{31176D57-8677-4552-B247-361039D1C11D}.exe
Token: SeIncBasePriorityPrivilege	796	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe
Token: SeIncBasePriorityPrivilege	2800	{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe
Token: SeIncBasePriorityPrivilege	692	{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}.exe
Token: SeIncBasePriorityPrivilege	2052	{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1712 wrote to memory of 2772	1712	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe	{D68C5711-D404-41c1-938A-70AC547F917D}.exe
PID 1712 wrote to memory of 2772	1712	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe	{D68C5711-D404-41c1-938A-70AC547F917D}.exe
PID 1712 wrote to memory of 2772	1712	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe	{D68C5711-D404-41c1-938A-70AC547F917D}.exe
PID 1712 wrote to memory of 2772	1712	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe	{D68C5711-D404-41c1-938A-70AC547F917D}.exe
PID 1712 wrote to memory of 2480	1712	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe	cmd.exe
PID 1712 wrote to memory of 2480	1712	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe	cmd.exe
PID 1712 wrote to memory of 2480	1712	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe	cmd.exe
PID 1712 wrote to memory of 2480	1712	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe	cmd.exe
PID 2772 wrote to memory of 2112	2772	{D68C5711-D404-41c1-938A-70AC547F917D}.exe	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe
PID 2772 wrote to memory of 2112	2772	{D68C5711-D404-41c1-938A-70AC547F917D}.exe	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe
PID 2772 wrote to memory of 2112	2772	{D68C5711-D404-41c1-938A-70AC547F917D}.exe	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe
PID 2772 wrote to memory of 2112	2772	{D68C5711-D404-41c1-938A-70AC547F917D}.exe	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe
PID 2772 wrote to memory of 2924	2772	{D68C5711-D404-41c1-938A-70AC547F917D}.exe	cmd.exe
PID 2772 wrote to memory of 2924	2772	{D68C5711-D404-41c1-938A-70AC547F917D}.exe	cmd.exe
PID 2772 wrote to memory of 2924	2772	{D68C5711-D404-41c1-938A-70AC547F917D}.exe	cmd.exe
PID 2772 wrote to memory of 2924	2772	{D68C5711-D404-41c1-938A-70AC547F917D}.exe	cmd.exe
PID 2112 wrote to memory of 2624	2112	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe
PID 2112 wrote to memory of 2624	2112	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe
PID 2112 wrote to memory of 2624	2112	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe
PID 2112 wrote to memory of 2624	2112	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe
PID 2112 wrote to memory of 2256	2112	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe	cmd.exe
PID 2112 wrote to memory of 2256	2112	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe	cmd.exe
PID 2112 wrote to memory of 2256	2112	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe	cmd.exe
PID 2112 wrote to memory of 2256	2112	{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe	cmd.exe
PID 2624 wrote to memory of 1512	2624	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe
PID 2624 wrote to memory of 1512	2624	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe
PID 2624 wrote to memory of 1512	2624	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe
PID 2624 wrote to memory of 1512	2624	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe
PID 2624 wrote to memory of 580	2624	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe	cmd.exe
PID 2624 wrote to memory of 580	2624	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe	cmd.exe
PID 2624 wrote to memory of 580	2624	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe	cmd.exe
PID 2624 wrote to memory of 580	2624	{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe	cmd.exe
PID 1512 wrote to memory of 1504	1512	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe	{A880AFD4-F107-445a-9351-83D59DC02859}.exe
PID 1512 wrote to memory of 1504	1512	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe	{A880AFD4-F107-445a-9351-83D59DC02859}.exe
PID 1512 wrote to memory of 1504	1512	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe	{A880AFD4-F107-445a-9351-83D59DC02859}.exe
PID 1512 wrote to memory of 1504	1512	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe	{A880AFD4-F107-445a-9351-83D59DC02859}.exe
PID 1512 wrote to memory of 564	1512	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe	cmd.exe
PID 1512 wrote to memory of 564	1512	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe	cmd.exe
PID 1512 wrote to memory of 564	1512	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe	cmd.exe
PID 1512 wrote to memory of 564	1512	{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe	cmd.exe
PID 1504 wrote to memory of 3016	1504	{A880AFD4-F107-445a-9351-83D59DC02859}.exe	{31176D57-8677-4552-B247-361039D1C11D}.exe
PID 1504 wrote to memory of 3016	1504	{A880AFD4-F107-445a-9351-83D59DC02859}.exe	{31176D57-8677-4552-B247-361039D1C11D}.exe
PID 1504 wrote to memory of 3016	1504	{A880AFD4-F107-445a-9351-83D59DC02859}.exe	{31176D57-8677-4552-B247-361039D1C11D}.exe
PID 1504 wrote to memory of 3016	1504	{A880AFD4-F107-445a-9351-83D59DC02859}.exe	{31176D57-8677-4552-B247-361039D1C11D}.exe
PID 1504 wrote to memory of 2784	1504	{A880AFD4-F107-445a-9351-83D59DC02859}.exe	cmd.exe
PID 1504 wrote to memory of 2784	1504	{A880AFD4-F107-445a-9351-83D59DC02859}.exe	cmd.exe
PID 1504 wrote to memory of 2784	1504	{A880AFD4-F107-445a-9351-83D59DC02859}.exe	cmd.exe
PID 1504 wrote to memory of 2784	1504	{A880AFD4-F107-445a-9351-83D59DC02859}.exe	cmd.exe
PID 3016 wrote to memory of 796	3016	{31176D57-8677-4552-B247-361039D1C11D}.exe	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe
PID 3016 wrote to memory of 796	3016	{31176D57-8677-4552-B247-361039D1C11D}.exe	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe
PID 3016 wrote to memory of 796	3016	{31176D57-8677-4552-B247-361039D1C11D}.exe	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe
PID 3016 wrote to memory of 796	3016	{31176D57-8677-4552-B247-361039D1C11D}.exe	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe
PID 3016 wrote to memory of 1944	3016	{31176D57-8677-4552-B247-361039D1C11D}.exe	cmd.exe
PID 3016 wrote to memory of 1944	3016	{31176D57-8677-4552-B247-361039D1C11D}.exe	cmd.exe
PID 3016 wrote to memory of 1944	3016	{31176D57-8677-4552-B247-361039D1C11D}.exe	cmd.exe
PID 3016 wrote to memory of 1944	3016	{31176D57-8677-4552-B247-361039D1C11D}.exe	cmd.exe
PID 796 wrote to memory of 2800	796	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe	{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe
PID 796 wrote to memory of 2800	796	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe	{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe
PID 796 wrote to memory of 2800	796	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe	{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe
PID 796 wrote to memory of 2800	796	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe	{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe
PID 796 wrote to memory of 2808	796	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe	cmd.exe
PID 796 wrote to memory of 2808	796	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe	cmd.exe
PID 796 wrote to memory of 2808	796	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe	cmd.exe
PID 796 wrote to memory of 2808	796	{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\{D68C5711-D404-41c1-938A-70AC547F917D}.exe
C:\Windows\{D68C5711-D404-41c1-938A-70AC547F917D}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe
C:\Windows\{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FC38F~1.EXE > nul
4⤵
PID:2256

C:\Windows\{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe
C:\Windows\{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{33594~1.EXE > nul
5⤵
PID:580

C:\Windows\{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe
C:\Windows\{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6F157~1.EXE > nul
6⤵
PID:564

C:\Windows\{A880AFD4-F107-445a-9351-83D59DC02859}.exe
C:\Windows\{A880AFD4-F107-445a-9351-83D59DC02859}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A880A~1.EXE > nul
7⤵
PID:2784

C:\Windows\{31176D57-8677-4552-B247-361039D1C11D}.exe
C:\Windows\{31176D57-8677-4552-B247-361039D1C11D}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe
C:\Windows\{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe
C:\Windows\{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}.exe
C:\Windows\{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}.exe
C:\Windows\{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F8CA4~1.EXE > nul
12⤵
PID:2040

C:\Windows\{9EEE42EE-1C41-45e7-B777-1E5EE981CA1B}.exe
C:\Windows\{9EEE42EE-1C41-45e7-B777-1E5EE981CA1B}.exe
12⤵
- Executes dropped EXE
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B2B0E~1.EXE > nul
11⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CDB3C~1.EXE > nul
10⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{243BF~1.EXE > nul
9⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{31176~1.EXE > nul
8⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D68C5~1.EXE > nul
3⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{243BF973-0C29-41bf-AB81-C2AF59F77131}.exe

Filesize
372KB

MD5
38fede7e19856516a5ff46ed2bfc835a

SHA1
89d63c80fd33098ccd9b9b55044def1f7cc194c1

SHA256
770122ac908816eb4955bf6cd2709f3c73c6cd2c29a15a8516f46c0b22f1b811

SHA512
a6819b970a93b7a7e94b121b33cca1f0e939a89b5ca7ff81112b7ca1924621d17bc6391811b4d4626c813df9d154cd357ba51da28dbe8206c68be70d15e2171d

Download Submit
C:\Windows\{31176D57-8677-4552-B247-361039D1C11D}.exe

Filesize
372KB

MD5
6d468ec44e2f747c8f06b1ecc767cd1e

SHA1
0971163e2bf3c0a6ee4b8b2388475aad026325fd

SHA256
97dcbd02cf185a9ddc9c928006b0ec7f9ae2197e253fd08f82d5d9c65c928793

SHA512
42edd02dfbbe3393343799e5dfc961e1895f4d681eeb42672c8dc19c918a137f8559b35e9fa99f39caf47cbbfcfd509d5077411420ad284859bb2269635c1df1

Download Submit
C:\Windows\{335942F9-F169-4518-A6CA-A7BB7C056F5B}.exe

Filesize
372KB

MD5
9ef4127cf5c50f6ae8d699b9c6ef4530

SHA1
d02b28dead12a5ad718eda718c501d5b4ba76681

SHA256
2cdba68ef0470f974501b6338a8f9ef61b647ff17daaf870fa0cca633fc5a660

SHA512
d9ac43e4353d9741414330d322d2b77d2dcbc3826675d26fa2e52ad94b9a724aacb92b151684adc4c993770514d85766a485cf0ce9485e2ce38a4c08af319795

Download Submit
C:\Windows\{6F1572C4-D72E-4477-92EC-7D3E7A4E0383}.exe

Filesize
372KB

MD5
c833cc345e73b43fab809d208cd7a869

SHA1
44f739b52e9c91da20078739b082a7a81aaa0ade

SHA256
45de9817347c98824c9442f70744d72a339b53243552ec5139647c6d83a5e7b6

SHA512
4da0d36b46d659a4754273c303fb0ccf8e0c06820389dcc98c7bb351ecb113555652b3e726d8ad41f53329b4fd7a565852793f3b66f0f1f53888058f7f35e19e

Download Submit
C:\Windows\{9EEE42EE-1C41-45e7-B777-1E5EE981CA1B}.exe

Filesize
372KB

MD5
911bd794cdc4f1152b57662574c233c7

SHA1
56e2f50426461fb026644cb990083ff1f22fbfc2

SHA256
38f754768ed968f2b6179bff8c2c8285bbd9f874eee64e11c67ec8d3ec794c7e

SHA512
330cbf51f141ad14d320eaec34bc11370a7f1ba2fc349e14386ee7bb604e42541d52810a8c112dcef9cfd01c871790399438a04eaaa586054c4a6bb6055066b6

Download Submit
C:\Windows\{A880AFD4-F107-445a-9351-83D59DC02859}.exe

Filesize
372KB

MD5
e400b853f7eb294e941fd4188ce92ffc

SHA1
1adbba5db409afe386717c6425c9b046cd024604

SHA256
940e0d9dc9d84e615fb16c07e82d471c950348c6f093f11105373f3d52db7c3d

SHA512
c4cab258ad62e65df0aa2dcf30c1c1ff5fa65e104b39223262db694987797073084c9c68d2700157d1c0bb91017cedb06f129721b2abcd5ca27ec6570f64e9b3

Download Submit
C:\Windows\{B2B0E83A-378D-45a2-AFE4-C5B570F2F4B0}.exe

Filesize
372KB

MD5
56da44cc92d8f3ded56ede592c59b478

SHA1
2b7bb9947285325d03bdb039228433c8e6759e33

SHA256
6d276031d5c0f4b1409b46735a6a0a4b1d95bf844c3799e480c03f31abf9fe9e

SHA512
9a457620d6d814f63f0662ddbfe89db539d2dfc6b7bebd742c9ceca32bd75a1ebb18d78feaee05e6f7203de6bd4aaf198b770be0ff1a3c626f5822f9bd68be38

Download Submit
C:\Windows\{CDB3C481-CA09-4fc5-B17F-1AF833C207AF}.exe

Filesize
372KB

MD5
843defa7be3eb0b0e7bdb72636574d64

SHA1
887b71af7e28dec2f772e83c0f71725c015f0a91

SHA256
7ccbca7bd01f0392bda0311fd0a8064c2e48e7e993c1c50a32562c98a9aece49

SHA512
5c7d9435fde2ddae24a94404aaecbc38582a0dddec2b9c0f669b9ea198c6abb5ef9a325615973a050d215fc089739e0428eacd0d5edff16804bfe6283abc8654

Download Submit
C:\Windows\{D68C5711-D404-41c1-938A-70AC547F917D}.exe

Filesize
372KB

MD5
7561e261004ed64ac52d5c1979be14b1

SHA1
82fa8a6b28746b3b24cc85e383e71af621650047

SHA256
6fe32640d28fa84648598ccbaf084b2eea8171d8d0caf29e8ff82505e0732e8f

SHA512
f85bd8c05edd9f93bf722618b873f70abf22041d40cc39e9cb9fcd9cfdc27b79c0a107eb8f3fe1bf827b14bc090d916848331dad7f7c3118b31004469a643260

Download Submit
C:\Windows\{F8CA4371-46C3-4c05-AD2B-8273D7BF2874}.exe

Filesize
372KB

MD5
26fc9c2a95fae08f40de8c8bc0720d6a

SHA1
e1440ce1559efe46464e2739ed6ff1d389c5f9d4

SHA256
4e0348483fbe14178ae8b12d06187ce331f83c4eeb9bdc60378d9867af26715d

SHA512
fc15705abceb63b427be3873f71dbca96eda5784a7e4585f28396f9b013ada9ff6248061ff694102aa7b5df0c95dfe214a5cfb22a5b828f60ef47328885ca120

Download Submit
C:\Windows\{FC38FB47-702A-48ae-B932-177C9DD366FC}.exe

Filesize
372KB

MD5
cd7426cd53f8c6c8bccf60551f6c4764

SHA1
43f41d44d2bf914c4e187ef315f2dab8787e6efb

SHA256
b10eadfd70320a66319ef1b76e78ea1d5dba0c8429c6825c316f7d7ac2b4c837

SHA512
944de9b0e23208f615e443144cf5f9c240b2d82bb914fdf61d13623f51b3acb50c1c18d186e8ee39a2173094b38676c1b53efcc20471f3ee329c05b942195848

Download Submit