b734576561829c675a2fe1288981170ab4e61ab69860307763419c3aecbe4066

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe
Size

372KB
MD5

d84144c2408c9957bcb881f3bb1cda75
SHA1

acfa126bf745c2616b32648009df9f80cbd37523
SHA256

b734576561829c675a2fe1288981170ab4e61ab69860307763419c3aecbe4066
SHA512

4e0534696d0f637f7e12675073b4ff04c64afa39e99efcdfd904df21ca27786fc2d9b7c8d635873d21583367669f8d2df621767b597226243ddd2d52ab4897c4
SSDEEP

3072:CEGh0o1lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGzlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4E64E034-8386-4898-A821-FC94B101566E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{52EE5A8E-3558-432e-B1D0-123836364026}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E6FA2945-3D47-4861-9E7F-02EE821337A4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4D932B9D-9330-4389-8986-3B869C9589D8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe{4E64E034-8386-4898-A821-FC94B101566E}.exe{E6FA2945-3D47-4861-9E7F-02EE821337A4}.exe{52EE5A8E-3558-432e-B1D0-123836364026}.exe2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19F2897C-8DA2-4754-ACA9-6F675E21BE08}\stubpath = "C:\\Windows\\{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe"	{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00FB6E8D-5126-4146-A632-417765A8F4D2}\stubpath = "C:\\Windows\\{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe"	{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E64E034-8386-4898-A821-FC94B101566E}	{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E64E034-8386-4898-A821-FC94B101566E}\stubpath = "C:\\Windows\\{4E64E034-8386-4898-A821-FC94B101566E}.exe"	{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52EE5A8E-3558-432e-B1D0-123836364026}\stubpath = "C:\\Windows\\{52EE5A8E-3558-432e-B1D0-123836364026}.exe"	{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE03FC49-45F5-49e9-B834-7C2D98320244}\stubpath = "C:\\Windows\\{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe"	{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}\stubpath = "C:\\Windows\\{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe"	{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{527CC80B-07D0-4de4-A28B-3DA1E38E6759}	{4E64E034-8386-4898-A821-FC94B101566E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{527CC80B-07D0-4de4-A28B-3DA1E38E6759}\stubpath = "C:\\Windows\\{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe"	{4E64E034-8386-4898-A821-FC94B101566E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A3B4093-7B9D-4885-8357-BCA903661FB6}\stubpath = "C:\\Windows\\{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe"	{E6FA2945-3D47-4861-9E7F-02EE821337A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6FA2945-3D47-4861-9E7F-02EE821337A4}\stubpath = "C:\\Windows\\{E6FA2945-3D47-4861-9E7F-02EE821337A4}.exe"	{52EE5A8E-3558-432e-B1D0-123836364026}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A3B4093-7B9D-4885-8357-BCA903661FB6}	{E6FA2945-3D47-4861-9E7F-02EE821337A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19F2897C-8DA2-4754-ACA9-6F675E21BE08}	{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45B7A694-D2B1-40a6-981B-063A61BA968E}\stubpath = "C:\\Windows\\{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe"	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00FB6E8D-5126-4146-A632-417765A8F4D2}	{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1ED43389-7523-494a-A0A5-D501CEA0A202}\stubpath = "C:\\Windows\\{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe"	{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52EE5A8E-3558-432e-B1D0-123836364026}	{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6FA2945-3D47-4861-9E7F-02EE821337A4}	{52EE5A8E-3558-432e-B1D0-123836364026}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D932B9D-9330-4389-8986-3B869C9589D8}\stubpath = "C:\\Windows\\{4D932B9D-9330-4389-8986-3B869C9589D8}.exe"	{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45B7A694-D2B1-40a6-981B-063A61BA968E}	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}	{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1ED43389-7523-494a-A0A5-D501CEA0A202}	{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE03FC49-45F5-49e9-B834-7C2D98320244}	{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D932B9D-9330-4389-8986-3B869C9589D8}	{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe

Executes dropped EXE 11 IoCs

Processes:

{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe{4E64E034-8386-4898-A821-FC94B101566E}.exe{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe{52EE5A8E-3558-432e-B1D0-123836364026}.exe{E6FA2945-3D47-4861-9E7F-02EE821337A4}.exe{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe{4D932B9D-9330-4389-8986-3B869C9589D8}.exe

pid	process
4392	{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe
2532	{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe
1688	{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe
2400	{4E64E034-8386-4898-A821-FC94B101566E}.exe
1568	{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe
3972	{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe
4304	{52EE5A8E-3558-432e-B1D0-123836364026}.exe
2588	{E6FA2945-3D47-4861-9E7F-02EE821337A4}.exe
860	{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe
692	{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe
3908	{4D932B9D-9330-4389-8986-3B869C9589D8}.exe

Drops file in Windows directory 11 IoCs

Processes:

{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe{4E64E034-8386-4898-A821-FC94B101566E}.exe{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe{52EE5A8E-3558-432e-B1D0-123836364026}.exe{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe

description	ioc	process
File created	C:\Windows\{4E64E034-8386-4898-A821-FC94B101566E}.exe	{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe
File created	C:\Windows\{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe	{4E64E034-8386-4898-A821-FC94B101566E}.exe
File created	C:\Windows\{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe	{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe
File created	C:\Windows\{E6FA2945-3D47-4861-9E7F-02EE821337A4}.exe	{52EE5A8E-3558-432e-B1D0-123836364026}.exe
File created	C:\Windows\{4D932B9D-9330-4389-8986-3B869C9589D8}.exe	{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe
File created	C:\Windows\{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe
File created	C:\Windows\{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe	{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe
File created	C:\Windows\{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe	{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe
File created	C:\Windows\{52EE5A8E-3558-432e-B1D0-123836364026}.exe	{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe
File created	C:\Windows\{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe	{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe
File created	C:\Windows\{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe	{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe{4E64E034-8386-4898-A821-FC94B101566E}.exe{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe{52EE5A8E-3558-432e-B1D0-123836364026}.exe{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3492	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4392	{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe
Token: SeIncBasePriorityPrivilege	2532	{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe
Token: SeIncBasePriorityPrivilege	1688	{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe
Token: SeIncBasePriorityPrivilege	2400	{4E64E034-8386-4898-A821-FC94B101566E}.exe
Token: SeIncBasePriorityPrivilege	1568	{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe
Token: SeIncBasePriorityPrivilege	3972	{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe
Token: SeIncBasePriorityPrivilege	4304	{52EE5A8E-3558-432e-B1D0-123836364026}.exe
Token: SeIncBasePriorityPrivilege	4296	{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe
Token: SeIncBasePriorityPrivilege	860	{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe
Token: SeIncBasePriorityPrivilege	692	{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3492 wrote to memory of 4392	3492	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe	{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe
PID 3492 wrote to memory of 4392	3492	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe	{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe
PID 3492 wrote to memory of 4392	3492	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe	{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe
PID 3492 wrote to memory of 1488	3492	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe	cmd.exe
PID 3492 wrote to memory of 1488	3492	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe	cmd.exe
PID 3492 wrote to memory of 1488	3492	2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe	cmd.exe
PID 4392 wrote to memory of 2532	4392	{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe	{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe
PID 4392 wrote to memory of 2532	4392	{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe	{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe
PID 4392 wrote to memory of 2532	4392	{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe	{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe
PID 4392 wrote to memory of 876	4392	{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe	cmd.exe
PID 4392 wrote to memory of 876	4392	{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe	cmd.exe
PID 4392 wrote to memory of 876	4392	{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe	cmd.exe
PID 2532 wrote to memory of 1688	2532	{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe	{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe
PID 2532 wrote to memory of 1688	2532	{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe	{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe
PID 2532 wrote to memory of 1688	2532	{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe	{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe
PID 2532 wrote to memory of 4660	2532	{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe	cmd.exe
PID 2532 wrote to memory of 4660	2532	{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe	cmd.exe
PID 2532 wrote to memory of 4660	2532	{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe	cmd.exe
PID 1688 wrote to memory of 2400	1688	{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe	{4E64E034-8386-4898-A821-FC94B101566E}.exe
PID 1688 wrote to memory of 2400	1688	{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe	{4E64E034-8386-4898-A821-FC94B101566E}.exe
PID 1688 wrote to memory of 2400	1688	{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe	{4E64E034-8386-4898-A821-FC94B101566E}.exe
PID 1688 wrote to memory of 744	1688	{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe	cmd.exe
PID 1688 wrote to memory of 744	1688	{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe	cmd.exe
PID 1688 wrote to memory of 744	1688	{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe	cmd.exe
PID 2400 wrote to memory of 1568	2400	{4E64E034-8386-4898-A821-FC94B101566E}.exe	{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe
PID 2400 wrote to memory of 1568	2400	{4E64E034-8386-4898-A821-FC94B101566E}.exe	{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe
PID 2400 wrote to memory of 1568	2400	{4E64E034-8386-4898-A821-FC94B101566E}.exe	{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe
PID 2400 wrote to memory of 4308	2400	{4E64E034-8386-4898-A821-FC94B101566E}.exe	cmd.exe
PID 2400 wrote to memory of 4308	2400	{4E64E034-8386-4898-A821-FC94B101566E}.exe	cmd.exe
PID 2400 wrote to memory of 4308	2400	{4E64E034-8386-4898-A821-FC94B101566E}.exe	cmd.exe
PID 1568 wrote to memory of 3972	1568	{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe	{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe
PID 1568 wrote to memory of 3972	1568	{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe	{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe
PID 1568 wrote to memory of 3972	1568	{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe	{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe
PID 1568 wrote to memory of 4504	1568	{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe	cmd.exe
PID 1568 wrote to memory of 4504	1568	{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe	cmd.exe
PID 1568 wrote to memory of 4504	1568	{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe	cmd.exe
PID 3972 wrote to memory of 4304	3972	{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe	{52EE5A8E-3558-432e-B1D0-123836364026}.exe
PID 3972 wrote to memory of 4304	3972	{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe	{52EE5A8E-3558-432e-B1D0-123836364026}.exe
PID 3972 wrote to memory of 4304	3972	{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe	{52EE5A8E-3558-432e-B1D0-123836364026}.exe
PID 3972 wrote to memory of 4032	3972	{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe	cmd.exe
PID 3972 wrote to memory of 4032	3972	{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe	cmd.exe
PID 3972 wrote to memory of 4032	3972	{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe	cmd.exe
PID 4304 wrote to memory of 2588	4304	{52EE5A8E-3558-432e-B1D0-123836364026}.exe	{E6FA2945-3D47-4861-9E7F-02EE821337A4}.exe
PID 4304 wrote to memory of 2588	4304	{52EE5A8E-3558-432e-B1D0-123836364026}.exe	{E6FA2945-3D47-4861-9E7F-02EE821337A4}.exe
PID 4304 wrote to memory of 2588	4304	{52EE5A8E-3558-432e-B1D0-123836364026}.exe	{E6FA2945-3D47-4861-9E7F-02EE821337A4}.exe
PID 4304 wrote to memory of 4484	4304	{52EE5A8E-3558-432e-B1D0-123836364026}.exe	cmd.exe
PID 4304 wrote to memory of 4484	4304	{52EE5A8E-3558-432e-B1D0-123836364026}.exe	cmd.exe
PID 4304 wrote to memory of 4484	4304	{52EE5A8E-3558-432e-B1D0-123836364026}.exe	cmd.exe
PID 4296 wrote to memory of 860	4296	{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe	{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe
PID 4296 wrote to memory of 860	4296	{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe	{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe
PID 4296 wrote to memory of 860	4296	{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe	{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe
PID 4296 wrote to memory of 3324	4296	{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe	cmd.exe
PID 4296 wrote to memory of 3324	4296	{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe	cmd.exe
PID 4296 wrote to memory of 3324	4296	{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe	cmd.exe
PID 860 wrote to memory of 692	860	{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe	{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe
PID 860 wrote to memory of 692	860	{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe	{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe
PID 860 wrote to memory of 692	860	{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe	{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe
PID 860 wrote to memory of 1380	860	{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe	cmd.exe
PID 860 wrote to memory of 1380	860	{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe	cmd.exe
PID 860 wrote to memory of 1380	860	{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe	cmd.exe
PID 692 wrote to memory of 3908	692	{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe	{4D932B9D-9330-4389-8986-3B869C9589D8}.exe
PID 692 wrote to memory of 3908	692	{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe	{4D932B9D-9330-4389-8986-3B869C9589D8}.exe
PID 692 wrote to memory of 3908	692	{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe	{4D932B9D-9330-4389-8986-3B869C9589D8}.exe
PID 692 wrote to memory of 4680	692	{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_d84144c2408c9957bcb881f3bb1cda75_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe
C:\Windows\{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe
C:\Windows\{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{00FB6~1.EXE > nul
4⤵
PID:4660

C:\Windows\{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe
C:\Windows\{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\{4E64E034-8386-4898-A821-FC94B101566E}.exe
C:\Windows\{4E64E034-8386-4898-A821-FC94B101566E}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4E64E~1.EXE > nul
6⤵
PID:4308

C:\Windows\{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe
C:\Windows\{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe
C:\Windows\{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\{52EE5A8E-3558-432e-B1D0-123836364026}.exe
C:\Windows\{52EE5A8E-3558-432e-B1D0-123836364026}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\{E6FA2945-3D47-4861-9E7F-02EE821337A4}.exe
C:\Windows\{E6FA2945-3D47-4861-9E7F-02EE821337A4}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
PID:2588

C:\Windows\{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe
C:\Windows\{5A3B4093-7B9D-4885-8357-BCA903661FB6}.exe
10⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe
C:\Windows\{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EE03F~1.EXE > nul
12⤵
PID:1380

C:\Windows\{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe
C:\Windows\{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\{4D932B9D-9330-4389-8986-3B869C9589D8}.exe
C:\Windows\{4D932B9D-9330-4389-8986-3B869C9589D8}.exe
13⤵
- Executes dropped EXE
PID:3908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{19F28~1.EXE > nul
13⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5A3B4~1.EXE > nul
11⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E6FA2~1.EXE > nul
10⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{52EE5~1.EXE > nul
9⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1ED43~1.EXE > nul
8⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{527CC~1.EXE > nul
7⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5DBD3~1.EXE > nul
5⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{45B7A~1.EXE > nul
3⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00FB6E8D-5126-4146-A632-417765A8F4D2}.exe

Filesize
372KB

MD5
f341b67e7d8feea70cbbb559243cc789

SHA1
e91e7983566d870bef13bb13261fbd6123695ec9

SHA256
7f35837d42bae05b21fff5611d8a3a0452776c775ab4e6a620d2754b2b09f4ad

SHA512
0b4fc4576e2eabac1edc05f15d894cc285d7e62342ecccd76a88bb5b200d2fb41fbfd5719159f2d6589337877f3dcf5fff0cb0313eda27fc91568930a73b9b2d

Download Submit
C:\Windows\{19F2897C-8DA2-4754-ACA9-6F675E21BE08}.exe

Filesize
372KB

MD5
75e036e6b2340266944273c4f5bb2a50

SHA1
1ec6c677a6ca4058a80518f5b734b38b36ff6916

SHA256
f657dc438f58c8692c833e69924cc779fa68d015c099e78dc83a44dd756dc372

SHA512
7cf36f19a6510a1ba31afe7b8cf1360140cdc8e87865689239c538f1af02bb8d08d0a5ef6ee0fa2b483ce33f27b1172f4a308fecc04a4ae14e36b3a26e0533e1

Download Submit
C:\Windows\{1ED43389-7523-494a-A0A5-D501CEA0A202}.exe

Filesize
372KB

MD5
d7de18e7cfdb4e93c3bac348cfc31104

SHA1
e89c301b827c159f25a2548057e9389c44e59293

SHA256
5b130b05ff0c97f6f6a1510c56906af6484e97e5620a2016c36e667bcc4f5716

SHA512
ca5a7c278d651b1cd6e60592f57962ed4ff62bdca57b31563e1ec6ccf56bc95372e07873e5f47a03ba0ee6c05480ef48846c0c41349057e37b053762779fc638

Download Submit
C:\Windows\{45B7A694-D2B1-40a6-981B-063A61BA968E}.exe

Filesize
372KB

MD5
474bbbf2b2fd8972c3754a46ea6cede6

SHA1
44b84715ada28b0e06d21475b51e8e6243615c58

SHA256
aa1a41ed5e9fbb083c53a8343e0474ea827cf78d203f221e1b8dba5201f18115

SHA512
6bf122470d70db61971ad21ef87bcc94f015a708d6266ff208a15d4b1dc2b2efec89feff698f50b2a8f17b2f59b9e1518a990fc056879d9bc8ac653962d1b4e9

Download Submit
C:\Windows\{4D932B9D-9330-4389-8986-3B869C9589D8}.exe

Filesize
372KB

MD5
cbaf9eb6c97904e6f63ca1bee5b9299b

SHA1
81af9fafeb140451dccd86d6f38969fc8e57e475

SHA256
1379f4caf448afc54674a53dda69967f2ded9cbdb728beaa4ec7b785b72bcf9c

SHA512
7be08f4f02c8f33a856c4737ecb94dd4c98dd73a0a8a309eeb44c7c9967383d9018ef8f6d0aef274886a29ee18125561b29ed672e752e9ac01700031fff7015b

Download Submit
C:\Windows\{4E64E034-8386-4898-A821-FC94B101566E}.exe

Filesize
372KB

MD5
69b164a5cb4886f120ba414a834ecb0b

SHA1
50d9829a294ed78288e82b3a2d05b749b0c71428

SHA256
f6fa6189df7a24d0376b0e338a6d8c677db0b4a35ca66d8fd38efd1bc97088b9

SHA512
3ed2ca7116c002efd684cf08def3651fbac358d1563bfe18eebec9c64cc8ba59931d0ba924bb9eda3b8f5c15d8fc0c1bd1b5ec4b0cedf8346030e90434ec5539

Download Submit
C:\Windows\{527CC80B-07D0-4de4-A28B-3DA1E38E6759}.exe

Filesize
372KB

MD5
37e12504e1fe6bbc78d72e1fb5a9c03a

SHA1
cd72001d9737e656950d60af1cf7017786df1ed7

SHA256
12567a2757e2099f8a21c345b47d49f059cb5aed3d897615c55eb44e0fc567fa

SHA512
269d6f5aa813b3ccbc752c046c25bbf33073f587f8fddc84d84a81110c7b9f1ff563c9bd912e83be84c07d073a0a9ea1f052963504571958183f0b1750c31e97

Download Submit
C:\Windows\{52EE5A8E-3558-432e-B1D0-123836364026}.exe

Filesize
372KB

MD5
05091fab58a6492bb254a740c57881e3

SHA1
830c4a7a9fefa3564877a848760547b1071f9aa9

SHA256
b8cbe084478c1961aed21f76636f6ed5cc4a4b946dd93f84849a54b72ba80af0

SHA512
5bde16a7875e5ecba1c4ccc738bc749afc21b6149ee9c2dc4aa369c5c8b2cb6dd48babd92be6b36223f7d92b7fdf0f5bd6b8786131638837982aa50ef14e2fea

Download Submit
C:\Windows\{5DBD3AEC-6578-408f-8F29-7E1E3E06EA70}.exe

Filesize
372KB

MD5
8f5d4733cacb38c4b6faa417bb5fb08f

SHA1
e5f385379297fa6fdeeb30df318c976eac64e0a7

SHA256
ce0d3239e7625d1eb7366820e6fe40090fc6136507ae4887e9e63bfe7f1cd15b

SHA512
1ddf65380431e21a2d7bf4ccc805c94a3e72bb45f9e30c26822979f2516cc45e8b49b4f24e7fc2f841cce7c6dbdf73de9329b4543ca9c43cb0c4e3754e3fb0b5

Download Submit
C:\Windows\{E6FA2945-3D47-4861-9E7F-02EE821337A4}.exe

Filesize
372KB

MD5
c847c0502b01c750b8e793ca90e57226

SHA1
ffc89fceb88ed6e1c14f3be916aeda9599d02300

SHA256
1e39eb28f4c34e5b8b599ad6e0a5ce31f7f6f17268c401814f248038741b8bc5

SHA512
795c90306588b6cf297f0dc0741df2b4d27680f063f11fadb6482ddedc94081dd64616776b9c6a4b3aea1691fe11308db7a9104e1298b7b73f748297a15be931

Download Submit
C:\Windows\{EE03FC49-45F5-49e9-B834-7C2D98320244}.exe

Filesize
372KB

MD5
35dd7cc0cd5f198fcb2c0f473e50fa00

SHA1
8c96db3304589d20381cf65ea4dc109a42cce1f0

SHA256
517c7bdd5af858caa341dc4c39c2be16842ec2ec660052a2b8809ac4dfe96d2d

SHA512
e4ec8c46fe154ae47afbd13b8cb677a95d363194547f4622bf75ec168130da77e224db0dbc511baa1d80c904c25ffba576459ce99c1791b4fb738e1ac07d4ef8

Download Submit