a54dcdd129b4014f5e38eed46d403d59acc3b308c6a413d711173d176ad19bbb

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe
Size

180KB
MD5

199298ada80a8c0568fae6c336e416b8
SHA1

7f11bd86eadf780547efb71dc7865c13305649cb
SHA256

a54dcdd129b4014f5e38eed46d403d59acc3b308c6a413d711173d176ad19bbb
SHA512

81df8a0b71499774963515e10ddfaec186f3810a1f5bfcbb993e2c7f8922ebaa75527aafb73f4a22dc444fd51d0bff46ee69537e82c3fdbd380526d4194c7350
SSDEEP

3072:jEGh0oGlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG8l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{79779A2E-09B2-46f3-9D36-DC9C60CE7A65}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}.exe2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}.exe{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79779A2E-09B2-46f3-9D36-DC9C60CE7A65}	{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8491B41D-567C-42c1-829F-6036CBC8D8ED}	2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}\stubpath = "C:\\Windows\\{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe"	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}\stubpath = "C:\\Windows\\{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe"	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}	{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95D3A503-24C5-4e8f-A319-FFC9A174B76A}\stubpath = "C:\\Windows\\{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe"	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E166B0B6-093F-4999-BA04-C6EAC0DEF902}\stubpath = "C:\\Windows\\{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe"	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}	{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}\stubpath = "C:\\Windows\\{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe"	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19201695-F4AF-41be-AB3B-5437CF13C0D5}	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19201695-F4AF-41be-AB3B-5437CF13C0D5}\stubpath = "C:\\Windows\\{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe"	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8491B41D-567C-42c1-829F-6036CBC8D8ED}\stubpath = "C:\\Windows\\{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe"	2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}\stubpath = "C:\\Windows\\{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe"	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95D3A503-24C5-4e8f-A319-FFC9A174B76A}	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E166B0B6-093F-4999-BA04-C6EAC0DEF902}	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}\stubpath = "C:\\Windows\\{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}.exe"	{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}\stubpath = "C:\\Windows\\{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}.exe"	{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79779A2E-09B2-46f3-9D36-DC9C60CE7A65}\stubpath = "C:\\Windows\\{79779A2E-09B2-46f3-9D36-DC9C60CE7A65}.exe"	{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2000 cmd.exe

pid	process
2000	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}.exe{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}.exe{79779A2E-09B2-46f3-9D36-DC9C60CE7A65}.exe

pid	process
1960	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe
2956	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe
2516	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe
2472	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe
2688	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe
604	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe
2068	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe
900	{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe
1240	{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}.exe
2360	{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}.exe
1656	{79779A2E-09B2-46f3-9D36-DC9C60CE7A65}.exe

Drops file in Windows directory 11 IoCs

Processes:

{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}.exe{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}.exe2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe

description	ioc	process
File created	C:\Windows\{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe
File created	C:\Windows\{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe
File created	C:\Windows\{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}.exe	{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe
File created	C:\Windows\{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe
File created	C:\Windows\{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe
File created	C:\Windows\{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe
File created	C:\Windows\{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}.exe	{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}.exe
File created	C:\Windows\{79779A2E-09B2-46f3-9D36-DC9C60CE7A65}.exe	{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}.exe
File created	C:\Windows\{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe	2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe
File created	C:\Windows\{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe
File created	C:\Windows\{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}.exe{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2016	2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1960	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe
Token: SeIncBasePriorityPrivilege	2956	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe
Token: SeIncBasePriorityPrivilege	2516	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe
Token: SeIncBasePriorityPrivilege	2472	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe
Token: SeIncBasePriorityPrivilege	2688	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe
Token: SeIncBasePriorityPrivilege	604	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe
Token: SeIncBasePriorityPrivilege	2068	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe
Token: SeIncBasePriorityPrivilege	900	{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe
Token: SeIncBasePriorityPrivilege	1240	{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}.exe
Token: SeIncBasePriorityPrivilege	2360	{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2016 wrote to memory of 1960	2016	2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe
PID 2016 wrote to memory of 1960	2016	2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe
PID 2016 wrote to memory of 1960	2016	2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe
PID 2016 wrote to memory of 1960	2016	2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe
PID 2016 wrote to memory of 2000	2016	2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe	cmd.exe
PID 2016 wrote to memory of 2000	2016	2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe	cmd.exe
PID 2016 wrote to memory of 2000	2016	2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe	cmd.exe
PID 2016 wrote to memory of 2000	2016	2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe	cmd.exe
PID 1960 wrote to memory of 2956	1960	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe
PID 1960 wrote to memory of 2956	1960	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe
PID 1960 wrote to memory of 2956	1960	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe
PID 1960 wrote to memory of 2956	1960	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe
PID 1960 wrote to memory of 2948	1960	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe	cmd.exe
PID 1960 wrote to memory of 2948	1960	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe	cmd.exe
PID 1960 wrote to memory of 2948	1960	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe	cmd.exe
PID 1960 wrote to memory of 2948	1960	{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe	cmd.exe
PID 2956 wrote to memory of 2516	2956	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe
PID 2956 wrote to memory of 2516	2956	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe
PID 2956 wrote to memory of 2516	2956	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe
PID 2956 wrote to memory of 2516	2956	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe
PID 2956 wrote to memory of 2556	2956	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe	cmd.exe
PID 2956 wrote to memory of 2556	2956	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe	cmd.exe
PID 2956 wrote to memory of 2556	2956	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe	cmd.exe
PID 2956 wrote to memory of 2556	2956	{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe	cmd.exe
PID 2516 wrote to memory of 2472	2516	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe
PID 2516 wrote to memory of 2472	2516	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe
PID 2516 wrote to memory of 2472	2516	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe
PID 2516 wrote to memory of 2472	2516	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe
PID 2516 wrote to memory of 1920	2516	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe	cmd.exe
PID 2516 wrote to memory of 1920	2516	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe	cmd.exe
PID 2516 wrote to memory of 1920	2516	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe	cmd.exe
PID 2516 wrote to memory of 1920	2516	{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe	cmd.exe
PID 2472 wrote to memory of 2688	2472	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe
PID 2472 wrote to memory of 2688	2472	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe
PID 2472 wrote to memory of 2688	2472	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe
PID 2472 wrote to memory of 2688	2472	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe
PID 2472 wrote to memory of 2928	2472	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe	cmd.exe
PID 2472 wrote to memory of 2928	2472	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe	cmd.exe
PID 2472 wrote to memory of 2928	2472	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe	cmd.exe
PID 2472 wrote to memory of 2928	2472	{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe	cmd.exe
PID 2688 wrote to memory of 604	2688	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe
PID 2688 wrote to memory of 604	2688	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe
PID 2688 wrote to memory of 604	2688	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe
PID 2688 wrote to memory of 604	2688	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe
PID 2688 wrote to memory of 1196	2688	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe	cmd.exe
PID 2688 wrote to memory of 1196	2688	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe	cmd.exe
PID 2688 wrote to memory of 1196	2688	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe	cmd.exe
PID 2688 wrote to memory of 1196	2688	{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe	cmd.exe
PID 604 wrote to memory of 2068	604	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe
PID 604 wrote to memory of 2068	604	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe
PID 604 wrote to memory of 2068	604	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe
PID 604 wrote to memory of 2068	604	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe
PID 604 wrote to memory of 2500	604	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe	cmd.exe
PID 604 wrote to memory of 2500	604	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe	cmd.exe
PID 604 wrote to memory of 2500	604	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe	cmd.exe
PID 604 wrote to memory of 2500	604	{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe	cmd.exe
PID 2068 wrote to memory of 900	2068	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe	{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe
PID 2068 wrote to memory of 900	2068	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe	{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe
PID 2068 wrote to memory of 900	2068	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe	{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe
PID 2068 wrote to memory of 900	2068	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe	{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe
PID 2068 wrote to memory of 1496	2068	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe	cmd.exe
PID 2068 wrote to memory of 1496	2068	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe	cmd.exe
PID 2068 wrote to memory of 1496	2068	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe	cmd.exe
PID 2068 wrote to memory of 1496	2068	{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_199298ada80a8c0568fae6c336e416b8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe
C:\Windows\{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe
C:\Windows\{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe
C:\Windows\{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe
C:\Windows\{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe
C:\Windows\{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe
C:\Windows\{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe
C:\Windows\{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe
C:\Windows\{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}.exe
C:\Windows\{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}.exe
C:\Windows\{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\{79779A2E-09B2-46f3-9D36-DC9C60CE7A65}.exe
C:\Windows\{79779A2E-09B2-46f3-9D36-DC9C60CE7A65}.exe
12⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F662B~1.EXE > nul
12⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E6DE2~1.EXE > nul
11⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{19201~1.EXE > nul
10⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E166B~1.EXE > nul
9⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{95D3A~1.EXE > nul
8⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{428A1~1.EXE > nul
7⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DC3E0~1.EXE > nul
6⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5FA2A~1.EXE > nul
5⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EF0E2~1.EXE > nul
4⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8491B~1.EXE > nul
3⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19201695-F4AF-41be-AB3B-5437CF13C0D5}.exe

Filesize
180KB

MD5
6dbd6fed40d800dc491573be1b8ee8e0

SHA1
ba3cd3a852b942751febfc27d6164633ab72b5d7

SHA256
f94d10f344fd6530642915a2025cd75578cce17d1655464a75cb631a89a0bcf3

SHA512
21d713c505b6c25a4a08b2197ac910cafbf61f62d7945e2ff86fe93073001ced6c9dddbd2d53292160f4344ae2e85cdf1f69bd3932bfa412e481cb80166f6422

Download Submit
C:\Windows\{428A189E-C173-4dd9-9A79-F9BC93EAD3A6}.exe

Filesize
180KB

MD5
97cbd346ced70d69ba4bc09713db941d

SHA1
7a3d96034a6364cb5f2fb1d155d1eea6280d896f

SHA256
2c59c3a5d3509afda2c0e298b1a488d234d28edccf2476de5455a55d2e25e097

SHA512
f3820c517d83eca75a1912c6b2f4cfd2a6eef7986ebac1ee0b1ef3bee95c4dbc2a87da9e1b711831735c3cb11a1ab01915f65cc0337acdec4b1dd6672668371b

Download Submit
C:\Windows\{5FA2A140-4682-4ef1-A154-FC2A597A2E9A}.exe

Filesize
180KB

MD5
4379c4e66ffc4814ce5b43c65b368b08

SHA1
63142136b29905d02b84844cf0b99bc25f4b9671

SHA256
2a272daa33b3007ef0677277333822ee202eaa5bff831275a77cd81a47a94302

SHA512
c9f0c58ad43348447ec190c2a9ad85696b393980923dd5d170a2c8f882700660cc6c43f818cc02ff8f80461789eaa657376fc40450299fef237df2f215f160f0

Download Submit
C:\Windows\{79779A2E-09B2-46f3-9D36-DC9C60CE7A65}.exe

Filesize
180KB

MD5
5746b642018145bc1fa2ba9d977aaaeb

SHA1
03114f806a851a70010ae6ef1f36b3544dbcf26e

SHA256
56736bf87cacdceef677f3eceab9627452e9aacd7c40fc0e630c3770027d9a9a

SHA512
4826c3b2f426972c3cd60a53d27891f6a706a7236cf9a7f5ee1b2f1f2f734647570ae278f2c2632c8f8cfeec82c9357b66209b070a140e9ba50786afce24d12d

Download Submit
C:\Windows\{8491B41D-567C-42c1-829F-6036CBC8D8ED}.exe

Filesize
180KB

MD5
5714d10c27a654cc86d95b752a70ab50

SHA1
42156244f19fde7bdb2ca3da54db8889611597b4

SHA256
09e92ab8b8f59df0a120f7f80408f1f21c551525dd047a9872788b48903a18fe

SHA512
6e290427991d19329d6e2ce30d7a36e6aca4736084029a928fd300c9c83cda5b733f1f0a16278f0a9acc5559c8bbd245c3ca80b12b10d56a3aaba6a948870ca2

Download Submit
C:\Windows\{95D3A503-24C5-4e8f-A319-FFC9A174B76A}.exe

Filesize
180KB

MD5
a808a8752d3630ba1b0d5e0776552605

SHA1
a575d6a29974d1c6e545da58ec3b54537b242944

SHA256
f4f2f1139cef685642aab407297f0ca15e00a0552a3a1be3d703c25da2891ec3

SHA512
b8f0f2c71d7941e3f311633a51ca267bb11d85ac3af86e9893272a345e12e742dad7409a865be3d84f9c85bf36737c28204fdd1c971cccca228af4a6b48e697f

Download Submit
C:\Windows\{DC3E0113-96FD-417a-AA6B-C53587EC2BB6}.exe

Filesize
180KB

MD5
cca5a842f27c90a06b7adcd307712931

SHA1
74a32d49819b14c914f3ddd474551702bb264b42

SHA256
5de3fa99a6948477a62bbb7dfeaaf84d2742b189d0e3778e8336fdaf5e771087

SHA512
866c7b27ff5d9fcdb5004fae1defa32cdd632533308ae2c1162913b40bd979a17f567160680baaee0f78d74ee7cc7b2a34b73918096e74a4c0fdce942f06634d

Download Submit
C:\Windows\{E166B0B6-093F-4999-BA04-C6EAC0DEF902}.exe

Filesize
180KB

MD5
f030baca138eda0bb0308c3adaca9215

SHA1
1cbf0f23f6f6e6c592cc30c11678c010ec16f528

SHA256
4e56d94f441aeeb1d434b78f9f3140113dbe085b5c1b8189fa7ff94431b10810

SHA512
5a8b24a73e709bc5a1e1c5c772460ff1e26ccd1a72e7ab43b0784d4611cbe244830bb793088cc090d6b367993150fcd2f82e4439bfe9be999eb515c044aa8ca2

Download Submit
C:\Windows\{E6DE2012-9B32-4c66-8DD8-F0738B63F9AB}.exe

Filesize
180KB

MD5
406a9f59ce6e5d9854cf68161729031e

SHA1
54e191f8a697122290bf488acd73e1ba2495bd17

SHA256
925d9f5e0eaf753bf8332a5dac9dd2f10a871f27beb0e6bf52c3a5d7f6c7b3bb

SHA512
aa71884c792ab79f47ec941aa669b0735cf371c680efda531e06788c411fafe3b82482515962cae5093a95e66a18af341c83473e6ea244536aabce67cb817060

Download Submit
C:\Windows\{EF0E275D-FABA-4781-B386-DC3EBCCC34D1}.exe

Filesize
180KB

MD5
ea172ac95d797902ba8ade6a0cb23871

SHA1
c0beeb9f56939331b3a82e47eb5be7f68d5d6544

SHA256
4283d955d1b820bd7418a3537fb4d4b1af6bf889c3a0a4d118156dd9812f75f5

SHA512
48240de71bc426ede3d003d6237ed49043a5db5d07b5dfc3e2f5c06553a79a30740cf86fe1ee037994880843fc39ed70ad9c473320c155978454621ca8fd73f7

Download Submit
C:\Windows\{F662BDA2-C4E3-4bc2-9D08-C78CAE8FDA4F}.exe

Filesize
180KB

MD5
33ffa0f1d0e6eb5fa697b46c33fb1f51

SHA1
be3593b4478225b3e51acd9f008566807d55ef18

SHA256
dafab766ff1eb0ea3e57f5e4b9c4392067215aa3e5225bb30e52161e306a23d1

SHA512
41d2a0cb2ad876f491caa99df4ffa28799184a5da58fc30be8b516c6bd906088c9f86ca2af50fe64358611426f6e2bf125a4e3671a9bbe62126d1a824a5ea898

Download Submit