938c761a7c1963ec4e0672a09a4b6b85535340f94fdad497d688d1cfb25c6e87

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe
Size

380KB
MD5

2f1c59e283dd639eaf00ebd8fd94072d
SHA1

535e29e5a55a10c331f6f48ace92db10df7dd043
SHA256

938c761a7c1963ec4e0672a09a4b6b85535340f94fdad497d688d1cfb25c6e87
SHA512

59a3efeb29a592cf403d8a00a2eea3f93c6b1dadd76551f300d732f0892912fc20a3499946f6c50fa5b4e4c8da2aec4b547e190a610ac692dc8bf53dd176fe5a
SSDEEP

3072:mEGh0oClPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGcl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{92A43152-F534-4507-B0E3-4942729BD310}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{420B0E76-AA7A-456b-9EFD-D920993B7820}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{45AA014B-11C0-4ae3-B44A-7D59C995FBB5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe{420B0E76-AA7A-456b-9EFD-D920993B7820}.exe{92A43152-F534-4507-B0E3-4942729BD310}.exe{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97C1A92C-9B17-4778-A36C-363B8AFCD942}	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}	{420B0E76-AA7A-456b-9EFD-D920993B7820}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}\stubpath = "C:\\Windows\\{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}.exe"	{420B0E76-AA7A-456b-9EFD-D920993B7820}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0E1128A-2A1A-4149-938B-AF3BA41F2774}	{92A43152-F534-4507-B0E3-4942729BD310}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{420B0E76-AA7A-456b-9EFD-D920993B7820}\stubpath = "C:\\Windows\\{420B0E76-AA7A-456b-9EFD-D920993B7820}.exe"	{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}\stubpath = "C:\\Windows\\{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe"	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}\stubpath = "C:\\Windows\\{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe"	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92A43152-F534-4507-B0E3-4942729BD310}	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45AA014B-11C0-4ae3-B44A-7D59C995FBB5}	{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45AA014B-11C0-4ae3-B44A-7D59C995FBB5}\stubpath = "C:\\Windows\\{45AA014B-11C0-4ae3-B44A-7D59C995FBB5}.exe"	{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97C1A92C-9B17-4778-A36C-363B8AFCD942}\stubpath = "C:\\Windows\\{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe"	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{420B0E76-AA7A-456b-9EFD-D920993B7820}	{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}\stubpath = "C:\\Windows\\{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe"	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}\stubpath = "C:\\Windows\\{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe"	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}\stubpath = "C:\\Windows\\{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe"	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92A43152-F534-4507-B0E3-4942729BD310}\stubpath = "C:\\Windows\\{92A43152-F534-4507-B0E3-4942729BD310}.exe"	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0E1128A-2A1A-4149-938B-AF3BA41F2774}\stubpath = "C:\\Windows\\{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe"	{92A43152-F534-4507-B0E3-4942729BD310}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2872 cmd.exe

pid	process
2872	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe{92A43152-F534-4507-B0E3-4942729BD310}.exe{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe{420B0E76-AA7A-456b-9EFD-D920993B7820}.exe{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}.exe{45AA014B-11C0-4ae3-B44A-7D59C995FBB5}.exe

pid	process
1936	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe
2608	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe
2720	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe
2580	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe
956	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe
1700	{92A43152-F534-4507-B0E3-4942729BD310}.exe
1076	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe
1376	{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe
2712	{420B0E76-AA7A-456b-9EFD-D920993B7820}.exe
2268	{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}.exe
1576	{45AA014B-11C0-4ae3-B44A-7D59C995FBB5}.exe

Drops file in Windows directory 11 IoCs

Processes:

{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}.exe2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe{92A43152-F534-4507-B0E3-4942729BD310}.exe{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe{420B0E76-AA7A-456b-9EFD-D920993B7820}.exe

description	ioc	process
File created	C:\Windows\{45AA014B-11C0-4ae3-B44A-7D59C995FBB5}.exe	{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}.exe
File created	C:\Windows\{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe
File created	C:\Windows\{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe
File created	C:\Windows\{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe
File created	C:\Windows\{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe	{92A43152-F534-4507-B0E3-4942729BD310}.exe
File created	C:\Windows\{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe
File created	C:\Windows\{420B0E76-AA7A-456b-9EFD-D920993B7820}.exe	{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe
File created	C:\Windows\{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe
File created	C:\Windows\{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe
File created	C:\Windows\{92A43152-F534-4507-B0E3-4942729BD310}.exe	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe
File created	C:\Windows\{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}.exe	{420B0E76-AA7A-456b-9EFD-D920993B7820}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe{92A43152-F534-4507-B0E3-4942729BD310}.exe{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe{420B0E76-AA7A-456b-9EFD-D920993B7820}.exe{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2544	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1936	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe
Token: SeIncBasePriorityPrivilege	2608	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe
Token: SeIncBasePriorityPrivilege	2720	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe
Token: SeIncBasePriorityPrivilege	2580	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe
Token: SeIncBasePriorityPrivilege	956	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe
Token: SeIncBasePriorityPrivilege	1700	{92A43152-F534-4507-B0E3-4942729BD310}.exe
Token: SeIncBasePriorityPrivilege	1076	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe
Token: SeIncBasePriorityPrivilege	1376	{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe
Token: SeIncBasePriorityPrivilege	2712	{420B0E76-AA7A-456b-9EFD-D920993B7820}.exe
Token: SeIncBasePriorityPrivilege	2268	{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2544 wrote to memory of 1936	2544	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe
PID 2544 wrote to memory of 1936	2544	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe
PID 2544 wrote to memory of 1936	2544	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe
PID 2544 wrote to memory of 1936	2544	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe
PID 2544 wrote to memory of 2872	2544	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe	cmd.exe
PID 2544 wrote to memory of 2872	2544	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe	cmd.exe
PID 2544 wrote to memory of 2872	2544	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe	cmd.exe
PID 2544 wrote to memory of 2872	2544	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe	cmd.exe
PID 1936 wrote to memory of 2608	1936	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe
PID 1936 wrote to memory of 2608	1936	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe
PID 1936 wrote to memory of 2608	1936	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe
PID 1936 wrote to memory of 2608	1936	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe
PID 1936 wrote to memory of 2676	1936	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe	cmd.exe
PID 1936 wrote to memory of 2676	1936	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe	cmd.exe
PID 1936 wrote to memory of 2676	1936	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe	cmd.exe
PID 1936 wrote to memory of 2676	1936	{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe	cmd.exe
PID 2608 wrote to memory of 2720	2608	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe
PID 2608 wrote to memory of 2720	2608	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe
PID 2608 wrote to memory of 2720	2608	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe
PID 2608 wrote to memory of 2720	2608	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe
PID 2608 wrote to memory of 2744	2608	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe	cmd.exe
PID 2608 wrote to memory of 2744	2608	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe	cmd.exe
PID 2608 wrote to memory of 2744	2608	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe	cmd.exe
PID 2608 wrote to memory of 2744	2608	{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe	cmd.exe
PID 2720 wrote to memory of 2580	2720	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe
PID 2720 wrote to memory of 2580	2720	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe
PID 2720 wrote to memory of 2580	2720	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe
PID 2720 wrote to memory of 2580	2720	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe
PID 2720 wrote to memory of 2692	2720	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe	cmd.exe
PID 2720 wrote to memory of 2692	2720	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe	cmd.exe
PID 2720 wrote to memory of 2692	2720	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe	cmd.exe
PID 2720 wrote to memory of 2692	2720	{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe	cmd.exe
PID 2580 wrote to memory of 956	2580	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe
PID 2580 wrote to memory of 956	2580	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe
PID 2580 wrote to memory of 956	2580	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe
PID 2580 wrote to memory of 956	2580	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe
PID 2580 wrote to memory of 936	2580	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe	cmd.exe
PID 2580 wrote to memory of 936	2580	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe	cmd.exe
PID 2580 wrote to memory of 936	2580	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe	cmd.exe
PID 2580 wrote to memory of 936	2580	{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe	cmd.exe
PID 956 wrote to memory of 1700	956	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe	{92A43152-F534-4507-B0E3-4942729BD310}.exe
PID 956 wrote to memory of 1700	956	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe	{92A43152-F534-4507-B0E3-4942729BD310}.exe
PID 956 wrote to memory of 1700	956	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe	{92A43152-F534-4507-B0E3-4942729BD310}.exe
PID 956 wrote to memory of 1700	956	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe	{92A43152-F534-4507-B0E3-4942729BD310}.exe
PID 956 wrote to memory of 1512	956	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe	cmd.exe
PID 956 wrote to memory of 1512	956	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe	cmd.exe
PID 956 wrote to memory of 1512	956	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe	cmd.exe
PID 956 wrote to memory of 1512	956	{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe	cmd.exe
PID 1700 wrote to memory of 1076	1700	{92A43152-F534-4507-B0E3-4942729BD310}.exe	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe
PID 1700 wrote to memory of 1076	1700	{92A43152-F534-4507-B0E3-4942729BD310}.exe	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe
PID 1700 wrote to memory of 1076	1700	{92A43152-F534-4507-B0E3-4942729BD310}.exe	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe
PID 1700 wrote to memory of 1076	1700	{92A43152-F534-4507-B0E3-4942729BD310}.exe	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe
PID 1700 wrote to memory of 2436	1700	{92A43152-F534-4507-B0E3-4942729BD310}.exe	cmd.exe
PID 1700 wrote to memory of 2436	1700	{92A43152-F534-4507-B0E3-4942729BD310}.exe	cmd.exe
PID 1700 wrote to memory of 2436	1700	{92A43152-F534-4507-B0E3-4942729BD310}.exe	cmd.exe
PID 1700 wrote to memory of 2436	1700	{92A43152-F534-4507-B0E3-4942729BD310}.exe	cmd.exe
PID 1076 wrote to memory of 1376	1076	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe	{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe
PID 1076 wrote to memory of 1376	1076	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe	{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe
PID 1076 wrote to memory of 1376	1076	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe	{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe
PID 1076 wrote to memory of 1376	1076	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe	{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe
PID 1076 wrote to memory of 1412	1076	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe	cmd.exe
PID 1076 wrote to memory of 1412	1076	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe	cmd.exe
PID 1076 wrote to memory of 1412	1076	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe	cmd.exe
PID 1076 wrote to memory of 1412	1076	{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe
C:\Windows\{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe
C:\Windows\{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe
C:\Windows\{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6C838~1.EXE > nul
5⤵
PID:2692

C:\Windows\{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe
C:\Windows\{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DF676~1.EXE > nul
6⤵
PID:936

C:\Windows\{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe
C:\Windows\{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\{92A43152-F534-4507-B0E3-4942729BD310}.exe
C:\Windows\{92A43152-F534-4507-B0E3-4942729BD310}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe
C:\Windows\{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe
C:\Windows\{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{97C1A~1.EXE > nul
10⤵
PID:2240

C:\Windows\{420B0E76-AA7A-456b-9EFD-D920993B7820}.exe
C:\Windows\{420B0E76-AA7A-456b-9EFD-D920993B7820}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{420B0~1.EXE > nul
11⤵
PID:668

C:\Windows\{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}.exe
C:\Windows\{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B7CCE~1.EXE > nul
12⤵
PID:2988

C:\Windows\{45AA014B-11C0-4ae3-B44A-7D59C995FBB5}.exe
C:\Windows\{45AA014B-11C0-4ae3-B44A-7D59C995FBB5}.exe
12⤵
- Executes dropped EXE
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D0E11~1.EXE > nul
9⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{92A43~1.EXE > nul
8⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{704FC~1.EXE > nul
7⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2F8DD~1.EXE > nul
4⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5B613~1.EXE > nul
3⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2F8DD4B9-63C5-4c72-828D-8DB915A79FB6}.exe

Filesize
380KB

MD5
63ff907e9c75fab2f745da4afc96ab78

SHA1
c0f4aa50f23dda43989f7a90031246a2d875e6ea

SHA256
fec383f5f817a5bb08a70ac81c1134f612418cce094de8824361e74803b93b9f

SHA512
dd37e89a0bd1575b96830afa0058bdda87c4d68425a4d0189c507cd6381994146a19f2db866b42d478a4d2c101127cc630976d24da6936cd94780d721344009d

Download Submit
C:\Windows\{420B0E76-AA7A-456b-9EFD-D920993B7820}.exe

Filesize
380KB

MD5
2f61216f6de22f2aa09e3c70e7dfd53f

SHA1
c662bf10c76b450d9b8017937e9abb5996a7daa8

SHA256
dea4f355fedbd74fd91382421725576a4a7c8e845eb12442bba56d9b2ec4ad98

SHA512
9264bbc26779caf9ee8dcd60c638587763c33011ffd239bf091a9fabc73cc367d6c2f4b3b602773e63bc992062125a00046719e2e0521ae4fa748f1477e23e3c

Download Submit
C:\Windows\{45AA014B-11C0-4ae3-B44A-7D59C995FBB5}.exe

Filesize
380KB

MD5
3a9ab8dc7f4752633c8c6d59cade67c7

SHA1
cc4cd3f21c270c88e2dfc61672ec96dad1b3167a

SHA256
ee7988ea77dc45eda6ea1c57565afcb2ee9a8815ab3b1ead1c10570b5a8d503b

SHA512
9f5f4d8ec737b41dd260c3460c852fddc397064ca084166c85e0c72af16bb74cbb960756ae2f4ae67c09e017cae4208b907955a7b48d82c712cec7f68762624d

Download Submit
C:\Windows\{5B6136CC-467D-40dc-9DDA-DAD87B61C2CA}.exe

Filesize
380KB

MD5
df0164a0328af9a2bed150b57e3508a0

SHA1
44cbfb370cef2e2af8a1561e5b27886e544089ad

SHA256
374e0f79d09ae206dc48f949dd5d9fba99f7fae6091b55e9f2cc1ff90469f788

SHA512
51688a192b75a9da2c95da94195e8b04c99d154d8169dfc984b40c334b53bf57adf336c25e67243671bd56c115281463dc5ff6496d7dad930c36d0fec4229a6e

Download Submit
C:\Windows\{6C838CA1-5444-4ec3-BE9B-B57BCA4E28CC}.exe

Filesize
380KB

MD5
4da40ab72fefaa45785a34e52e425ed5

SHA1
56ea0c01f515221bdda3cf78fb666f54362dd06e

SHA256
bcde1461b8d9bddd76961e54636687aeffb296022df4033d8510a3902a1851ca

SHA512
e8278f9b9d679284bb635d91295ce017d27a879fa832729fde561a6151fed8fc14eebe3baf96a0f4084ce5d2f7ba43013d3f1c7e5f4b660ad396e38673756db2

Download Submit
C:\Windows\{704FC9C3-4AD1-4173-9AE8-7C2F16F6B50E}.exe

Filesize
380KB

MD5
82ec249069e3ff5c0fe5b32dea37a6f6

SHA1
1b94e6e58f5341bb5cda15e7060f0b14ec2e3988

SHA256
25919dbd218ddd2145585ffd3f98da67fbacefc5db506e4803eab40b417972d1

SHA512
72b722a4a42d8f2369f89fe6c73e3095c1309fd6bdf10d1daf6934cd9821872a393eff4877ef263938523d702afe7524b2cf8174c0e33ca3e6d25c7f3a311ec2

Download Submit
C:\Windows\{92A43152-F534-4507-B0E3-4942729BD310}.exe

Filesize
380KB

MD5
9e798b9dba83151e2d74fd2eeeffcf57

SHA1
7e0598d0f4a4f6532634065f5b1ea37133a89eab

SHA256
277c0d15c85437c6d9274b15933a9863fe0220c625bd0812a27b6b662bd4e7ab

SHA512
798df33f2d953cea942d6b7c51d24627a43bbea0837f59e6066945873f31a774bb4d5afb94fc15cb98f60eb1aef67cef1c5c42ebb3a30247d384d756e3882ee4

Download Submit
C:\Windows\{97C1A92C-9B17-4778-A36C-363B8AFCD942}.exe

Filesize
380KB

MD5
c0b689b22650cc2455cd3505dccf21ed

SHA1
a129c8c4bc8072c013a98da52984ae012c059897

SHA256
31b09f418cbde8215a7532bf11d1c04707deab4af9d2e30db8cee4f41cf6fe42

SHA512
06b5d5452667af5700f45cdbe67d0f78529418c316f5860a55ce07e09413be574141cc69173c7894ce773865c04420dbc8a2f48588a7d124fe9e1944c078e824

Download Submit
C:\Windows\{B7CCE2DA-81BE-46bf-804A-3800CEEADFC4}.exe

Filesize
380KB

MD5
cee12eefe3203935403f07cd1b5fbf53

SHA1
848e9e355be7fb103d5b0f03d3eadbf2850d8094

SHA256
e4fa1a8fcbd1c0c3f262bc1550a059ec08f71e6e566c3cae43c636946e2e626d

SHA512
980595bd95b8489d4c4444131c71c189e75bc90d8aceb5877907b710a3deff8d3d8b6493073f912ab28c33ca192e9dab9637570b6883710ee4173c3a78ab384c

Download Submit
C:\Windows\{D0E1128A-2A1A-4149-938B-AF3BA41F2774}.exe

Filesize
380KB

MD5
3b36010a9cf723117c1178d4b6ddc2a8

SHA1
c7b99fae33c0cc613dc047e3e9d82f65c81435d6

SHA256
a7f73213ba812a2e044ec598ff92ecc18837fec7a244057fa067bffe044cbb34

SHA512
10ce311083bd06b0fd73c5f1f6b81c7579a2a636b807aff2d6d3a203c187a7d908070f006e0fe4459a3f27f0b2bc61c5a5d537da22f09a30a9c184895fb22834

Download Submit
C:\Windows\{DF676BE2-F6B6-4e91-A3E3-C9EBDF0EA177}.exe

Filesize
380KB

MD5
56d333455a0f7df420fca52af07ef5d1

SHA1
f15ff48e4afd97cce3b75f63f324a9557e923c7d

SHA256
4515a988988f78f2dd7f1271a9e9f80deac602742d6e472e5d3fd46dd12e5eed

SHA512
a6c4acda83d3ce22a6c55d14280859abbc905786dbb01c477739379d17bf55510e20a1828a0b52ae36a583c816d83d5fa711f381b987f309036ba560f862e0d2

Download Submit