938c761a7c1963ec4e0672a09a4b6b85535340f94fdad497d688d1cfb25c6e87

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe
Size

380KB
MD5

2f1c59e283dd639eaf00ebd8fd94072d
SHA1

535e29e5a55a10c331f6f48ace92db10df7dd043
SHA256

938c761a7c1963ec4e0672a09a4b6b85535340f94fdad497d688d1cfb25c6e87
SHA512

59a3efeb29a592cf403d8a00a2eea3f93c6b1dadd76551f300d732f0892912fc20a3499946f6c50fa5b4e4c8da2aec4b547e190a610ac692dc8bf53dd176fe5a
SSDEEP

3072:mEGh0oClPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGcl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{139A134D-838E-4479-9912-4423E0238CBE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EC5C22B8-0C64-467c-BB1F-333610944027}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8E7BAF21-BB9A-4503-9E83-86540A275FE9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe{139A134D-838E-4479-9912-4423E0238CBE}.exe{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe{EC5C22B8-0C64-467c-BB1F-333610944027}.exe{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC5C22B8-0C64-467c-BB1F-333610944027}	{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC5C22B8-0C64-467c-BB1F-333610944027}\stubpath = "C:\\Windows\\{EC5C22B8-0C64-467c-BB1F-333610944027}.exe"	{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}\stubpath = "C:\\Windows\\{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe"	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}	{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3273886-F4E8-4dac-9303-B3B58DDCC60F}\stubpath = "C:\\Windows\\{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe"	{139A134D-838E-4479-9912-4423E0238CBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10074FF2-69B5-4c22-A2AF-22676770DCB1}\stubpath = "C:\\Windows\\{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe"	{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}	{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}\stubpath = "C:\\Windows\\{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe"	{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}	{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}\stubpath = "C:\\Windows\\{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe"	{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}\stubpath = "C:\\Windows\\{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe"	{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}	{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}\stubpath = "C:\\Windows\\{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe"	{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10074FF2-69B5-4c22-A2AF-22676770DCB1}	{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}\stubpath = "C:\\Windows\\{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe"	{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E7BAF21-BB9A-4503-9E83-86540A275FE9}\stubpath = "C:\\Windows\\{8E7BAF21-BB9A-4503-9E83-86540A275FE9}.exe"	{EC5C22B8-0C64-467c-BB1F-333610944027}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}	{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{139A134D-838E-4479-9912-4423E0238CBE}	{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{139A134D-838E-4479-9912-4423E0238CBE}\stubpath = "C:\\Windows\\{139A134D-838E-4479-9912-4423E0238CBE}.exe"	{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3273886-F4E8-4dac-9303-B3B58DDCC60F}	{139A134D-838E-4479-9912-4423E0238CBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}	{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}\stubpath = "C:\\Windows\\{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe"	{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E7BAF21-BB9A-4503-9E83-86540A275FE9}	{EC5C22B8-0C64-467c-BB1F-333610944027}.exe

Executes dropped EXE 12 IoCs

Processes:

{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe{139A134D-838E-4479-9912-4423E0238CBE}.exe{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe{EC5C22B8-0C64-467c-BB1F-333610944027}.exe{8E7BAF21-BB9A-4503-9E83-86540A275FE9}.exe

pid	process
1916	{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe
3968	{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe
4632	{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe
4344	{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe
4396	{139A134D-838E-4479-9912-4423E0238CBE}.exe
1432	{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe
3424	{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe
2424	{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe
2448	{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe
1628	{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe
3464	{EC5C22B8-0C64-467c-BB1F-333610944027}.exe
924	{8E7BAF21-BB9A-4503-9E83-86540A275FE9}.exe

Drops file in Windows directory 12 IoCs

Processes:

{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe{139A134D-838E-4479-9912-4423E0238CBE}.exe{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe{EC5C22B8-0C64-467c-BB1F-333610944027}.exe2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe

description	ioc	process
File created	C:\Windows\{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe	{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe
File created	C:\Windows\{EC5C22B8-0C64-467c-BB1F-333610944027}.exe	{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe
File created	C:\Windows\{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe	{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe
File created	C:\Windows\{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe	{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe
File created	C:\Windows\{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe	{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe
File created	C:\Windows\{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe	{139A134D-838E-4479-9912-4423E0238CBE}.exe
File created	C:\Windows\{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe	{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe
File created	C:\Windows\{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe	{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe
File created	C:\Windows\{8E7BAF21-BB9A-4503-9E83-86540A275FE9}.exe	{EC5C22B8-0C64-467c-BB1F-333610944027}.exe
File created	C:\Windows\{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe
File created	C:\Windows\{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe	{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe
File created	C:\Windows\{139A134D-838E-4479-9912-4423E0238CBE}.exe	{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe{139A134D-838E-4479-9912-4423E0238CBE}.exe{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe{EC5C22B8-0C64-467c-BB1F-333610944027}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3916	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1916	{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe
Token: SeIncBasePriorityPrivilege	3968	{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe
Token: SeIncBasePriorityPrivilege	4632	{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe
Token: SeIncBasePriorityPrivilege	4344	{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe
Token: SeIncBasePriorityPrivilege	4396	{139A134D-838E-4479-9912-4423E0238CBE}.exe
Token: SeIncBasePriorityPrivilege	1432	{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe
Token: SeIncBasePriorityPrivilege	3424	{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe
Token: SeIncBasePriorityPrivilege	2424	{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe
Token: SeIncBasePriorityPrivilege	2448	{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe
Token: SeIncBasePriorityPrivilege	1628	{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe
Token: SeIncBasePriorityPrivilege	3464	{EC5C22B8-0C64-467c-BB1F-333610944027}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3916 wrote to memory of 1916	3916	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe	{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe
PID 3916 wrote to memory of 1916	3916	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe	{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe
PID 3916 wrote to memory of 1916	3916	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe	{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe
PID 3916 wrote to memory of 2180	3916	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe	cmd.exe
PID 3916 wrote to memory of 2180	3916	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe	cmd.exe
PID 3916 wrote to memory of 2180	3916	2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe	cmd.exe
PID 1916 wrote to memory of 3968	1916	{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe	{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe
PID 1916 wrote to memory of 3968	1916	{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe	{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe
PID 1916 wrote to memory of 3968	1916	{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe	{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe
PID 1916 wrote to memory of 4032	1916	{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe	cmd.exe
PID 1916 wrote to memory of 4032	1916	{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe	cmd.exe
PID 1916 wrote to memory of 4032	1916	{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe	cmd.exe
PID 3968 wrote to memory of 4632	3968	{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe	{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe
PID 3968 wrote to memory of 4632	3968	{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe	{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe
PID 3968 wrote to memory of 4632	3968	{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe	{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe
PID 3968 wrote to memory of 396	3968	{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe	cmd.exe
PID 3968 wrote to memory of 396	3968	{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe	cmd.exe
PID 3968 wrote to memory of 396	3968	{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe	cmd.exe
PID 4632 wrote to memory of 4344	4632	{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe	{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe
PID 4632 wrote to memory of 4344	4632	{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe	{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe
PID 4632 wrote to memory of 4344	4632	{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe	{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe
PID 4632 wrote to memory of 224	4632	{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe	cmd.exe
PID 4632 wrote to memory of 224	4632	{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe	cmd.exe
PID 4632 wrote to memory of 224	4632	{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe	cmd.exe
PID 4344 wrote to memory of 4396	4344	{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe	{139A134D-838E-4479-9912-4423E0238CBE}.exe
PID 4344 wrote to memory of 4396	4344	{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe	{139A134D-838E-4479-9912-4423E0238CBE}.exe
PID 4344 wrote to memory of 4396	4344	{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe	{139A134D-838E-4479-9912-4423E0238CBE}.exe
PID 4344 wrote to memory of 3644	4344	{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe	cmd.exe
PID 4344 wrote to memory of 3644	4344	{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe	cmd.exe
PID 4344 wrote to memory of 3644	4344	{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe	cmd.exe
PID 4396 wrote to memory of 1432	4396	{139A134D-838E-4479-9912-4423E0238CBE}.exe	{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe
PID 4396 wrote to memory of 1432	4396	{139A134D-838E-4479-9912-4423E0238CBE}.exe	{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe
PID 4396 wrote to memory of 1432	4396	{139A134D-838E-4479-9912-4423E0238CBE}.exe	{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe
PID 4396 wrote to memory of 4308	4396	{139A134D-838E-4479-9912-4423E0238CBE}.exe	cmd.exe
PID 4396 wrote to memory of 4308	4396	{139A134D-838E-4479-9912-4423E0238CBE}.exe	cmd.exe
PID 4396 wrote to memory of 4308	4396	{139A134D-838E-4479-9912-4423E0238CBE}.exe	cmd.exe
PID 1432 wrote to memory of 3424	1432	{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe	{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe
PID 1432 wrote to memory of 3424	1432	{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe	{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe
PID 1432 wrote to memory of 3424	1432	{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe	{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe
PID 1432 wrote to memory of 3388	1432	{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe	cmd.exe
PID 1432 wrote to memory of 3388	1432	{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe	cmd.exe
PID 1432 wrote to memory of 3388	1432	{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe	cmd.exe
PID 3424 wrote to memory of 2424	3424	{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe	{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe
PID 3424 wrote to memory of 2424	3424	{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe	{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe
PID 3424 wrote to memory of 2424	3424	{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe	{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe
PID 3424 wrote to memory of 2668	3424	{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe	cmd.exe
PID 3424 wrote to memory of 2668	3424	{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe	cmd.exe
PID 3424 wrote to memory of 2668	3424	{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe	cmd.exe
PID 2424 wrote to memory of 2448	2424	{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe	{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe
PID 2424 wrote to memory of 2448	2424	{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe	{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe
PID 2424 wrote to memory of 2448	2424	{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe	{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe
PID 2424 wrote to memory of 1992	2424	{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe	cmd.exe
PID 2424 wrote to memory of 1992	2424	{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe	cmd.exe
PID 2424 wrote to memory of 1992	2424	{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe	cmd.exe
PID 2448 wrote to memory of 1628	2448	{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe	{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe
PID 2448 wrote to memory of 1628	2448	{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe	{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe
PID 2448 wrote to memory of 1628	2448	{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe	{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe
PID 2448 wrote to memory of 2412	2448	{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe	cmd.exe
PID 2448 wrote to memory of 2412	2448	{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe	cmd.exe
PID 2448 wrote to memory of 2412	2448	{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe	cmd.exe
PID 1628 wrote to memory of 3464	1628	{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe	{EC5C22B8-0C64-467c-BB1F-333610944027}.exe
PID 1628 wrote to memory of 3464	1628	{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe	{EC5C22B8-0C64-467c-BB1F-333610944027}.exe
PID 1628 wrote to memory of 3464	1628	{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe	{EC5C22B8-0C64-467c-BB1F-333610944027}.exe
PID 1628 wrote to memory of 1816	1628	{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_2f1c59e283dd639eaf00ebd8fd94072d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe
C:\Windows\{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe
C:\Windows\{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe
C:\Windows\{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe
C:\Windows\{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\{139A134D-838E-4479-9912-4423E0238CBE}.exe
C:\Windows\{139A134D-838E-4479-9912-4423E0238CBE}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe
C:\Windows\{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe
C:\Windows\{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe
C:\Windows\{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe
C:\Windows\{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe
C:\Windows\{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\{EC5C22B8-0C64-467c-BB1F-333610944027}.exe
C:\Windows\{EC5C22B8-0C64-467c-BB1F-333610944027}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\{8E7BAF21-BB9A-4503-9E83-86540A275FE9}.exe
C:\Windows\{8E7BAF21-BB9A-4503-9E83-86540A275FE9}.exe
13⤵
- Executes dropped EXE
PID:924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EC5C2~1.EXE > nul
13⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{25419~1.EXE > nul
12⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B5D7D~1.EXE > nul
11⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C0F6D~1.EXE > nul
10⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{10074~1.EXE > nul
9⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B3273~1.EXE > nul
8⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{139A1~1.EXE > nul
7⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CFE8B~1.EXE > nul
6⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5BFA8~1.EXE > nul
5⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{61B41~1.EXE > nul
4⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{94D2B~1.EXE > nul
3⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10074FF2-69B5-4c22-A2AF-22676770DCB1}.exe

Filesize
380KB

MD5
17f01cf2637752ade2be16f4a3aa488e

SHA1
9f21dfb7bd3e822c13d47c7769a37b265ba693e1

SHA256
a942d419d0de2eccd6a9711547ad829928bd82bcce0edb1ffbf9a8ad5f39ab29

SHA512
f4aa75ae80e0d0e4114a164fac8c583042afff93e3427d2bde48c27e8b8abe39376984ea18b0f1242eb25dc34b17bd588fa57de7be2d829851a3b507d6372c07

Download Submit
C:\Windows\{139A134D-838E-4479-9912-4423E0238CBE}.exe

Filesize
380KB

MD5
bd90dcc5d5a3bb7d519f11aeec41bc42

SHA1
829442d31a71fbbd6dd6111f91fdc034a5d006cf

SHA256
40f78cbd239c4ccaa7d6ef2d06f34b6050bc443f5bb09c723d21a907c0e14022

SHA512
a32ad50e59bc3c9db004a6544eb71bb79620d0c6b0ed7aee6b9a63f66488cf4417eed4ccbd317fca4f9c21df1fc983013978cfbd56181e095bb1ab766cc94979

Download Submit
C:\Windows\{254192B8-C7FD-48c4-A30E-F8C9BCB72D43}.exe

Filesize
380KB

MD5
13c7ee10feb865e7e4333890b92548b6

SHA1
987368fc80f5b28d59b2c808753750d538151b54

SHA256
6b115792dc640ae5c604e17aeee904471d0485fd59150595fb98acc13add2aee

SHA512
0df52b0138cc79ef3fd7255b7e93c3079e39585e4ece37620046ff8ead1583db47db28bedd2d6b7e691f65076a5dfb5052c93e15c7aa30bb6600c1e4bbeadb83

Download Submit
C:\Windows\{5BFA82AF-CDE1-4a07-A8A3-49124C2C9471}.exe

Filesize
380KB

MD5
7b9673e9c92044c4362843d66984774b

SHA1
f51f5f140caa04d7ec5b265a3fcb105343c43379

SHA256
3159f8b250bb4b0a8ba52c3fb51bdba7b3866733b89b7fc5acf332b7e5914d50

SHA512
63a78251ae94854edd029448fc8dc60abff7f1c921ddcddd71c6766d47d60c2495e933618837d02294a4e5df12bab9909587cb919987c954147863dd73bad920

Download Submit
C:\Windows\{61B41394-9E92-4b52-8DAA-1E9B5A34BC68}.exe

Filesize
380KB

MD5
b51256c9a8b3f1be3fdfc8800a5d9110

SHA1
ff9e026648235c02abf9239d2fe35d4a13a29ab8

SHA256
16c60d76ec91453e5db9ad901645f93e460f52cc18dd75428e5c1f188e9ce8e5

SHA512
6ff4fb82cc604c59c79d95cb4bb61485d4af2961cd63b1821478be4722a1a72a4c41001b9d0f8f6b5784550f788b85117698a1a37c0ee02559781b9fdbd7abaf

Download Submit
C:\Windows\{8E7BAF21-BB9A-4503-9E83-86540A275FE9}.exe

Filesize
380KB

MD5
f325aa9a5f2f3b205834378157b907f0

SHA1
fffb88dd843bb30d43b6471ab0f6ed12bb7090b5

SHA256
a01574913d2cedf591a9d4eb6bb69b7db9873fce236de8dec9036a103f03127b

SHA512
a6372940f354a04bf551e234ce44a6532dce57607fa278ff782f0d10675144d6f92d5bffe2981c94d780c502201aaca27e9aebbdc42eb0946e97f9413de71e0d

Download Submit
C:\Windows\{94D2B78B-6853-4252-ADEE-F746FF9B6F6C}.exe

Filesize
380KB

MD5
7b4b24bb91266c94360e90b7aa11e7e2

SHA1
8b7b133a97ec4fef216d64ba79fd5f91f287696c

SHA256
96ebd932b7061ff1d8e60cc476506e0bd3c7412cf74a27abd094113514c84e68

SHA512
1b139709b9032809a66e3d0bbfe01b07d00036c5553057e4ef5e9df8a72f68fc369f77b11411560a55f2379f6b820e5a22eef4e5e46024318bb3a36176ba3898

Download Submit
C:\Windows\{B3273886-F4E8-4dac-9303-B3B58DDCC60F}.exe

Filesize
380KB

MD5
7b26fd7fc4e9a482eb38e820fe3d686e

SHA1
c095b4d58ca0318c5eae5861da42a9d16c22ca51

SHA256
361843c73095461dbf91f265b9fda79244b9ca07054c4bba08e1284c4fef3db2

SHA512
b8c1b1090076d981346ced8f148ddb57d4d5a1b2c420679de775cba9d35556f1edc1fb372e5cc0329e432caa5d42b380c769ce839419a7ded12304eb0765c449

Download Submit
C:\Windows\{B5D7D5DC-9F97-4b00-90A8-2D3688E9EC71}.exe

Filesize
380KB

MD5
35bf0e78e0fece5ac95e9999aabd3ec9

SHA1
c62fe39fb26717deb762b84d037e1d9c9fdb9038

SHA256
808c33f4cc56dc13f65355ee044cbea8e990e6c992560608208b43245f2d1d1f

SHA512
f91c49dd18a18257bdba01f13e2a252bc9c942f7eeac9df55d6fcc04dcc9e825efb7963f7d9852765372fba51dd0890dff3b030fb7d2706b066865b1c64ed69b

Download Submit
C:\Windows\{C0F6DF41-DEBD-4d29-90A8-C2E0C75EC3E6}.exe

Filesize
380KB

MD5
bc328793e67880cbe8c40bdde2053cc2

SHA1
b57ddf47660db4a2f3900b7137673bad66075976

SHA256
f42e329c6a3a4287c060b77cb6cbc1d9cbe4c68ee69459131590084666d086a1

SHA512
e0ede86db980ead19e284ffcc5d5a827485761f4ca39f8d46b7ca2af35d28003029c16b72a3b98fc97e34e74da5234d341435b35d312bbae53c305dae497a4b9

Download Submit
C:\Windows\{CFE8B8FE-D5DC-4ec6-9262-68FE1C26E399}.exe

Filesize
380KB

MD5
af65118e7542021c3c9128f4c3bd8a09

SHA1
077abc613e494e8f05ae7556a0f3ebe34496ec72

SHA256
4130443d31af22237a1b1048edef3aab5ee42f8b2abd2bf24563c678a62252c7

SHA512
4440b1a5eb52c4cb51256ebe2d7cdd79442d0202b85b944e0893607a7cfe279291bbf30b74015dbe1b77e17305a887e51d4069897ec36cd7d6c0d897dfde4b37

Download Submit
C:\Windows\{EC5C22B8-0C64-467c-BB1F-333610944027}.exe

Filesize
380KB

MD5
2c88b623101361556bbc309bfe3b9312

SHA1
a77ae3c3173d4dce6888a31d8d14a87aa1d999b4

SHA256
bedcdcc7ef640cda4821c4077b3ca2506a2074573bfd315c0e225cce86ec6f2f

SHA512
9d4db6f763cb2e80ce20ca929145c45a0b8550de33925d9264a180db0233515003745bcee546628f4e799edf038fff632b843435d199f86d77710f58b0b9fe8c

Download Submit