4627456033a36415855be1571abd60d8d252d93833616a6ba6a6094ae6604018

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe
Size

180KB
MD5

65d6d992173d27b5d51a5933ccb33880
SHA1

0f48beb4b646b587ec17bd9a0f149fc386f3f330
SHA256

4627456033a36415855be1571abd60d8d252d93833616a6ba6a6094ae6604018
SHA512

c83241380aed6ba277924f9a3b0ea8eb5c1b9c05fe3350d58ea95b0448f3ab9f76f3c36d14472fcd1529cdb0591fd5b90ea76a733699847c006705d03aa49818
SSDEEP

3072:jEGh0oflfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGdl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BB84A230-234D-498c-914C-F29BFAF98E23}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{70BCBF59-FB49-4fa4-9F5B-00BF443F3E35}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe{BB84A230-234D-498c-914C-F29BFAF98E23}.exe{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70BCBF59-FB49-4fa4-9F5B-00BF443F3E35}\stubpath = "C:\\Windows\\{70BCBF59-FB49-4fa4-9F5B-00BF443F3E35}.exe"	{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}\stubpath = "C:\\Windows\\{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe"	{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}\stubpath = "C:\\Windows\\{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe"	{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A1C1585-6FAE-436d-834C-24FB2E0FC118}	{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}\stubpath = "C:\\Windows\\{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe"	{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB84A230-234D-498c-914C-F29BFAF98E23}	{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D919D95-5FC8-48aa-B8CC-463A235C8604}	2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D919D95-5FC8-48aa-B8CC-463A235C8604}\stubpath = "C:\\Windows\\{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe"	2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}	{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79C48190-C15E-4a45-9C23-708450D5CEAE}\stubpath = "C:\\Windows\\{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe"	{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}	{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79C48190-C15E-4a45-9C23-708450D5CEAE}	{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}	{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35632287-9DFB-4d74-969C-5A512A53C3C4}	{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}	{BB84A230-234D-498c-914C-F29BFAF98E23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}\stubpath = "C:\\Windows\\{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe"	{BB84A230-234D-498c-914C-F29BFAF98E23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12DA1EBB-4BB9-4717-848C-041270C9F144}	{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12DA1EBB-4BB9-4717-848C-041270C9F144}\stubpath = "C:\\Windows\\{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe"	{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70BCBF59-FB49-4fa4-9F5B-00BF443F3E35}	{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}\stubpath = "C:\\Windows\\{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe"	{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}	{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A1C1585-6FAE-436d-834C-24FB2E0FC118}\stubpath = "C:\\Windows\\{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe"	{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35632287-9DFB-4d74-969C-5A512A53C3C4}\stubpath = "C:\\Windows\\{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe"	{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB84A230-234D-498c-914C-F29BFAF98E23}\stubpath = "C:\\Windows\\{BB84A230-234D-498c-914C-F29BFAF98E23}.exe"	{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe

Executes dropped EXE 12 IoCs

Processes:

{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe{BB84A230-234D-498c-914C-F29BFAF98E23}.exe{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe{70BCBF59-FB49-4fa4-9F5B-00BF443F3E35}.exe

pid	process
2348	{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe
1680	{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe
3008	{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe
3784	{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe
404	{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe
4844	{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe
1360	{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe
3260	{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe
2392	{BB84A230-234D-498c-914C-F29BFAF98E23}.exe
3452	{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe
5040	{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe
3212	{70BCBF59-FB49-4fa4-9F5B-00BF443F3E35}.exe

Drops file in Windows directory 12 IoCs

Processes:

{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe{BB84A230-234D-498c-914C-F29BFAF98E23}.exe

description	ioc	process
File created	C:\Windows\{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe	{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe
File created	C:\Windows\{70BCBF59-FB49-4fa4-9F5B-00BF443F3E35}.exe	{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe
File created	C:\Windows\{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe	2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe
File created	C:\Windows\{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe	{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe
File created	C:\Windows\{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe	{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe
File created	C:\Windows\{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe	{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe
File created	C:\Windows\{BB84A230-234D-498c-914C-F29BFAF98E23}.exe	{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe
File created	C:\Windows\{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe	{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe
File created	C:\Windows\{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe	{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe
File created	C:\Windows\{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe	{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe
File created	C:\Windows\{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe	{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe
File created	C:\Windows\{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe	{BB84A230-234D-498c-914C-F29BFAF98E23}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe{BB84A230-234D-498c-914C-F29BFAF98E23}.exe{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	436	2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2348	{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe
Token: SeIncBasePriorityPrivilege	1680	{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe
Token: SeIncBasePriorityPrivilege	3008	{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe
Token: SeIncBasePriorityPrivilege	3784	{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe
Token: SeIncBasePriorityPrivilege	404	{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe
Token: SeIncBasePriorityPrivilege	4844	{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe
Token: SeIncBasePriorityPrivilege	1360	{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe
Token: SeIncBasePriorityPrivilege	3260	{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe
Token: SeIncBasePriorityPrivilege	2392	{BB84A230-234D-498c-914C-F29BFAF98E23}.exe
Token: SeIncBasePriorityPrivilege	3452	{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe
Token: SeIncBasePriorityPrivilege	5040	{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 436 wrote to memory of 2348	436	2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe	{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe
PID 436 wrote to memory of 2348	436	2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe	{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe
PID 436 wrote to memory of 2348	436	2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe	{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe
PID 436 wrote to memory of 3236	436	2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe	cmd.exe
PID 436 wrote to memory of 3236	436	2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe	cmd.exe
PID 436 wrote to memory of 3236	436	2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe	cmd.exe
PID 2348 wrote to memory of 1680	2348	{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe	{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe
PID 2348 wrote to memory of 1680	2348	{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe	{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe
PID 2348 wrote to memory of 1680	2348	{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe	{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe
PID 2348 wrote to memory of 4308	2348	{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe	cmd.exe
PID 2348 wrote to memory of 4308	2348	{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe	cmd.exe
PID 2348 wrote to memory of 4308	2348	{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe	cmd.exe
PID 1680 wrote to memory of 3008	1680	{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe	{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe
PID 1680 wrote to memory of 3008	1680	{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe	{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe
PID 1680 wrote to memory of 3008	1680	{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe	{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe
PID 1680 wrote to memory of 4588	1680	{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe	cmd.exe
PID 1680 wrote to memory of 4588	1680	{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe	cmd.exe
PID 1680 wrote to memory of 4588	1680	{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe	cmd.exe
PID 3008 wrote to memory of 3784	3008	{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe	{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe
PID 3008 wrote to memory of 3784	3008	{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe	{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe
PID 3008 wrote to memory of 3784	3008	{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe	{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe
PID 3008 wrote to memory of 3476	3008	{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe	cmd.exe
PID 3008 wrote to memory of 3476	3008	{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe	cmd.exe
PID 3008 wrote to memory of 3476	3008	{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe	cmd.exe
PID 3784 wrote to memory of 404	3784	{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe	{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe
PID 3784 wrote to memory of 404	3784	{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe	{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe
PID 3784 wrote to memory of 404	3784	{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe	{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe
PID 3784 wrote to memory of 1808	3784	{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe	cmd.exe
PID 3784 wrote to memory of 1808	3784	{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe	cmd.exe
PID 3784 wrote to memory of 1808	3784	{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe	cmd.exe
PID 404 wrote to memory of 4844	404	{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe	{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe
PID 404 wrote to memory of 4844	404	{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe	{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe
PID 404 wrote to memory of 4844	404	{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe	{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe
PID 404 wrote to memory of 4292	404	{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe	cmd.exe
PID 404 wrote to memory of 4292	404	{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe	cmd.exe
PID 404 wrote to memory of 4292	404	{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe	cmd.exe
PID 4844 wrote to memory of 1360	4844	{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe	{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe
PID 4844 wrote to memory of 1360	4844	{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe	{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe
PID 4844 wrote to memory of 1360	4844	{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe	{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe
PID 4844 wrote to memory of 1252	4844	{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe	cmd.exe
PID 4844 wrote to memory of 1252	4844	{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe	cmd.exe
PID 4844 wrote to memory of 1252	4844	{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe	cmd.exe
PID 1360 wrote to memory of 3260	1360	{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe	{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe
PID 1360 wrote to memory of 3260	1360	{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe	{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe
PID 1360 wrote to memory of 3260	1360	{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe	{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe
PID 1360 wrote to memory of 3964	1360	{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe	cmd.exe
PID 1360 wrote to memory of 3964	1360	{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe	cmd.exe
PID 1360 wrote to memory of 3964	1360	{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe	cmd.exe
PID 3260 wrote to memory of 2392	3260	{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe	{BB84A230-234D-498c-914C-F29BFAF98E23}.exe
PID 3260 wrote to memory of 2392	3260	{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe	{BB84A230-234D-498c-914C-F29BFAF98E23}.exe
PID 3260 wrote to memory of 2392	3260	{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe	{BB84A230-234D-498c-914C-F29BFAF98E23}.exe
PID 3260 wrote to memory of 4684	3260	{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe	cmd.exe
PID 3260 wrote to memory of 4684	3260	{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe	cmd.exe
PID 3260 wrote to memory of 4684	3260	{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe	cmd.exe
PID 2392 wrote to memory of 3452	2392	{BB84A230-234D-498c-914C-F29BFAF98E23}.exe	{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe
PID 2392 wrote to memory of 3452	2392	{BB84A230-234D-498c-914C-F29BFAF98E23}.exe	{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe
PID 2392 wrote to memory of 3452	2392	{BB84A230-234D-498c-914C-F29BFAF98E23}.exe	{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe
PID 2392 wrote to memory of 2980	2392	{BB84A230-234D-498c-914C-F29BFAF98E23}.exe	cmd.exe
PID 2392 wrote to memory of 2980	2392	{BB84A230-234D-498c-914C-F29BFAF98E23}.exe	cmd.exe
PID 2392 wrote to memory of 2980	2392	{BB84A230-234D-498c-914C-F29BFAF98E23}.exe	cmd.exe
PID 3452 wrote to memory of 5040	3452	{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe	{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe
PID 3452 wrote to memory of 5040	3452	{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe	{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe
PID 3452 wrote to memory of 5040	3452	{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe	{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe
PID 3452 wrote to memory of 3092	3452	{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_65d6d992173d27b5d51a5933ccb33880_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe
C:\Windows\{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe
C:\Windows\{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{52E30~1.EXE > nul
4⤵
PID:4588

C:\Windows\{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe
C:\Windows\{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe
C:\Windows\{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe
C:\Windows\{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe
C:\Windows\{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe
C:\Windows\{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe
C:\Windows\{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\{BB84A230-234D-498c-914C-F29BFAF98E23}.exe
C:\Windows\{BB84A230-234D-498c-914C-F29BFAF98E23}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe
C:\Windows\{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe
C:\Windows\{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\{70BCBF59-FB49-4fa4-9F5B-00BF443F3E35}.exe
C:\Windows\{70BCBF59-FB49-4fa4-9F5B-00BF443F3E35}.exe
13⤵
- Executes dropped EXE
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{12DA1~1.EXE > nul
13⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3E228~1.EXE > nul
12⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BB84A~1.EXE > nul
11⤵
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FA04B~1.EXE > nul
10⤵
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{35632~1.EXE > nul
9⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5A1C1~1.EXE > nul
8⤵
PID:1252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AD7B4~1.EXE > nul
7⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9C782~1.EXE > nul
6⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{79C48~1.EXE > nul
5⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9D919~1.EXE > nul
3⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:3236

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12DA1EBB-4BB9-4717-848C-041270C9F144}.exe
Filesize
180KB

MD5
33dd107650ce1c2654621d02f256e736

SHA1
7ec0910c56b045d00379651d082a436a3b7aa46f

SHA256
fb56cf0d8f7631d9a8e17eb3e82cdb9e88de79a9835862ed8976d9258e38bfad

SHA512
fc8eeda4bac1b7bac314921f1750ecaa00ace35a9dbe89d43ea28e989b21468d778592fc4b679c4880a49fc960e9268cad2231f98852c321e28f9e34911a4e06

Download Submit
C:\Windows\{35632287-9DFB-4d74-969C-5A512A53C3C4}.exe
Filesize
180KB

MD5
15c072d4319f77f8e69320b8df55a62a

SHA1
1fe52ebf2cfa25301ab17fe409a5eaa1d4ddfc2c

SHA256
2d70ac1d46d2782a2ed3951435a0f6455d4dc194165b3dfc639f00d313ad08e0

SHA512
20f0197890d8a2ab3f7676055dea7b486671e6046f178a84643577040321910b520afb598fbdd6c611bbcc8686292c52e4b9550a3e08514665dbc51bbe08db5b

Download Submit
C:\Windows\{3E2282B1-24A6-4cb2-BFB0-3A9C2D3DD6EF}.exe
Filesize
180KB

MD5
a4c63d7620606a97fe372942d494c2d1

SHA1
fea024e8c3d2be6d4d1733c7c00eaa2d7a616b43

SHA256
ea428aead7f50ddd4a28e5df620405aaee64000e6437e7413563ddd6222caff8

SHA512
5048ccc12d300cf385809d67194f92d45d7520dd64900c18f48f44fbf18660a8be38ef2745b924dd87aef4ddf55d993bc659f4f578a5aa134cb829c345b4d32b

Download Submit
C:\Windows\{52E30F2C-0EF3-4925-BBFE-ED0BA36B42DD}.exe
Filesize
180KB

MD5
71b76487afb6ad8de2f2cb52dd679a7d

SHA1
64b8f03515e9e3dbd8e69c165d3aa464a74bf54f

SHA256
75013be34b1d02a530f1ed68250d6964a53370faad2d5a9d8ea13627428d790d

SHA512
b652e7cb92565ab1f090b94401fb76266bdceb38582fa3f11c381d496f6ecbb60dad9bcf7f07031528905b6e0abff07aeb985ad8aa1b2d072cec8ef49e575d40

Download Submit
C:\Windows\{5A1C1585-6FAE-436d-834C-24FB2E0FC118}.exe
Filesize
180KB

MD5
94b08bfdec4dfa6c569954cb898f3b34

SHA1
962a7399db8b7e9f5dd7f8c3f636c0ed82113502

SHA256
1695dbb0d163bb530247e5bb1cb27b3a6f30ab56799e7ab2174ec63939ed2e7d

SHA512
a4022494c2fdf4b797149d884a84370b342bfb28db281cf9ec93d69205ff03dcc66e1e309c3a9d732d02465ad0dfb90520da86487fb452b7879e6e685e5a0c76

Download Submit
C:\Windows\{70BCBF59-FB49-4fa4-9F5B-00BF443F3E35}.exe
Filesize
180KB

MD5
3f25ecd194e1d76b72c998dc1730b18c

SHA1
12d1733ee1fc80df64899177a2994e5065dcf2fa

SHA256
b330e75f3bb7dd0415248052926b6cfa5bdb0052c9aadc86bca8f9c3f5ef9efa

SHA512
2ca66dc63c1359ece4db66c400f1ad35a4e5587c3208f87a17ae5ae0f2db5a5d793b5b152705e1df3f6a864cf3dc5f80651c51d2c52377d35100df96c059c25d

Download Submit
C:\Windows\{79C48190-C15E-4a45-9C23-708450D5CEAE}.exe
Filesize
180KB

MD5
315cd6c75ef6e64c20e501d49b69eb5b

SHA1
98030739cd5933a4fac86ac19b5e2813d7e74b93

SHA256
fa6c8745d24fc9f27290cd9c376ea6cd077369854651f397820eeeb8d181eadd

SHA512
14d9488bb7c47eb342b0138f50ad3c1a2e6fc1966ee372ef2e1561751602250f57a1b65fd8aa7f017aba40ef671aab011105386636aa74ca85dc09417bdad7ab

Download Submit
C:\Windows\{9C78216E-40A6-48cd-A3DF-F04F8BD34E1C}.exe
Filesize
180KB

MD5
6ce54b86d6864541e67ee0a43f41fc63

SHA1
7f484ff1f39177ca5ab6a0ef828b43d5dbec9597

SHA256
da719adb2686e2e7531beaccc560e9057a6bac95ca81e8350df1ec4b80972c7c

SHA512
f77dcbcec0beb60b8fddf31c280ce1466f5d43d0ba7bf98d918582945360a61363e0dd149f5ae1ebe4e0d66bd9d9a0c740fb075f9e00b54ffa85e15c0c52a7a3

Download Submit
C:\Windows\{9D919D95-5FC8-48aa-B8CC-463A235C8604}.exe
Filesize
180KB

MD5
35eb7811e74f26342c7347875a43f8b6

SHA1
011194bc4385e5ad286e99d54eb6480cd120fbdb

SHA256
b9c463e7ea242b7253704e33059935a5e12b0c78759a396e8e28372400113cc1

SHA512
c57aab1266baee59dc67fbfa4ab0dbd049b3d2409e191f52fdbdf0685d0d47ba35bce2ed41df1a607ed41b612544c9a223857183e113b60b57e06f22fc0d8610

Download Submit
C:\Windows\{AD7B4B37-2EBC-4a6f-801F-1FED1808DE2B}.exe
Filesize
180KB

MD5
05541e502d4c18cd59b548d00999844c

SHA1
6b2b59e10985653f88dad656e0b0e5f2cee21562

SHA256
640ccb1d9d572fde8906665a07ab9385f54b8d0e759fa0994a7007962714d482

SHA512
9d9e08f4fd2c90ed96c2421abb0f9437b79c1dda732b4471ae6dbc8fa9d9cc3d71a6ccbe7492cd68dcb9e9b0861264a53731cbcd987223bf855c2fa4cd57c69b

Download Submit
C:\Windows\{BB84A230-234D-498c-914C-F29BFAF98E23}.exe
Filesize
180KB

MD5
f905c10e5c15916ce6bcea99bff6c051

SHA1
9371fd4ea39283f007ea04200990aa6a05994a54

SHA256
2fa59e96246f57e66068383bce86cec6be0c71c73125c91e09b9097c9e7f80d3

SHA512
b537c1eb14e0dbe2642a5ef23f025543f9c377adf450d886ad7e2a6c7384d67cccb7b81fbee2e11e76c81768da1fdb5f330579af592651bb2e7ed050ee4ce7e0

Download Submit
C:\Windows\{FA04BCFD-9B06-4936-9F1E-86DE05F330FE}.exe
Filesize
180KB

MD5
9135642de76350e50d38462851ed3f26

SHA1
7dbae5a5dd51a2e490ad962d3b02e2190a2c5778

SHA256
2e97298735e78bf55a2efaad82d55ae7b5b4b54d2b1999bf7a7148ee26dc5016

SHA512
e83591071bb1d47403da44e67267cc883cc25bea5299f3f37ddd1215f5e772e4b164f94584dc58e18bc3c32074028e84167bc296c5bc4c962b5146c1e7f3693b

Download Submit