84d8ab97737f7a1ae90817c422ada7ea9a36e2ae6cdb805c12d7469955c1b993

Analysis

max time kernel
151s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe
Size

408KB
MD5

669a3e507dbfcb2ef85f6b02da12c0fe
SHA1

b3698ba573a1b7dc76fa232ab014c714874c9306
SHA256

84d8ab97737f7a1ae90817c422ada7ea9a36e2ae6cdb805c12d7469955c1b993
SHA512

35b99a052dc11b31dc99eac98e9929cd9ceedfa0266b5fd055412dd25eaf383df2f1b5184e6495d428499649019e9c874c5518873f6e32aa9ea6202b8e60d0fd
SSDEEP

3072:CEGh0oHl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGBldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

Processes:

resource	yara_rule
C:\Windows\{42032FE4-817C-4b1a-933F-E31D190830EE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{55747614-4727-43e4-B282-EC8F73AEF670}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B661D20B-715A-4f22-A03D-94F996333C7E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E95649B3-F4AE-4169-9CC4-6499664D53DF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe{55747614-4727-43e4-B282-EC8F73AEF670}.exe{42032FE4-817C-4b1a-933F-E31D190830EE}.exe{B661D20B-715A-4f22-A03D-94F996333C7E}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D50D14CC-A444-4ead-9820-DBA2D2608F0D}\stubpath = "C:\\Windows\\{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe"	{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}\stubpath = "C:\\Windows\\{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe"	{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55747614-4727-43e4-B282-EC8F73AEF670}\stubpath = "C:\\Windows\\{55747614-4727-43e4-B282-EC8F73AEF670}.exe"	{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B661D20B-715A-4f22-A03D-94F996333C7E}\stubpath = "C:\\Windows\\{B661D20B-715A-4f22-A03D-94F996333C7E}.exe"	{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42032FE4-817C-4b1a-933F-E31D190830EE}	2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}\stubpath = "C:\\Windows\\{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe"	{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5991344B-E73C-43d8-AB72-FE3DE2411888}	{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}	{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B661D20B-715A-4f22-A03D-94F996333C7E}	{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42032FE4-817C-4b1a-933F-E31D190830EE}\stubpath = "C:\\Windows\\{42032FE4-817C-4b1a-933F-E31D190830EE}.exe"	2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}	{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE741CDD-B304-4ecc-82A7-D8C0652B204C}	{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE741CDD-B304-4ecc-82A7-D8C0652B204C}\stubpath = "C:\\Windows\\{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe"	{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55747614-4727-43e4-B282-EC8F73AEF670}	{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A03981-67A4-4a13-89C6-955B99EAF0D8}	{55747614-4727-43e4-B282-EC8F73AEF670}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5991344B-E73C-43d8-AB72-FE3DE2411888}\stubpath = "C:\\Windows\\{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe"	{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}\stubpath = "C:\\Windows\\{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe"	{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6D7C0F8-E598-4114-868F-A10A4EADD79E}	{42032FE4-817C-4b1a-933F-E31D190830EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E95649B3-F4AE-4169-9CC4-6499664D53DF}	{B661D20B-715A-4f22-A03D-94F996333C7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D50D14CC-A444-4ead-9820-DBA2D2608F0D}	{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}	{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A03981-67A4-4a13-89C6-955B99EAF0D8}\stubpath = "C:\\Windows\\{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe"	{55747614-4727-43e4-B282-EC8F73AEF670}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E95649B3-F4AE-4169-9CC4-6499664D53DF}\stubpath = "C:\\Windows\\{E95649B3-F4AE-4169-9CC4-6499664D53DF}.exe"	{B661D20B-715A-4f22-A03D-94F996333C7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6D7C0F8-E598-4114-868F-A10A4EADD79E}\stubpath = "C:\\Windows\\{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe"	{42032FE4-817C-4b1a-933F-E31D190830EE}.exe

Executes dropped EXE 12 IoCs

Processes:

{42032FE4-817C-4b1a-933F-E31D190830EE}.exe{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe{55747614-4727-43e4-B282-EC8F73AEF670}.exe{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe{B661D20B-715A-4f22-A03D-94F996333C7E}.exe{E95649B3-F4AE-4169-9CC4-6499664D53DF}.exe

pid	process
4932	{42032FE4-817C-4b1a-933F-E31D190830EE}.exe
1592	{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe
2728	{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe
1068	{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe
2236	{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe
4152	{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe
1700	{55747614-4727-43e4-B282-EC8F73AEF670}.exe
3152	{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe
1116	{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe
3496	{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe
376	{B661D20B-715A-4f22-A03D-94F996333C7E}.exe
4912	{E95649B3-F4AE-4169-9CC4-6499664D53DF}.exe

Drops file in Windows directory 12 IoCs

Processes:

{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe{42032FE4-817C-4b1a-933F-E31D190830EE}.exe{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe{55747614-4727-43e4-B282-EC8F73AEF670}.exe{B661D20B-715A-4f22-A03D-94F996333C7E}.exe{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe

description	ioc	process
File created	C:\Windows\{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe	{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe
File created	C:\Windows\{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe	{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe
File created	C:\Windows\{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe	{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe
File created	C:\Windows\{B661D20B-715A-4f22-A03D-94F996333C7E}.exe	{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe
File created	C:\Windows\{42032FE4-817C-4b1a-933F-E31D190830EE}.exe	2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe
File created	C:\Windows\{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe	{42032FE4-817C-4b1a-933F-E31D190830EE}.exe
File created	C:\Windows\{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe	{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe
File created	C:\Windows\{55747614-4727-43e4-B282-EC8F73AEF670}.exe	{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe
File created	C:\Windows\{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe	{55747614-4727-43e4-B282-EC8F73AEF670}.exe
File created	C:\Windows\{E95649B3-F4AE-4169-9CC4-6499664D53DF}.exe	{B661D20B-715A-4f22-A03D-94F996333C7E}.exe
File created	C:\Windows\{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe	{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe
File created	C:\Windows\{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe	{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe{42032FE4-817C-4b1a-933F-E31D190830EE}.exe{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe{55747614-4727-43e4-B282-EC8F73AEF670}.exe{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe{B661D20B-715A-4f22-A03D-94F996333C7E}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3808	2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4932	{42032FE4-817C-4b1a-933F-E31D190830EE}.exe
Token: SeIncBasePriorityPrivilege	1592	{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe
Token: SeIncBasePriorityPrivilege	2728	{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe
Token: SeIncBasePriorityPrivilege	1068	{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe
Token: SeIncBasePriorityPrivilege	2236	{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe
Token: SeIncBasePriorityPrivilege	4152	{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe
Token: SeIncBasePriorityPrivilege	1700	{55747614-4727-43e4-B282-EC8F73AEF670}.exe
Token: SeIncBasePriorityPrivilege	3152	{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe
Token: SeIncBasePriorityPrivilege	1116	{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe
Token: SeIncBasePriorityPrivilege	3496	{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe
Token: SeIncBasePriorityPrivilege	376	{B661D20B-715A-4f22-A03D-94F996333C7E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3808 wrote to memory of 4932	3808	2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe	{42032FE4-817C-4b1a-933F-E31D190830EE}.exe
PID 3808 wrote to memory of 4932	3808	2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe	{42032FE4-817C-4b1a-933F-E31D190830EE}.exe
PID 3808 wrote to memory of 4932	3808	2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe	{42032FE4-817C-4b1a-933F-E31D190830EE}.exe
PID 3808 wrote to memory of 764	3808	2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe	cmd.exe
PID 3808 wrote to memory of 764	3808	2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe	cmd.exe
PID 3808 wrote to memory of 764	3808	2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe	cmd.exe
PID 4932 wrote to memory of 1592	4932	{42032FE4-817C-4b1a-933F-E31D190830EE}.exe	{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe
PID 4932 wrote to memory of 1592	4932	{42032FE4-817C-4b1a-933F-E31D190830EE}.exe	{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe
PID 4932 wrote to memory of 1592	4932	{42032FE4-817C-4b1a-933F-E31D190830EE}.exe	{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe
PID 4932 wrote to memory of 544	4932	{42032FE4-817C-4b1a-933F-E31D190830EE}.exe	cmd.exe
PID 4932 wrote to memory of 544	4932	{42032FE4-817C-4b1a-933F-E31D190830EE}.exe	cmd.exe
PID 4932 wrote to memory of 544	4932	{42032FE4-817C-4b1a-933F-E31D190830EE}.exe	cmd.exe
PID 1592 wrote to memory of 2728	1592	{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe	{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe
PID 1592 wrote to memory of 2728	1592	{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe	{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe
PID 1592 wrote to memory of 2728	1592	{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe	{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe
PID 1592 wrote to memory of 3508	1592	{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe	cmd.exe
PID 1592 wrote to memory of 3508	1592	{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe	cmd.exe
PID 1592 wrote to memory of 3508	1592	{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe	cmd.exe
PID 2728 wrote to memory of 1068	2728	{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe	{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe
PID 2728 wrote to memory of 1068	2728	{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe	{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe
PID 2728 wrote to memory of 1068	2728	{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe	{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe
PID 2728 wrote to memory of 3084	2728	{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe	cmd.exe
PID 2728 wrote to memory of 3084	2728	{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe	cmd.exe
PID 2728 wrote to memory of 3084	2728	{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe	cmd.exe
PID 1068 wrote to memory of 2236	1068	{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe	{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe
PID 1068 wrote to memory of 2236	1068	{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe	{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe
PID 1068 wrote to memory of 2236	1068	{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe	{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe
PID 1068 wrote to memory of 1284	1068	{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe	cmd.exe
PID 1068 wrote to memory of 1284	1068	{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe	cmd.exe
PID 1068 wrote to memory of 1284	1068	{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe	cmd.exe
PID 2236 wrote to memory of 4152	2236	{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe	{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe
PID 2236 wrote to memory of 4152	2236	{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe	{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe
PID 2236 wrote to memory of 4152	2236	{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe	{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe
PID 2236 wrote to memory of 2204	2236	{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe	cmd.exe
PID 2236 wrote to memory of 2204	2236	{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe	cmd.exe
PID 2236 wrote to memory of 2204	2236	{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe	cmd.exe
PID 4152 wrote to memory of 1700	4152	{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe	{55747614-4727-43e4-B282-EC8F73AEF670}.exe
PID 4152 wrote to memory of 1700	4152	{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe	{55747614-4727-43e4-B282-EC8F73AEF670}.exe
PID 4152 wrote to memory of 1700	4152	{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe	{55747614-4727-43e4-B282-EC8F73AEF670}.exe
PID 4152 wrote to memory of 2812	4152	{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe	cmd.exe
PID 4152 wrote to memory of 2812	4152	{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe	cmd.exe
PID 4152 wrote to memory of 2812	4152	{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe	cmd.exe
PID 1700 wrote to memory of 3152	1700	{55747614-4727-43e4-B282-EC8F73AEF670}.exe	{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe
PID 1700 wrote to memory of 3152	1700	{55747614-4727-43e4-B282-EC8F73AEF670}.exe	{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe
PID 1700 wrote to memory of 3152	1700	{55747614-4727-43e4-B282-EC8F73AEF670}.exe	{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe
PID 1700 wrote to memory of 4196	1700	{55747614-4727-43e4-B282-EC8F73AEF670}.exe	cmd.exe
PID 1700 wrote to memory of 4196	1700	{55747614-4727-43e4-B282-EC8F73AEF670}.exe	cmd.exe
PID 1700 wrote to memory of 4196	1700	{55747614-4727-43e4-B282-EC8F73AEF670}.exe	cmd.exe
PID 3152 wrote to memory of 1116	3152	{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe	{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe
PID 3152 wrote to memory of 1116	3152	{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe	{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe
PID 3152 wrote to memory of 1116	3152	{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe	{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe
PID 3152 wrote to memory of 1848	3152	{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe	cmd.exe
PID 3152 wrote to memory of 1848	3152	{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe	cmd.exe
PID 3152 wrote to memory of 1848	3152	{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe	cmd.exe
PID 1116 wrote to memory of 3496	1116	{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe	{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe
PID 1116 wrote to memory of 3496	1116	{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe	{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe
PID 1116 wrote to memory of 3496	1116	{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe	{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe
PID 1116 wrote to memory of 3448	1116	{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe	cmd.exe
PID 1116 wrote to memory of 3448	1116	{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe	cmd.exe
PID 1116 wrote to memory of 3448	1116	{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe	cmd.exe
PID 3496 wrote to memory of 376	3496	{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe	{B661D20B-715A-4f22-A03D-94F996333C7E}.exe
PID 3496 wrote to memory of 376	3496	{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe	{B661D20B-715A-4f22-A03D-94F996333C7E}.exe
PID 3496 wrote to memory of 376	3496	{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe	{B661D20B-715A-4f22-A03D-94F996333C7E}.exe
PID 3496 wrote to memory of 2208	3496	{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_669a3e507dbfcb2ef85f6b02da12c0fe_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\{42032FE4-817C-4b1a-933F-E31D190830EE}.exe
C:\Windows\{42032FE4-817C-4b1a-933F-E31D190830EE}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe
C:\Windows\{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A6D7C~1.EXE > nul
4⤵
PID:3508

C:\Windows\{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe
C:\Windows\{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe
C:\Windows\{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe
C:\Windows\{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe
C:\Windows\{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\{55747614-4727-43e4-B282-EC8F73AEF670}.exe
C:\Windows\{55747614-4727-43e4-B282-EC8F73AEF670}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe
C:\Windows\{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe
C:\Windows\{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe
C:\Windows\{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\{B661D20B-715A-4f22-A03D-94F996333C7E}.exe
C:\Windows\{B661D20B-715A-4f22-A03D-94F996333C7E}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\{E95649B3-F4AE-4169-9CC4-6499664D53DF}.exe
C:\Windows\{E95649B3-F4AE-4169-9CC4-6499664D53DF}.exe
13⤵
- Executes dropped EXE
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B661D~1.EXE > nul
13⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F1B60~1.EXE > nul
12⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{59913~1.EXE > nul
11⤵
PID:3448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{34A03~1.EXE > nul
10⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{55747~1.EXE > nul
9⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EE741~1.EXE > nul
8⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AA28A~1.EXE > nul
7⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6ADBB~1.EXE > nul
6⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D50D1~1.EXE > nul
5⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{42032~1.EXE > nul
3⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{34A03981-67A4-4a13-89C6-955B99EAF0D8}.exe
Filesize
408KB

MD5
09e9931640606469c0ca391a71ba385d

SHA1
a0ef67d417846aa95b550bec091eb997a83aa664

SHA256
92654bdb86293e4ad2738bf7b69f1908274682688b89c9e9d81e94dd0505ec93

SHA512
4244d38071df060a0ba2a5c6ffc4acd0177a9cae16c0101f054a2b3f62b23c49733c228c844abc54756330d0a9d40c5766dc6903584085b4e460c2a5674031d0

Download Submit
C:\Windows\{42032FE4-817C-4b1a-933F-E31D190830EE}.exe
Filesize
408KB

MD5
38ad385dedd8c4ef01b883777eba14b7

SHA1
637b89a7729091dda3313d9cf4c1c2430c7db8f3

SHA256
f47327db1ae5c0dd4e73ede42bf33bafe68ebd5111e25899fcbb7a6cf4cd2913

SHA512
1d209c8b7a48cf4bf933dbeed9a134ef0400899a6945388047101d668d3646743fa5d87d060547f884d7f21e36cfc64955f193bca7718feb79f7c62f30b305c9

Download Submit
C:\Windows\{55747614-4727-43e4-B282-EC8F73AEF670}.exe
Filesize
408KB

MD5
36b986035c31ac60c29d5e708ff30732

SHA1
881d118fd2a852c54b60e5eb6027f53f3594d930

SHA256
6120ab5bfa77cd146cb200949c139a91f6346a4b528f87e744854f90fa4974c5

SHA512
b10f9c058d4e3cff985d01eefc999e499eef30cdd106d5345977f2d691211ef81a7f0d5ea13e2b730e11ea14a2361f62d59cc8dbdfe911721856fd00328a8508

Download Submit
C:\Windows\{5991344B-E73C-43d8-AB72-FE3DE2411888}.exe
Filesize
408KB

MD5
1e8009a1e0e5baba65a39301d5b8c8d3

SHA1
19a588402e5bb4973a315c07d38c594b15b8f1a4

SHA256
e7879bb70bb4bd83a745967730d6a867e5e73ba382ec867a016d55eb505d8281

SHA512
70e1d45501897cdd4432c52b0dacf693b3d1af5acef218c812ea8bc6793a36972777ee3430f7d455d1c040cc9734dc037403bf230fee0d90daf18acedec952db

Download Submit
C:\Windows\{6ADBB96D-6AEB-4061-93C4-4D3011EF5789}.exe
Filesize
408KB

MD5
aa4abb6e3303551f763ef84433707f1d

SHA1
649c550e864e2701de634dcd976efa0ad533fcea

SHA256
156ca04750d250061823849844dae6f569d9446fe1046b1a111f137d7f02a211

SHA512
8577dc7067ebda5e131436bdb65d638db4d1d9f3b31d562aeaf77b3023411dcbbe4aa79fc6d880a89d9e777063e19e1b69b85f300ca841d70be2066aae598a57

Download Submit
C:\Windows\{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe
Filesize
314KB

MD5
ae844be291e651fbba0d3458ed73a91b

SHA1
27195874b3c121b298de876276a7b4f90453b80a

SHA256
7cd044f86c3e20b72c7ecbe0bf2c3951e26092c63ee1e019d678fbfdbac85bcf

SHA512
6b8400db8bb3661b61bd4e3f51e4267b015bf587372d25c0a8ce71107b5e2866bce60860154a601bf5ea669e51031b760bc4c6365f4777745fae569835c18984

Download Submit
C:\Windows\{A6D7C0F8-E598-4114-868F-A10A4EADD79E}.exe
Filesize
408KB

MD5
dc6018ffd88983a6f6db234dafbd8617

SHA1
a40fa522be9617554c798ab513af715d27a9528e

SHA256
229d29e0473c4be434ac318f8f7b10be05a2df844ade58c08982a5d805645ee2

SHA512
c3574b326ad652ce2046bb7ae8fe31fa7f05a641c271709631ca0cc6c7826f91d5561a948f97a1370f1c3625441c72bf1ca322ee1705e29615dde328f2785c30

Download Submit
C:\Windows\{AA28AE6B-C0EC-4680-8DC1-2C364FD6BECF}.exe
Filesize
408KB

MD5
8166da34b91dc8ec7de3781e015303bd

SHA1
3c62fd1d550f6d7c0315f55273bd34ecf52b4c94

SHA256
32b46ca4f7ec9d82ec3290e900ca9c953d5651aa2d650136263a422cff947404

SHA512
522e9d9d135d04e344a3ad3a6f4c3244d7eb49f84ec81691165eb65df2701946c6403e4ee21ae63e984201e021c984990737aa28ce6479a5a1f160d18a36bddb

Download Submit
C:\Windows\{B661D20B-715A-4f22-A03D-94F996333C7E}.exe
Filesize
408KB

MD5
1d8248f55aa543842e9fa25b5977f487

SHA1
9edb9a8571d20569fe5b213d6d9393b946446c1c

SHA256
9ff12fc53aeac74f47287e45db2bf679aaa78b453284117d2a3b130c5931e56d

SHA512
719eeff3632bc8d99b90863ca4b7f9ff03109ee2a29d20a826844a163da16ab9f391e4553b3cb0406b795937f363eeb1f8b65772a53a016cdb7a43f76d591070

Download Submit
C:\Windows\{D50D14CC-A444-4ead-9820-DBA2D2608F0D}.exe
Filesize
408KB

MD5
c780cb81103f2b6ed38af2a47de678af

SHA1
595dcf99ca14600fe0b2a5a7f3cff8ede00a0455

SHA256
9e2df85318c8ab12af7deb7f1c5b740213d52a9cc039d2b357d5c0091fc053f3

SHA512
5e6112121f8a098a3251b663ecf32e12ad4d148d94f76372777fd7ff66102095271d65b7606cd92d769a5dc3dfe60c58d30ada62a767c33057cc8a15b85bd347

Download Submit
C:\Windows\{E95649B3-F4AE-4169-9CC4-6499664D53DF}.exe
Filesize
408KB

MD5
ad442c64f7f925a7d7679914d040e053

SHA1
b84f734165c0a530bac44fd2c75e4775704cb88c

SHA256
3796c123619d98708a443954be170110fb664e410c520c3075583935ba7589e6

SHA512
f3da320bc4eb8a935cae1caa44ddadd8fb787526c04102c4405f2b2c6b60b83fcb90fe7ea2cbf6d9d3b3fe74b1ac9d4a06a564c50dbae844346650489b021478

Download Submit
C:\Windows\{EE741CDD-B304-4ecc-82A7-D8C0652B204C}.exe
Filesize
408KB

MD5
99c4d6b5c2efe4b354c15511a94e4f5a

SHA1
1c8874c3f1b7ae962d5ba14fb208934bafb9aee9

SHA256
93a80c00cc30847cf2ee17d2d44259abad169114922d65b7550cb6d47369f0b4

SHA512
3d864b591e511aa388f1a0f0bda63ae43952a65081c26aac52115a3e5e4219a3eeaa72c663f78ac9f360dfff94fcc352cb57c40c9e06e93eec9eabe9d71cb9a4

Download Submit
C:\Windows\{F1B60EF4-1DBF-4f2b-99B7-87ACA1E41685}.exe
Filesize
408KB

MD5
6cf2f4302fb047a94656207d4897d124

SHA1
962648baa1e40255001240b202ed5f327178add0

SHA256
f598351e23b85e44d715c6a8f1b81177c82131a5226afe5cbb8124d4c7ab5abe

SHA512
2922e1c4ddda0eb313a30eb30cdcb0bd763be453959ecd8a94add3d8783e5d19dd6d43169aafb0f32665777ed748e8a7d698509d8c578d1039779b9d5d6577db

Download Submit