32ee44992f71b79e2d8647ec4218bd7a3a61786da619d9fbcbef6b9bc86438a5

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe
Size

216KB
MD5

6a8772d5dc2c1f05c2df1b455339b5a7
SHA1

8b4c7b1b03883aab91ed9f4cd8fb3b89f19cfe6f
SHA256

32ee44992f71b79e2d8647ec4218bd7a3a61786da619d9fbcbef6b9bc86438a5
SHA512

b89c5609b0b73e4773f5a350fc8ebd9866c111d3c1bcca6d31db1c88725b4a5175ada99f54a63fd465bab801786fa8d30b55b9040f4288a02fa9e7be64dc6eaa
SSDEEP

3072:jEGh0osl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG+lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4203C36C-5703-43f8-969B-2331F5C747F3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8C93970D-A510-49d1-927C-599E8098E1CC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9A8894E9-B578-47cc-9699-70234732011A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{01FD6290-D688-4f73-A46F-AFCEB3100E51}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9EFEB9EA-D396-45ae-AA1C-772D0CB9B5E9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe{01FD6290-D688-4f73-A46F-AFCEB3100E51}.exe2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe{9A8894E9-B578-47cc-9699-70234732011A}.exe{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe{8C93970D-A510-49d1-927C-599E8098E1CC}.exe{4203C36C-5703-43f8-969B-2331F5C747F3}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4203C36C-5703-43f8-969B-2331F5C747F3}	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4203C36C-5703-43f8-969B-2331F5C747F3}\stubpath = "C:\\Windows\\{4203C36C-5703-43f8-969B-2331F5C747F3}.exe"	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7002FDE-6CFE-4fe0-93E7-259D8470E338}\stubpath = "C:\\Windows\\{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe"	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C93970D-A510-49d1-927C-599E8098E1CC}\stubpath = "C:\\Windows\\{8C93970D-A510-49d1-927C-599E8098E1CC}.exe"	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A8894E9-B578-47cc-9699-70234732011A}	{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EFEB9EA-D396-45ae-AA1C-772D0CB9B5E9}	{01FD6290-D688-4f73-A46F-AFCEB3100E51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EFEB9EA-D396-45ae-AA1C-772D0CB9B5E9}\stubpath = "C:\\Windows\\{9EFEB9EA-D396-45ae-AA1C-772D0CB9B5E9}.exe"	{01FD6290-D688-4f73-A46F-AFCEB3100E51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD312402-6F19-4739-8A2E-89EAE88CB644}	2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98F31E87-5F7C-4acd-94BB-CCE350B506C7}	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C93970D-A510-49d1-927C-599E8098E1CC}	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01FD6290-D688-4f73-A46F-AFCEB3100E51}	{9A8894E9-B578-47cc-9699-70234732011A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD312402-6F19-4739-8A2E-89EAE88CB644}\stubpath = "C:\\Windows\\{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe"	2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6F78CB6-AE9F-412a-8477-FF006EB94008}	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6F78CB6-AE9F-412a-8477-FF006EB94008}\stubpath = "C:\\Windows\\{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe"	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7002FDE-6CFE-4fe0-93E7-259D8470E338}	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A11D879-33B3-45b2-910E-9EDA19080D75}	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A11D879-33B3-45b2-910E-9EDA19080D75}\stubpath = "C:\\Windows\\{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe"	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A8894E9-B578-47cc-9699-70234732011A}\stubpath = "C:\\Windows\\{9A8894E9-B578-47cc-9699-70234732011A}.exe"	{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01FD6290-D688-4f73-A46F-AFCEB3100E51}\stubpath = "C:\\Windows\\{01FD6290-D688-4f73-A46F-AFCEB3100E51}.exe"	{9A8894E9-B578-47cc-9699-70234732011A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}\stubpath = "C:\\Windows\\{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe"	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98F31E87-5F7C-4acd-94BB-CCE350B506C7}\stubpath = "C:\\Windows\\{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe"	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2800 cmd.exe

pid	process
2800	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe{4203C36C-5703-43f8-969B-2331F5C747F3}.exe{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe{8C93970D-A510-49d1-927C-599E8098E1CC}.exe{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe{9A8894E9-B578-47cc-9699-70234732011A}.exe{01FD6290-D688-4f73-A46F-AFCEB3100E51}.exe{9EFEB9EA-D396-45ae-AA1C-772D0CB9B5E9}.exe

pid	process
2316	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe
2576	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe
2648	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe
2160	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe
2556	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe
2952	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe
652	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe
1620	{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe
1528	{9A8894E9-B578-47cc-9699-70234732011A}.exe
1720	{01FD6290-D688-4f73-A46F-AFCEB3100E51}.exe
3008	{9EFEB9EA-D396-45ae-AA1C-772D0CB9B5E9}.exe

Drops file in Windows directory 11 IoCs

Processes:

2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe{8C93970D-A510-49d1-927C-599E8098E1CC}.exe{9A8894E9-B578-47cc-9699-70234732011A}.exe{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe{4203C36C-5703-43f8-969B-2331F5C747F3}.exe{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe{01FD6290-D688-4f73-A46F-AFCEB3100E51}.exe

description	ioc	process
File created	C:\Windows\{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe	2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe
File created	C:\Windows\{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe
File created	C:\Windows\{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe
File created	C:\Windows\{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe
File created	C:\Windows\{01FD6290-D688-4f73-A46F-AFCEB3100E51}.exe	{9A8894E9-B578-47cc-9699-70234732011A}.exe
File created	C:\Windows\{4203C36C-5703-43f8-969B-2331F5C747F3}.exe	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe
File created	C:\Windows\{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe
File created	C:\Windows\{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe
File created	C:\Windows\{8C93970D-A510-49d1-927C-599E8098E1CC}.exe	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe
File created	C:\Windows\{9A8894E9-B578-47cc-9699-70234732011A}.exe	{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe
File created	C:\Windows\{9EFEB9EA-D396-45ae-AA1C-772D0CB9B5E9}.exe	{01FD6290-D688-4f73-A46F-AFCEB3100E51}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe{4203C36C-5703-43f8-969B-2331F5C747F3}.exe{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe{8C93970D-A510-49d1-927C-599E8098E1CC}.exe{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe{9A8894E9-B578-47cc-9699-70234732011A}.exe{01FD6290-D688-4f73-A46F-AFCEB3100E51}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1932	2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2316	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe
Token: SeIncBasePriorityPrivilege	2576	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe
Token: SeIncBasePriorityPrivilege	2648	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe
Token: SeIncBasePriorityPrivilege	2160	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe
Token: SeIncBasePriorityPrivilege	2556	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe
Token: SeIncBasePriorityPrivilege	2952	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe
Token: SeIncBasePriorityPrivilege	652	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe
Token: SeIncBasePriorityPrivilege	1620	{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe
Token: SeIncBasePriorityPrivilege	1528	{9A8894E9-B578-47cc-9699-70234732011A}.exe
Token: SeIncBasePriorityPrivilege	1720	{01FD6290-D688-4f73-A46F-AFCEB3100E51}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1932 wrote to memory of 2316	1932	2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe
PID 1932 wrote to memory of 2316	1932	2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe
PID 1932 wrote to memory of 2316	1932	2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe
PID 1932 wrote to memory of 2316	1932	2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe
PID 1932 wrote to memory of 2800	1932	2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe	cmd.exe
PID 1932 wrote to memory of 2800	1932	2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe	cmd.exe
PID 1932 wrote to memory of 2800	1932	2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe	cmd.exe
PID 1932 wrote to memory of 2800	1932	2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe	cmd.exe
PID 2316 wrote to memory of 2576	2316	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe
PID 2316 wrote to memory of 2576	2316	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe
PID 2316 wrote to memory of 2576	2316	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe
PID 2316 wrote to memory of 2576	2316	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe
PID 2316 wrote to memory of 2688	2316	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe	cmd.exe
PID 2316 wrote to memory of 2688	2316	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe	cmd.exe
PID 2316 wrote to memory of 2688	2316	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe	cmd.exe
PID 2316 wrote to memory of 2688	2316	{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe	cmd.exe
PID 2576 wrote to memory of 2648	2576	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe
PID 2576 wrote to memory of 2648	2576	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe
PID 2576 wrote to memory of 2648	2576	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe
PID 2576 wrote to memory of 2648	2576	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe
PID 2576 wrote to memory of 2620	2576	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe	cmd.exe
PID 2576 wrote to memory of 2620	2576	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe	cmd.exe
PID 2576 wrote to memory of 2620	2576	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe	cmd.exe
PID 2576 wrote to memory of 2620	2576	{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe	cmd.exe
PID 2648 wrote to memory of 2160	2648	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe
PID 2648 wrote to memory of 2160	2648	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe
PID 2648 wrote to memory of 2160	2648	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe
PID 2648 wrote to memory of 2160	2648	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe
PID 2648 wrote to memory of 588	2648	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe	cmd.exe
PID 2648 wrote to memory of 588	2648	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe	cmd.exe
PID 2648 wrote to memory of 588	2648	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe	cmd.exe
PID 2648 wrote to memory of 588	2648	{4203C36C-5703-43f8-969B-2331F5C747F3}.exe	cmd.exe
PID 2160 wrote to memory of 2556	2160	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe
PID 2160 wrote to memory of 2556	2160	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe
PID 2160 wrote to memory of 2556	2160	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe
PID 2160 wrote to memory of 2556	2160	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe
PID 2160 wrote to memory of 2888	2160	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe	cmd.exe
PID 2160 wrote to memory of 2888	2160	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe	cmd.exe
PID 2160 wrote to memory of 2888	2160	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe	cmd.exe
PID 2160 wrote to memory of 2888	2160	{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe	cmd.exe
PID 2556 wrote to memory of 2952	2556	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe
PID 2556 wrote to memory of 2952	2556	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe
PID 2556 wrote to memory of 2952	2556	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe
PID 2556 wrote to memory of 2952	2556	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe
PID 2556 wrote to memory of 2476	2556	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe	cmd.exe
PID 2556 wrote to memory of 2476	2556	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe	cmd.exe
PID 2556 wrote to memory of 2476	2556	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe	cmd.exe
PID 2556 wrote to memory of 2476	2556	{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe	cmd.exe
PID 2952 wrote to memory of 652	2952	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe
PID 2952 wrote to memory of 652	2952	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe
PID 2952 wrote to memory of 652	2952	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe
PID 2952 wrote to memory of 652	2952	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe
PID 2952 wrote to memory of 1960	2952	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe	cmd.exe
PID 2952 wrote to memory of 1960	2952	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe	cmd.exe
PID 2952 wrote to memory of 1960	2952	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe	cmd.exe
PID 2952 wrote to memory of 1960	2952	{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe	cmd.exe
PID 652 wrote to memory of 1620	652	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe	{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe
PID 652 wrote to memory of 1620	652	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe	{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe
PID 652 wrote to memory of 1620	652	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe	{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe
PID 652 wrote to memory of 1620	652	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe	{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe
PID 652 wrote to memory of 2640	652	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe	cmd.exe
PID 652 wrote to memory of 2640	652	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe	cmd.exe
PID 652 wrote to memory of 2640	652	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe	cmd.exe
PID 652 wrote to memory of 2640	652	{8C93970D-A510-49d1-927C-599E8098E1CC}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_6a8772d5dc2c1f05c2df1b455339b5a7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe
C:\Windows\{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe
C:\Windows\{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\{4203C36C-5703-43f8-969B-2331F5C747F3}.exe
C:\Windows\{4203C36C-5703-43f8-969B-2331F5C747F3}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe
C:\Windows\{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe
C:\Windows\{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe
C:\Windows\{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\{8C93970D-A510-49d1-927C-599E8098E1CC}.exe
C:\Windows\{8C93970D-A510-49d1-927C-599E8098E1CC}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe
C:\Windows\{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\{9A8894E9-B578-47cc-9699-70234732011A}.exe
C:\Windows\{9A8894E9-B578-47cc-9699-70234732011A}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\{01FD6290-D688-4f73-A46F-AFCEB3100E51}.exe
C:\Windows\{01FD6290-D688-4f73-A46F-AFCEB3100E51}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\{9EFEB9EA-D396-45ae-AA1C-772D0CB9B5E9}.exe
C:\Windows\{9EFEB9EA-D396-45ae-AA1C-772D0CB9B5E9}.exe
12⤵
- Executes dropped EXE
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{01FD6~1.EXE > nul
12⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9A889~1.EXE > nul
11⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7A11D~1.EXE > nul
10⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8C939~1.EXE > nul
9⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E7002~1.EXE > nul
8⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{98F31~1.EXE > nul
7⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{30712~1.EXE > nul
6⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4203C~1.EXE > nul
5⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B6F78~1.EXE > nul
4⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DD312~1.EXE > nul
3⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01FD6290-D688-4f73-A46F-AFCEB3100E51}.exe

Filesize
216KB

MD5
f0498d0f25196d5c840a3f0cd32800cf

SHA1
a2269f783b90bc14af13adc751cd8b000336c25d

SHA256
b5c3d13e86daa4db50128cb0778e205bceba5a9a68f4d96fc3d31be975f8861a

SHA512
4bdd31fe71d619f57836400e3a7c1905471b1c1bad3caafdf711a0c4e204a0765a55720b4ea3b0342b2bddad8b908f25550a7a5a55edf2112a297c83db3991b7

Download Submit
C:\Windows\{30712BC5-3EB4-48b0-8D50-FA764DADBD9F}.exe

Filesize
216KB

MD5
39f503a1294b0441bd48a5d37f3a370d

SHA1
82602126feebf930c40c413c344ce5b9b650f7d4

SHA256
dcbfae381e36c7db06fb8a937a83177b1c1293f55bb2f4404db8c82c781b8ffa

SHA512
7849ffcd0d13a761a585207d0f8afdb5899e9c7c90ab3c4dd1a5187fc341a3cd565c9e5b045b9f1c25722ff04d4589f1fd66712685f70023816834a7cd6deeb7

Download Submit
C:\Windows\{4203C36C-5703-43f8-969B-2331F5C747F3}.exe

Filesize
216KB

MD5
7d4e1a05efd89f5e9576a85c7228bd9b

SHA1
69b1c84553c724f353b8cb0b32e5906429ae3438

SHA256
93f2c562b60b81125ac2e7868809fc09c1605b5752ed283704bc8e82ae52e7c2

SHA512
1df8ce0528cd710575033f04412d6d89a5ed6e2c6ef93b65614ab67267306e6ad02ea68af0f3da85da0169d5e428183f9033466c20c40b83e0b3d5ceffb13f4f

Download Submit
C:\Windows\{7A11D879-33B3-45b2-910E-9EDA19080D75}.exe

Filesize
216KB

MD5
bd21547e4c40a1baee34926a6fd5c9c3

SHA1
ef734014b35ca47937f6853cad6db155950e67c9

SHA256
3498e8635cc333fa99b60f46b942e4249ae22b335f20ad5eb25ee4668eb165d5

SHA512
d009f8ec591dda5fe170b5809f9d52a8bef4231a086eb6aa359cb364700e251012c1f493532ee629242617e6155fbfcfa87d3ff79cef493dd4317d442b54ba92

Download Submit
C:\Windows\{8C93970D-A510-49d1-927C-599E8098E1CC}.exe

Filesize
216KB

MD5
4f547524322c7b337ba6d489b60ef7b8

SHA1
d5d3e1d2d10e1a7f09c7f046afb551a5ded796a7

SHA256
4b6cb5e7d49b2913a8a9dea58df6076236c3a3d9439c2665f8bf63098f0d3fcf

SHA512
ec5c5703819392f4d62bc69fdbd0bd012b28eb48e31516504a4d9b366abffd434a34bcd5500cfc14f8d2ef71300cc0f7b6729d29a93692255a76dcbc785ecdbf

Download Submit
C:\Windows\{98F31E87-5F7C-4acd-94BB-CCE350B506C7}.exe

Filesize
216KB

MD5
6d05ef486df43ab7933b128c93aa238a

SHA1
3f00cce752c4092b73f6b7c84140f615f2680c61

SHA256
d46b77542187950fd71d1e27a7ac8c910e5a7a037acdec53fabd2bb6a6ee09e0

SHA512
1c1a05c01873a7b1b88712e34dbfa572c98adca3b3545a69f9cd473fca1345a85231f7ba48a5c8ccb041ec9982df7b481e18e77912ba161e546a8d045d494909

Download Submit
C:\Windows\{9A8894E9-B578-47cc-9699-70234732011A}.exe

Filesize
216KB

MD5
cd215a4e584ebbb63e9460d08240c830

SHA1
d2b0ad46cdbca28d5afe4ceba5f1957d37873ff6

SHA256
9a731833733ba887667e7e4da614f1272087c796f1701ecf3fce1b2eda1113fa

SHA512
927ce610da71ad9d515fde47d0bb7660bc95727e521aa1329c699be918815205aaa3ba1f1e287fe1882841dc450b65ccbf8beb2651239a5dce87f068abf59d85

Download Submit
C:\Windows\{9EFEB9EA-D396-45ae-AA1C-772D0CB9B5E9}.exe

Filesize
216KB

MD5
dce1aa685d3300b54ed477f05d0eb10e

SHA1
14cd358ecff6239be871ec654c836a3844bac415

SHA256
9dffda32e217a39277e50af95d764af944953561a1898aa0678e5685e3fd7f66

SHA512
8ffafab51b957bf003460ad4b74555cdd60858c5ba98c4cbebe266cb953e2a48d57d3f633247618a79d9a427b65dc45037c94f5f79cf0b63e5c7b0c885d9f201

Download Submit
C:\Windows\{B6F78CB6-AE9F-412a-8477-FF006EB94008}.exe

Filesize
216KB

MD5
16e4e259d408c2dd6454db021c96a102

SHA1
9393dd4331fc7aeefd49e4e85163c1a272a865d8

SHA256
3106f45c8c485fc28c5e8867e059fa9fcf169f00b58d348280f524e4a8ca1216

SHA512
1774518ba84359c3036107d086fec0cf51f0440721b4edd4f250831d1d14662c034c5a519efc13597d23675b9ff9f512cfd7bc5914a1eb35865763cecf2afcee

Download Submit
C:\Windows\{DD312402-6F19-4739-8A2E-89EAE88CB644}.exe

Filesize
216KB

MD5
b267cfd49d1cf2e710d389b3667310a9

SHA1
0c2bf36dac437d7d07295c40d40d69f43f2fb26a

SHA256
a89ec142979647d0278a6f2f4156370efc812d470d5f40a8dd13867cfd10bc1c

SHA512
bd761110d2e5a9a91cd76d240351cd8c929266e4c07ea4a42fd5b0f64a91baac943c46a984712b2a4945da6665d276f8c946c74cb9e5ed22af214baf6c6a6f7c

Download Submit
C:\Windows\{E7002FDE-6CFE-4fe0-93E7-259D8470E338}.exe

Filesize
216KB

MD5
7fba4cced291879a650176b0b9415fb7

SHA1
87bb13d6f1cda1b9cd3c2021a35ca799b88bacd1

SHA256
7a07a5aaeaa4b82f1b89c53e2add63c17efdf1d2a9ed58d87d75ecae32411336

SHA512
53bd437b961d6a92ae5da294496ea2db29d356df4a9d23cf0674c9bcabb39dcf84236c780eddd90a0a5c3af18d2e228c10fb489caf035d51db03b48a06c29023

Download Submit