9cd5791ec2b1578dd2c882a4c74e660649b60416780ca921984bbb2de16b69e6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe
Size

180KB
MD5

6c95a31298c2f30c2ebd563aa054f496
SHA1

70c2ae1b4d89a6a27aa08ebd07cda5e77390f20c
SHA256

9cd5791ec2b1578dd2c882a4c74e660649b60416780ca921984bbb2de16b69e6
SHA512

6a3b3bbbe87e2f121c3e4ca6943ccbf67ac0fb4939594a3f369151cb23dda4b50823b8fa9fabbbfb61ebe131236b1f624f5058f421c3de4ffeaa04cbd29b2cd4
SSDEEP

3072:jEGh0oslfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGKl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9BF45106-F83E-4061-9957-51971623C978}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6CF8442D-EB01-418a-96AB-70B879B19042}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B2C37729-E137-4592-BF6A-837D089B0A01}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{46EC41C4-A813-49cc-AE29-D0D6D7EC66ED}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe{B2C37729-E137-4592-BF6A-837D089B0A01}.exe{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe{6CF8442D-EB01-418a-96AB-70B879B19042}.exe{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe{9BF45106-F83E-4061-9957-51971623C978}.exe{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2C37729-E137-4592-BF6A-837D089B0A01}\stubpath = "C:\\Windows\\{B2C37729-E137-4592-BF6A-837D089B0A01}.exe"	{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{221211A7-0A5F-4e3b-9047-20C51B1039FB}	{B2C37729-E137-4592-BF6A-837D089B0A01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B9478E2-5AED-4339-9D14-992A1E28BC4E}	{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}	{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79FACFB7-4216-4c9c-94AB-9BFA98342272}	{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46EC41C4-A813-49cc-AE29-D0D6D7EC66ED}	{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF243A63-FAA7-4667-A4F1-A29854F89FDD}\stubpath = "C:\\Windows\\{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe"	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D98A143-19EF-415c-B865-BCCA1BC4968D}\stubpath = "C:\\Windows\\{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe"	{6CF8442D-EB01-418a-96AB-70B879B19042}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}\stubpath = "C:\\Windows\\{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe"	{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2DB8776-B4C6-42cb-884F-C52B314D64C7}	{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2DB8776-B4C6-42cb-884F-C52B314D64C7}\stubpath = "C:\\Windows\\{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe"	{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79FACFB7-4216-4c9c-94AB-9BFA98342272}\stubpath = "C:\\Windows\\{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe"	{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CF8442D-EB01-418a-96AB-70B879B19042}	{9BF45106-F83E-4061-9957-51971623C978}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2C37729-E137-4592-BF6A-837D089B0A01}	{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BF45106-F83E-4061-9957-51971623C978}\stubpath = "C:\\Windows\\{9BF45106-F83E-4061-9957-51971623C978}.exe"	{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CF8442D-EB01-418a-96AB-70B879B19042}\stubpath = "C:\\Windows\\{6CF8442D-EB01-418a-96AB-70B879B19042}.exe"	{9BF45106-F83E-4061-9957-51971623C978}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D98A143-19EF-415c-B865-BCCA1BC4968D}	{6CF8442D-EB01-418a-96AB-70B879B19042}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B9478E2-5AED-4339-9D14-992A1E28BC4E}\stubpath = "C:\\Windows\\{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe"	{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{221211A7-0A5F-4e3b-9047-20C51B1039FB}\stubpath = "C:\\Windows\\{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe"	{B2C37729-E137-4592-BF6A-837D089B0A01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}	{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF243A63-FAA7-4667-A4F1-A29854F89FDD}	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BF45106-F83E-4061-9957-51971623C978}	{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}\stubpath = "C:\\Windows\\{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe"	{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46EC41C4-A813-49cc-AE29-D0D6D7EC66ED}\stubpath = "C:\\Windows\\{46EC41C4-A813-49cc-AE29-D0D6D7EC66ED}.exe"	{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe

Executes dropped EXE 12 IoCs

Processes:

{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe{9BF45106-F83E-4061-9957-51971623C978}.exe{6CF8442D-EB01-418a-96AB-70B879B19042}.exe{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe{B2C37729-E137-4592-BF6A-837D089B0A01}.exe{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe{46EC41C4-A813-49cc-AE29-D0D6D7EC66ED}.exe

pid	process
3252	{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe
4476	{9BF45106-F83E-4061-9957-51971623C978}.exe
1848	{6CF8442D-EB01-418a-96AB-70B879B19042}.exe
2160	{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe
3256	{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe
3604	{B2C37729-E137-4592-BF6A-837D089B0A01}.exe
4540	{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe
708	{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe
3124	{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe
1164	{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe
1828	{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe
1700	{46EC41C4-A813-49cc-AE29-D0D6D7EC66ED}.exe

Drops file in Windows directory 12 IoCs

Processes:

{9BF45106-F83E-4061-9957-51971623C978}.exe{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe{6CF8442D-EB01-418a-96AB-70B879B19042}.exe{B2C37729-E137-4592-BF6A-837D089B0A01}.exe{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe

description	ioc	process
File created	C:\Windows\{6CF8442D-EB01-418a-96AB-70B879B19042}.exe	{9BF45106-F83E-4061-9957-51971623C978}.exe
File created	C:\Windows\{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe	{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe
File created	C:\Windows\{B2C37729-E137-4592-BF6A-837D089B0A01}.exe	{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe
File created	C:\Windows\{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe	{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe
File created	C:\Windows\{9BF45106-F83E-4061-9957-51971623C978}.exe	{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe
File created	C:\Windows\{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe	{6CF8442D-EB01-418a-96AB-70B879B19042}.exe
File created	C:\Windows\{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe	{B2C37729-E137-4592-BF6A-837D089B0A01}.exe
File created	C:\Windows\{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe	{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe
File created	C:\Windows\{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe	{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe
File created	C:\Windows\{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe	{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe
File created	C:\Windows\{46EC41C4-A813-49cc-AE29-D0D6D7EC66ED}.exe	{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe
File created	C:\Windows\{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe{9BF45106-F83E-4061-9957-51971623C978}.exe{6CF8442D-EB01-418a-96AB-70B879B19042}.exe{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe{B2C37729-E137-4592-BF6A-837D089B0A01}.exe{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2800	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3252	{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe
Token: SeIncBasePriorityPrivilege	4476	{9BF45106-F83E-4061-9957-51971623C978}.exe
Token: SeIncBasePriorityPrivilege	1848	{6CF8442D-EB01-418a-96AB-70B879B19042}.exe
Token: SeIncBasePriorityPrivilege	2160	{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe
Token: SeIncBasePriorityPrivilege	3256	{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe
Token: SeIncBasePriorityPrivilege	3604	{B2C37729-E137-4592-BF6A-837D089B0A01}.exe
Token: SeIncBasePriorityPrivilege	4540	{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe
Token: SeIncBasePriorityPrivilege	708	{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe
Token: SeIncBasePriorityPrivilege	3124	{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe
Token: SeIncBasePriorityPrivilege	1164	{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe
Token: SeIncBasePriorityPrivilege	1828	{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2800 wrote to memory of 3252	2800	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe	{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe
PID 2800 wrote to memory of 3252	2800	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe	{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe
PID 2800 wrote to memory of 3252	2800	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe	{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe
PID 2800 wrote to memory of 2032	2800	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe	cmd.exe
PID 2800 wrote to memory of 2032	2800	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe	cmd.exe
PID 2800 wrote to memory of 2032	2800	2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe	cmd.exe
PID 3252 wrote to memory of 4476	3252	{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe	{9BF45106-F83E-4061-9957-51971623C978}.exe
PID 3252 wrote to memory of 4476	3252	{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe	{9BF45106-F83E-4061-9957-51971623C978}.exe
PID 3252 wrote to memory of 4476	3252	{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe	{9BF45106-F83E-4061-9957-51971623C978}.exe
PID 3252 wrote to memory of 4532	3252	{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe	cmd.exe
PID 3252 wrote to memory of 4532	3252	{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe	cmd.exe
PID 3252 wrote to memory of 4532	3252	{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe	cmd.exe
PID 4476 wrote to memory of 1848	4476	{9BF45106-F83E-4061-9957-51971623C978}.exe	{6CF8442D-EB01-418a-96AB-70B879B19042}.exe
PID 4476 wrote to memory of 1848	4476	{9BF45106-F83E-4061-9957-51971623C978}.exe	{6CF8442D-EB01-418a-96AB-70B879B19042}.exe
PID 4476 wrote to memory of 1848	4476	{9BF45106-F83E-4061-9957-51971623C978}.exe	{6CF8442D-EB01-418a-96AB-70B879B19042}.exe
PID 4476 wrote to memory of 5072	4476	{9BF45106-F83E-4061-9957-51971623C978}.exe	cmd.exe
PID 4476 wrote to memory of 5072	4476	{9BF45106-F83E-4061-9957-51971623C978}.exe	cmd.exe
PID 4476 wrote to memory of 5072	4476	{9BF45106-F83E-4061-9957-51971623C978}.exe	cmd.exe
PID 1848 wrote to memory of 2160	1848	{6CF8442D-EB01-418a-96AB-70B879B19042}.exe	{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe
PID 1848 wrote to memory of 2160	1848	{6CF8442D-EB01-418a-96AB-70B879B19042}.exe	{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe
PID 1848 wrote to memory of 2160	1848	{6CF8442D-EB01-418a-96AB-70B879B19042}.exe	{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe
PID 1848 wrote to memory of 3672	1848	{6CF8442D-EB01-418a-96AB-70B879B19042}.exe	cmd.exe
PID 1848 wrote to memory of 3672	1848	{6CF8442D-EB01-418a-96AB-70B879B19042}.exe	cmd.exe
PID 1848 wrote to memory of 3672	1848	{6CF8442D-EB01-418a-96AB-70B879B19042}.exe	cmd.exe
PID 2160 wrote to memory of 3256	2160	{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe	{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe
PID 2160 wrote to memory of 3256	2160	{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe	{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe
PID 2160 wrote to memory of 3256	2160	{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe	{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe
PID 2160 wrote to memory of 5052	2160	{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe	cmd.exe
PID 2160 wrote to memory of 5052	2160	{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe	cmd.exe
PID 2160 wrote to memory of 5052	2160	{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe	cmd.exe
PID 3256 wrote to memory of 3604	3256	{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe	{B2C37729-E137-4592-BF6A-837D089B0A01}.exe
PID 3256 wrote to memory of 3604	3256	{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe	{B2C37729-E137-4592-BF6A-837D089B0A01}.exe
PID 3256 wrote to memory of 3604	3256	{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe	{B2C37729-E137-4592-BF6A-837D089B0A01}.exe
PID 3256 wrote to memory of 3296	3256	{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe	cmd.exe
PID 3256 wrote to memory of 3296	3256	{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe	cmd.exe
PID 3256 wrote to memory of 3296	3256	{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe	cmd.exe
PID 3604 wrote to memory of 4540	3604	{B2C37729-E137-4592-BF6A-837D089B0A01}.exe	{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe
PID 3604 wrote to memory of 4540	3604	{B2C37729-E137-4592-BF6A-837D089B0A01}.exe	{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe
PID 3604 wrote to memory of 4540	3604	{B2C37729-E137-4592-BF6A-837D089B0A01}.exe	{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe
PID 3604 wrote to memory of 3464	3604	{B2C37729-E137-4592-BF6A-837D089B0A01}.exe	cmd.exe
PID 3604 wrote to memory of 3464	3604	{B2C37729-E137-4592-BF6A-837D089B0A01}.exe	cmd.exe
PID 3604 wrote to memory of 3464	3604	{B2C37729-E137-4592-BF6A-837D089B0A01}.exe	cmd.exe
PID 4540 wrote to memory of 708	4540	{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe	{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe
PID 4540 wrote to memory of 708	4540	{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe	{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe
PID 4540 wrote to memory of 708	4540	{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe	{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe
PID 4540 wrote to memory of 2076	4540	{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe	cmd.exe
PID 4540 wrote to memory of 2076	4540	{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe	cmd.exe
PID 4540 wrote to memory of 2076	4540	{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe	cmd.exe
PID 708 wrote to memory of 3124	708	{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe	{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe
PID 708 wrote to memory of 3124	708	{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe	{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe
PID 708 wrote to memory of 3124	708	{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe	{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe
PID 708 wrote to memory of 4428	708	{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe	cmd.exe
PID 708 wrote to memory of 4428	708	{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe	cmd.exe
PID 708 wrote to memory of 4428	708	{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe	cmd.exe
PID 3124 wrote to memory of 1164	3124	{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe	{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe
PID 3124 wrote to memory of 1164	3124	{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe	{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe
PID 3124 wrote to memory of 1164	3124	{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe	{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe
PID 3124 wrote to memory of 3292	3124	{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe	cmd.exe
PID 3124 wrote to memory of 3292	3124	{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe	cmd.exe
PID 3124 wrote to memory of 3292	3124	{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe	cmd.exe
PID 1164 wrote to memory of 1828	1164	{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe	{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe
PID 1164 wrote to memory of 1828	1164	{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe	{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe
PID 1164 wrote to memory of 1828	1164	{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe	{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe
PID 1164 wrote to memory of 3792	1164	{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_6c95a31298c2f30c2ebd563aa054f496_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe
C:\Windows\{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\{9BF45106-F83E-4061-9957-51971623C978}.exe
C:\Windows\{9BF45106-F83E-4061-9957-51971623C978}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9BF45~1.EXE > nul
4⤵
PID:5072

C:\Windows\{6CF8442D-EB01-418a-96AB-70B879B19042}.exe
C:\Windows\{6CF8442D-EB01-418a-96AB-70B879B19042}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe
C:\Windows\{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe
C:\Windows\{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\{B2C37729-E137-4592-BF6A-837D089B0A01}.exe
C:\Windows\{B2C37729-E137-4592-BF6A-837D089B0A01}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe
C:\Windows\{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe
C:\Windows\{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe
C:\Windows\{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe
C:\Windows\{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe
C:\Windows\{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\{46EC41C4-A813-49cc-AE29-D0D6D7EC66ED}.exe
C:\Windows\{46EC41C4-A813-49cc-AE29-D0D6D7EC66ED}.exe
13⤵
- Executes dropped EXE
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{79FAC~1.EXE > nul
13⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{64B1D~1.EXE > nul
12⤵
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C2DB8~1.EXE > nul
11⤵
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DA217~1.EXE > nul
10⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{22121~1.EXE > nul
9⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B2C37~1.EXE > nul
8⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9B947~1.EXE > nul
7⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7D98A~1.EXE > nul
6⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6CF84~1.EXE > nul
5⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CF243~1.EXE > nul
3⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{221211A7-0A5F-4e3b-9047-20C51B1039FB}.exe

Filesize
180KB

MD5
e3e07a61ead8013d98585dc1f880135e

SHA1
d0ac798981c8f40ec8c1834ba551798f19816d54

SHA256
f5457577f80b6eb89a075410ca0f02c6c798149e4b2e55cb9f869ecb4e98eb80

SHA512
78904ac89022318db64d795b253e85001aa063f0e3b52b3572ffb2a4c0e1f00fccdbbba825834142e736d3274d00a2a8df3836d137127bab1a0bc605b4d2290a

Download Submit
C:\Windows\{46EC41C4-A813-49cc-AE29-D0D6D7EC66ED}.exe

Filesize
180KB

MD5
b49b19e2cd3e13ae3600e63f75fbae5d

SHA1
d30b845c8897db3c09c04abdc1efffc519514f6e

SHA256
50a60b17c7a14da093eaa2eb0086dade07bd1947ba9c4a449832eeedfafc90fb

SHA512
e7e41bfc91c3488db7bfb150f9a45a8de78d83112bcf85c7b3660313378699be91c188c1b3905ad8532d3ca8d94cbb691fe6ccb539a420e3a28ce02f27d8b075

Download Submit
C:\Windows\{64B1D5DD-0F7E-4e18-9833-79BFCA20C1BF}.exe

Filesize
180KB

MD5
926c2ace6f0ffa16bbfff615578d321a

SHA1
d13fa70b3ac6317ddd80674f9d0dfe23ede4624c

SHA256
4966565b1066e039ca028edd282e7b3d3e1c7abf41d771c1c41b5e7ee56c354b

SHA512
362737820dfb193ace12ca07b182640c986cde456527798d3847c04e4dac5d7fb01849b28304b8309c72153dfdcddfbc69536297abeb6daba43c19fc8dae83f3

Download Submit
C:\Windows\{6CF8442D-EB01-418a-96AB-70B879B19042}.exe

Filesize
180KB

MD5
804b8c976e85100aa067d00190442971

SHA1
54b1ae8c555610aabc864f8fe6b1e31dc9e7570a

SHA256
d69a66d0fd4cf35f6cfe883c5085f7a921e22cd04ad02395844bf0f6631c4ccc

SHA512
c714e21d1a33f532f93a0c6af1d2bb53be2699d7e7e7d079e4797e219deb54eb3b32262de184996700dc3af0ac70fe8f3966409c353488e56d4f2e87f2c1eb6a

Download Submit
C:\Windows\{79FACFB7-4216-4c9c-94AB-9BFA98342272}.exe

Filesize
180KB

MD5
929b3c5063989b781c6a22ca57d96c8e

SHA1
27f7c76905b4205e05f1822b1e561521000b31ce

SHA256
c533d796be1de23b21f93208b6f74a6d39007537850e302318f5c506e8cc16bd

SHA512
4634821011928022009ff230da076eea83f0abf9f9312a818f767c2252cf97663ca53f8802a12846492854b747d99f2317cd0253afe95cf79a1c36adb3023ea1

Download Submit
C:\Windows\{7D98A143-19EF-415c-B865-BCCA1BC4968D}.exe

Filesize
180KB

MD5
30a4e8c8867510482371e2256fefcc7b

SHA1
208edb6c8b4766a0fb11720cb26086f12dc4f341

SHA256
57feb4c57d34a46ab1d6911e731896d932b77006b0ce1f8007837413bb49f5a9

SHA512
61598cadd315f79a970c34ae84f3be880edcfbf2b64fbaa1fb8377f4355f0985af72f15a4b426c757225159aca77da64738b41e36d1ca755b71daf070c0cc19a

Download Submit
C:\Windows\{9B9478E2-5AED-4339-9D14-992A1E28BC4E}.exe

Filesize
180KB

MD5
c8765f8aaf6e4f51c209e9e644bc53d6

SHA1
a4d5cc7eee6478e2e2f1a5532ba71b0ac19bccf4

SHA256
101d77cbda7709e3903523b599253063297b8d7fbba10b6087493d2df0d229f6

SHA512
96c8723fbe8d778467d3cb71506463eec010bcd7e9e85413be53bede26dcdf0f99f773baff930b1aa452cffd218eb307229be09e1f6965850d949faa62f334ad

Download Submit
C:\Windows\{9BF45106-F83E-4061-9957-51971623C978}.exe

Filesize
180KB

MD5
b1878a454f3941d5911b8b312bf6c592

SHA1
00943e7498efe4fdc684a4f31632bb3495704720

SHA256
42527682f4ebeb361f2b1bb0a555402a6dbe5bf15a208444961f1f101584e6f8

SHA512
8dbd666ef5ff965c5b9bfc0863c6b5ce83e12f032cd5d6bddfc97b9864a793f64193d432b536fea5e9baaeb7759434c31150a0c45f6f783bd19965ee4418fd9a

Download Submit
C:\Windows\{B2C37729-E137-4592-BF6A-837D089B0A01}.exe

Filesize
180KB

MD5
fdbe7fb9e58643da025de3df1384db4f

SHA1
e4aead64938bffcb5fdd7d754cb03758d0fefbf6

SHA256
2dea4ca286c3872eec182cf6c293121336796c9ddca16ec7d7b9eca54456f884

SHA512
b0f7633bac1941a0e94a1cc5c21d96819401efefd46b7b7362b193fb9c606b20dd4e4936fe459abbf418cef040bd369174b4606f61a381e9601e800727199263

Download Submit
C:\Windows\{C2DB8776-B4C6-42cb-884F-C52B314D64C7}.exe

Filesize
180KB

MD5
593502586e2465dacb53bb57546d3c9e

SHA1
d58595391b4bef1e019802379535c73783cc2332

SHA256
2c85173c777bd9b972f861ae4c760e024d373ecd76252f2853de9700f29c6d4d

SHA512
9f2811bb5df801e462caa47d4626f4539104b6807909fcedb764c7e417f2e9dca6cfadf1efcbe06f0a6236560d9b30123e4bdc8f57e02859d4d038cd7b1ab244

Download Submit
C:\Windows\{CF243A63-FAA7-4667-A4F1-A29854F89FDD}.exe

Filesize
180KB

MD5
91ffec7362a5f18b5e240279874df43b

SHA1
8f7cd145577832d07b9ed6933eb17b32f261b5a3

SHA256
2483f8f7cc28e6d4a154ee818bc4de4c47b6ba7e1006ee2e087c779a75ebc3a1

SHA512
e82d0bf8c28a47f0fc5acccc57bed10597b509d61efbf14198a5d11bbfbffdeaeae719729183f63b2396ae56449a3fa6cadd4c2ba22beaee8308fc655629c348

Download Submit
C:\Windows\{DA21769D-E59D-4e79-9BAE-02E82B9E3C55}.exe

Filesize
180KB

MD5
84270c478d3850c254433d613f3d8017

SHA1
115b462a82c2b43b302810dae149526860dfa467

SHA256
512d2e5b7609848cbf378f8b7379f6c4f6a3cc5b4ed27331f970066fc930466e

SHA512
6f215eddde37e05de0194414756d02a77199f1ad66d1896b0f888c9b28be02f37757d266c73a40a2d18d4376d182e6a5cb5c185f27cafb835125a07e8f87b2ec

Download Submit