20a914e065277ddf631c84d45bf538b7dc1426f8360c02e40c6d2ce94b0ef395

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe
Size

408KB
MD5

83052f06014ba3284f9cf8ccaba105fb
SHA1

2fe6c06734e5e283d36b35243583c35cd1aa2d1b
SHA256

20a914e065277ddf631c84d45bf538b7dc1426f8360c02e40c6d2ce94b0ef395
SHA512

a50f6a2943c2badc68c830a6173329cce2ebad01273572e24daad82cddc1150787cd90fd11ce13e28d974440251bc74f713fb10a3170dd2a3411f10f27d603f4
SSDEEP

3072:CEGh0ojl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG9ldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

Processes:

resource	yara_rule
C:\Windows\{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{48D45D43-AC0C-490f-9271-AB11E364948E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B40D2FF3-1448-4585-8AB7-CD0EDEF3D73A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{48D45D43-AC0C-490f-9271-AB11E364948E}.exe{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}\stubpath = "C:\\Windows\\{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe"	{48D45D43-AC0C-490f-9271-AB11E364948E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}\stubpath = "C:\\Windows\\{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe"	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48D45D43-AC0C-490f-9271-AB11E364948E}	{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B40D2FF3-1448-4585-8AB7-CD0EDEF3D73A}	{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B40D2FF3-1448-4585-8AB7-CD0EDEF3D73A}\stubpath = "C:\\Windows\\{B40D2FF3-1448-4585-8AB7-CD0EDEF3D73A}.exe"	{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}\stubpath = "C:\\Windows\\{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe"	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79997AB7-8812-4b96-9F32-43E4DFEB284F}	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46C361E9-B927-49e6-8C17-341F7C7096FD}\stubpath = "C:\\Windows\\{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe"	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDFE542F-4E22-4600-A838-E67A8CF3870A}	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDFE542F-4E22-4600-A838-E67A8CF3870A}\stubpath = "C:\\Windows\\{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe"	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79997AB7-8812-4b96-9F32-43E4DFEB284F}\stubpath = "C:\\Windows\\{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe"	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}\stubpath = "C:\\Windows\\{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe"	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46C361E9-B927-49e6-8C17-341F7C7096FD}	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48D45D43-AC0C-490f-9271-AB11E364948E}\stubpath = "C:\\Windows\\{48D45D43-AC0C-490f-9271-AB11E364948E}.exe"	{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}	{48D45D43-AC0C-490f-9271-AB11E364948E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}\stubpath = "C:\\Windows\\{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe"	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}\stubpath = "C:\\Windows\\{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe"	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2064 cmd.exe

pid	process
2064	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe{48D45D43-AC0C-490f-9271-AB11E364948E}.exe{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe{B40D2FF3-1448-4585-8AB7-CD0EDEF3D73A}.exe

pid	process
2928	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe
2660	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe
2616	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe
2028	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe
2304	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe
2492	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe
320	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe
944	{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe
1368	{48D45D43-AC0C-490f-9271-AB11E364948E}.exe
2656	{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe
112	{B40D2FF3-1448-4585-8AB7-CD0EDEF3D73A}.exe

Drops file in Windows directory 11 IoCs

Processes:

{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe{48D45D43-AC0C-490f-9271-AB11E364948E}.exe2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe

description	ioc	process
File created	C:\Windows\{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe
File created	C:\Windows\{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe
File created	C:\Windows\{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe
File created	C:\Windows\{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe
File created	C:\Windows\{B40D2FF3-1448-4585-8AB7-CD0EDEF3D73A}.exe	{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe
File created	C:\Windows\{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe
File created	C:\Windows\{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe
File created	C:\Windows\{48D45D43-AC0C-490f-9271-AB11E364948E}.exe	{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe
File created	C:\Windows\{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe	{48D45D43-AC0C-490f-9271-AB11E364948E}.exe
File created	C:\Windows\{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe
File created	C:\Windows\{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe{48D45D43-AC0C-490f-9271-AB11E364948E}.exe{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2508	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2928	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe
Token: SeIncBasePriorityPrivilege	2660	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe
Token: SeIncBasePriorityPrivilege	2616	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe
Token: SeIncBasePriorityPrivilege	2028	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe
Token: SeIncBasePriorityPrivilege	2304	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe
Token: SeIncBasePriorityPrivilege	2492	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe
Token: SeIncBasePriorityPrivilege	320	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe
Token: SeIncBasePriorityPrivilege	944	{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe
Token: SeIncBasePriorityPrivilege	1368	{48D45D43-AC0C-490f-9271-AB11E364948E}.exe
Token: SeIncBasePriorityPrivilege	2656	{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2508 wrote to memory of 2928	2508	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe
PID 2508 wrote to memory of 2928	2508	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe
PID 2508 wrote to memory of 2928	2508	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe
PID 2508 wrote to memory of 2928	2508	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe
PID 2508 wrote to memory of 2064	2508	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe	cmd.exe
PID 2508 wrote to memory of 2064	2508	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe	cmd.exe
PID 2508 wrote to memory of 2064	2508	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe	cmd.exe
PID 2508 wrote to memory of 2064	2508	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe	cmd.exe
PID 2928 wrote to memory of 2660	2928	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe
PID 2928 wrote to memory of 2660	2928	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe
PID 2928 wrote to memory of 2660	2928	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe
PID 2928 wrote to memory of 2660	2928	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe
PID 2928 wrote to memory of 1196	2928	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe	cmd.exe
PID 2928 wrote to memory of 1196	2928	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe	cmd.exe
PID 2928 wrote to memory of 1196	2928	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe	cmd.exe
PID 2928 wrote to memory of 1196	2928	{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe	cmd.exe
PID 2660 wrote to memory of 2616	2660	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe
PID 2660 wrote to memory of 2616	2660	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe
PID 2660 wrote to memory of 2616	2660	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe
PID 2660 wrote to memory of 2616	2660	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe
PID 2660 wrote to memory of 2180	2660	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe	cmd.exe
PID 2660 wrote to memory of 2180	2660	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe	cmd.exe
PID 2660 wrote to memory of 2180	2660	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe	cmd.exe
PID 2660 wrote to memory of 2180	2660	{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe	cmd.exe
PID 2616 wrote to memory of 2028	2616	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe
PID 2616 wrote to memory of 2028	2616	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe
PID 2616 wrote to memory of 2028	2616	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe
PID 2616 wrote to memory of 2028	2616	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe
PID 2616 wrote to memory of 2888	2616	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe	cmd.exe
PID 2616 wrote to memory of 2888	2616	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe	cmd.exe
PID 2616 wrote to memory of 2888	2616	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe	cmd.exe
PID 2616 wrote to memory of 2888	2616	{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe	cmd.exe
PID 2028 wrote to memory of 2304	2028	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe
PID 2028 wrote to memory of 2304	2028	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe
PID 2028 wrote to memory of 2304	2028	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe
PID 2028 wrote to memory of 2304	2028	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe
PID 2028 wrote to memory of 576	2028	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe	cmd.exe
PID 2028 wrote to memory of 576	2028	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe	cmd.exe
PID 2028 wrote to memory of 576	2028	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe	cmd.exe
PID 2028 wrote to memory of 576	2028	{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe	cmd.exe
PID 2304 wrote to memory of 2492	2304	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe
PID 2304 wrote to memory of 2492	2304	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe
PID 2304 wrote to memory of 2492	2304	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe
PID 2304 wrote to memory of 2492	2304	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe
PID 2304 wrote to memory of 1780	2304	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe	cmd.exe
PID 2304 wrote to memory of 1780	2304	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe	cmd.exe
PID 2304 wrote to memory of 1780	2304	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe	cmd.exe
PID 2304 wrote to memory of 1780	2304	{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe	cmd.exe
PID 2492 wrote to memory of 320	2492	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe
PID 2492 wrote to memory of 320	2492	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe
PID 2492 wrote to memory of 320	2492	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe
PID 2492 wrote to memory of 320	2492	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe
PID 2492 wrote to memory of 1576	2492	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe	cmd.exe
PID 2492 wrote to memory of 1576	2492	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe	cmd.exe
PID 2492 wrote to memory of 1576	2492	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe	cmd.exe
PID 2492 wrote to memory of 1576	2492	{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe	cmd.exe
PID 320 wrote to memory of 944	320	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe	{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe
PID 320 wrote to memory of 944	320	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe	{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe
PID 320 wrote to memory of 944	320	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe	{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe
PID 320 wrote to memory of 944	320	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe	{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe
PID 320 wrote to memory of 2328	320	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe	cmd.exe
PID 320 wrote to memory of 2328	320	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe	cmd.exe
PID 320 wrote to memory of 2328	320	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe	cmd.exe
PID 320 wrote to memory of 2328	320	{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe
C:\Windows\{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F64C5~1.EXE > nul
3⤵
PID:1196

C:\Windows\{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe
C:\Windows\{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe
C:\Windows\{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{46C36~1.EXE > nul
5⤵
PID:2888

C:\Windows\{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe
C:\Windows\{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A3C3E~1.EXE > nul
6⤵
PID:576

C:\Windows\{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe
C:\Windows\{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe
C:\Windows\{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{79997~1.EXE > nul
8⤵
PID:1576

C:\Windows\{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe
C:\Windows\{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D4F91~1.EXE > nul
9⤵
PID:2328

C:\Windows\{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe
C:\Windows\{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\{48D45D43-AC0C-490f-9271-AB11E364948E}.exe
C:\Windows\{48D45D43-AC0C-490f-9271-AB11E364948E}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe
C:\Windows\{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{67E5A~1.EXE > nul
12⤵
PID:832

C:\Windows\{B40D2FF3-1448-4585-8AB7-CD0EDEF3D73A}.exe
C:\Windows\{B40D2FF3-1448-4585-8AB7-CD0EDEF3D73A}.exe
12⤵
- Executes dropped EXE
PID:112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{48D45~1.EXE > nul
11⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D1B19~1.EXE > nul
10⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CDFE5~1.EXE > nul
7⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EB3C1~1.EXE > nul
4⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{46C361E9-B927-49e6-8C17-341F7C7096FD}.exe

Filesize
408KB

MD5
3e9538d85a0eacc3e012afb8414ac968

SHA1
3d1b7027be0e3f17b0abd42218d0e3afad5e8948

SHA256
a5314d9a77c6b4c628d9ef51a2a7ad2bb9c79ad14af41d3869be344c7fe92958

SHA512
466751c8cfe3ce700fe2b960fd8a04ad9341617b0ab4caf5acf03378929631fe38c4546f7149f8ed5b0f3a7d5aa3b996d48f16b88c7ec53171ae7dcf65103de5

Download Submit
C:\Windows\{48D45D43-AC0C-490f-9271-AB11E364948E}.exe

Filesize
408KB

MD5
19f18cc247bcba8d8ce1301abf91ff18

SHA1
fce2ff08ce9313de6d536aafdbd5a0176b79a670

SHA256
dd7d9ac202527ffccabd38723a976b39d31e820e16cd5ae1cb016dc88ff7004c

SHA512
e5716f2a292628fcdfee8fe475310fb5c92bd54631c0e935bb4bd0515984d1cf44be0e036822ac740738e423e00ea2983878019d02daf02866caebdfc8dd0d7c

Download Submit
C:\Windows\{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe

Filesize
290KB

MD5
8e0fecc247dbffde0d2e4a07b654c587

SHA1
2340e180ed56826610c23baf3d980a2a235ad7fa

SHA256
1b3e91193afc3841145199c92c3ddb32022e0758b32a586aae86cd2274da753b

SHA512
796971fd8ec2f0b34e3a7500c4159f0c83f05bc2ed13ddf66308ed0346854bdeda03ca936efe2f4c60724553eb0fa6164fe6db44007409a6e33e1dbfff570c91

Download Submit
C:\Windows\{67E5AB20-FFBA-4125-A4D4-62BA5F720ACC}.exe

Filesize
408KB

MD5
18350e240dc043bb1e638f4c94e01801

SHA1
93b28e60d0a07cb087ea838a70b97768483692a8

SHA256
ac2371c41b7c004a4be64b3e2f797be7f1bb496ec8a822f11ed718c9a0cafa4d

SHA512
ecdac1d025f8b560bb61a9f380969db8460923579b15742d9c2118e6880f0e2121be21c6245524d68427026b98d6f2d46b1a7671ca0ef8dac53b5133adc8512e

Download Submit
C:\Windows\{79997AB7-8812-4b96-9F32-43E4DFEB284F}.exe

Filesize
408KB

MD5
0e2efe7d2bfd1db598bd5e064e6430f4

SHA1
d5a76ab456728ee78b63a81e081314376a65e7d8

SHA256
32905bc79ad8c25d1b8c6d8cdb7eb97593a640567a34a5767c435a2b7a4ee762

SHA512
f1ea8c77f76ee1c5b7f2295201cd77b2a18a449a49966888bcf5c492712a50a8f80c1fb6352e4bceca8486154cb1f249b8450c2001a2b3419408d502810b1744

Download Submit
C:\Windows\{A3C3E2AA-DF59-4d30-96A6-7FFBEEDB5676}.exe

Filesize
408KB

MD5
822df23c9a905773bb6a99cf6912fc86

SHA1
8ddd2b4d3b67c0ca8e3c1659126d2bfed17067d8

SHA256
f73c113724f4c63f2576829e8ef01b4c828bc2b81dabd3776487ec716c8365d8

SHA512
a5eaa11beae2eb1ba5a6332b3716cbc1950aec7cb45f13bb1f32ca33d634d00c0a1a193f5ecf6b10399fd8df4caffd942fa33973f13f3e84344cab65fec3358b

Download Submit
C:\Windows\{B40D2FF3-1448-4585-8AB7-CD0EDEF3D73A}.exe

Filesize
408KB

MD5
e5830d7c39e2df106c7e0bcd654d72d1

SHA1
67e06c05b63f4e219ae3cff493ff906676f245aa

SHA256
f26cadef5798974955a68306f5b8043608552e35ea1e75c97e1499f7cd665ef0

SHA512
948a0b0697b06c8508699ba9c1f54de0cbf70cc8c8bbb4f115cfd875760ef290ed76b5f3509e367ee9d04233e261bde6634c9a832770067ff2a0de670bca0f64

Download Submit
C:\Windows\{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe

Filesize
408KB

MD5
b0e9c843591c192a754d268b6364b9bf

SHA1
4a0266dca0b0edf814fa708849ab0e540829a678

SHA256
35947b9b10498ce157843d6eb7f3394102e90c4b0e160ee73ab5edc67f72390a

SHA512
cef4b66e0780dbf83e499ffedfc8a59a12d6bdf48f34ca76fd21888306a217ef65609acb6637541e64a932f7c4a34ddfbcf45deb82c031cbcf6bfda408ec6691

Download Submit
C:\Windows\{CDFE542F-4E22-4600-A838-E67A8CF3870A}.exe

Filesize
176KB

MD5
a5e1e58efb0e1afbcf565007962388af

SHA1
ccd6a4bc663ffb84d9ffb3eb3be41173732554c1

SHA256
abad27047c0e1e36e5d5c58f8cd4aec9b54850dd50c0d027854ed9c9266b03eb

SHA512
6414e93db018283d94a8ba65b08395d880a09777abf77a2ded5ad2c29c04197ff660d198f4e3cdda77226375c4181010f4bb3c245c055d54449791a6493f73e4

Download Submit
C:\Windows\{D1B1922B-1E23-49e0-81CC-6739AC5C70E2}.exe

Filesize
408KB

MD5
915d385b55522deddefe0b5fd4ce3246

SHA1
ffc50999e8a09d35af6a90e9cb86c005054c42a5

SHA256
536841bd872aaea0f17cd826d568fdd1d3b2d5fd0e22eaa729a110409964a868

SHA512
7a7bd6a9d10e2ba123f7b1cdb5cd7fbca248c0a218ae72f5a4a73c6dc6ab70ff35bd6fcddd6e6c05b0b385e0fc87a1783d774f1cc95c62be80f2f33cba63caba

Download Submit
C:\Windows\{D4F9164E-55ED-401f-9BFF-2F5EA2A80EF0}.exe

Filesize
408KB

MD5
b13836d47a6a8d26b6e7a76487b26c9e

SHA1
4d135b4d3714290e06bd6ab98049d022c23d57bb

SHA256
c7eaf7858821fa23c005a319f2d9b4025018631dd2200981638acd6b75618d60

SHA512
da7d641007b53f5d5a75d35849b72c6cf47231a097d23980473169b1636ca839f92d6f83e80bfec820f3bd7b763799d6a8658a29fa1a913c04395629c29ca1c4

Download Submit
C:\Windows\{EB3C1B08-256B-4dd0-B38D-2BDD2F546268}.exe

Filesize
408KB

MD5
b465042a1800ff4e5712b3ee881f16cd

SHA1
a717ca417f8bd8f3e7a2661ebeb7e1a2cd8ae607

SHA256
fa9df02f779d57c7d778de8934dc79ee369b7fa2eaa764eef4a4f88384404fa0

SHA512
baa838bfaa230ee47467ea4c2a8febf8eefb3443856c321c0a8ab1d4fa443d5729d0e420b1cbbf1a9457816b72b2e319d41952b8449c85a251650a37991556d0

Download Submit
C:\Windows\{F64C5232-E0CB-47fe-865F-15E2FAAFFCFC}.exe

Filesize
408KB

MD5
31b98f6972e6a644aee61ede28859486

SHA1
94a075e1ef0398e35c80518f47f28bda597ec7c2

SHA256
ad276a790222b8223fdeb62e8de0a6ce5385f35ffea7a80652e169e46a122b75

SHA512
b52639f26cfe1dec1b05e674e5e57f862544e06ed1d2d0824762e28e5af29ef73cd761a82e4a5aca0dff18ec4c4ea005cf4e1acd024b387aa75046e029053c58

Download Submit