20a914e065277ddf631c84d45bf538b7dc1426f8360c02e40c6d2ce94b0ef395

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe
Size

408KB
MD5

83052f06014ba3284f9cf8ccaba105fb
SHA1

2fe6c06734e5e283d36b35243583c35cd1aa2d1b
SHA256

20a914e065277ddf631c84d45bf538b7dc1426f8360c02e40c6d2ce94b0ef395
SHA512

a50f6a2943c2badc68c830a6173329cce2ebad01273572e24daad82cddc1150787cd90fd11ce13e28d974440251bc74f713fb10a3170dd2a3411f10f27d603f4
SSDEEP

3072:CEGh0ojl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG9ldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{55EC0168-9E30-425b-9055-86ED46897E42}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{32E7DF9B-545C-47e5-8FFA-77D2034B5471}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe{55EC0168-9E30-425b-9055-86ED46897E42}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9D25F3F-A493-474d-9B65-BB00C04A70DA}\stubpath = "C:\\Windows\\{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe"	{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92E0CE23-7820-455a-A7DC-67AB08A4FD18}	{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D653980-0DA0-405c-9129-ECBBC05C7D47}	{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D653980-0DA0-405c-9129-ECBBC05C7D47}\stubpath = "C:\\Windows\\{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe"	{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B2BEC5D-C152-40d9-BC95-F6A497415860}\stubpath = "C:\\Windows\\{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe"	{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32E7DF9B-545C-47e5-8FFA-77D2034B5471}	{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}\stubpath = "C:\\Windows\\{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe"	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55F52411-D5C0-4d00-A750-6DCD59DEE390}\stubpath = "C:\\Windows\\{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe"	{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3EC360A-C589-44c6-94D7-DE5A98959007}	{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}	{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}\stubpath = "C:\\Windows\\{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe"	{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92E0CE23-7820-455a-A7DC-67AB08A4FD18}\stubpath = "C:\\Windows\\{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe"	{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}\stubpath = "C:\\Windows\\{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe"	{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55F52411-D5C0-4d00-A750-6DCD59DEE390}	{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55EC0168-9E30-425b-9055-86ED46897E42}\stubpath = "C:\\Windows\\{55EC0168-9E30-425b-9055-86ED46897E42}.exe"	{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}	{55EC0168-9E30-425b-9055-86ED46897E42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}\stubpath = "C:\\Windows\\{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe"	{55EC0168-9E30-425b-9055-86ED46897E42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B2BEC5D-C152-40d9-BC95-F6A497415860}	{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}	{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3EC360A-C589-44c6-94D7-DE5A98959007}\stubpath = "C:\\Windows\\{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe"	{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55EC0168-9E30-425b-9055-86ED46897E42}	{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9D25F3F-A493-474d-9B65-BB00C04A70DA}	{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32E7DF9B-545C-47e5-8FFA-77D2034B5471}\stubpath = "C:\\Windows\\{32E7DF9B-545C-47e5-8FFA-77D2034B5471}.exe"	{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe

Executes dropped EXE 12 IoCs

Processes:

{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe{55EC0168-9E30-425b-9055-86ED46897E42}.exe{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe{32E7DF9B-545C-47e5-8FFA-77D2034B5471}.exe

pid	process
4784	{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe
2140	{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe
2188	{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe
2924	{55EC0168-9E30-425b-9055-86ED46897E42}.exe
1868	{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe
2572	{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe
4092	{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe
4476	{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe
872	{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe
3628	{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe
4004	{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe
516	{32E7DF9B-545C-47e5-8FFA-77D2034B5471}.exe

Drops file in Windows directory 12 IoCs

Processes:

{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe{55EC0168-9E30-425b-9055-86ED46897E42}.exe{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe

description	ioc	process
File created	C:\Windows\{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe	{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe
File created	C:\Windows\{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe	{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe
File created	C:\Windows\{55EC0168-9E30-425b-9055-86ED46897E42}.exe	{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe
File created	C:\Windows\{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe	{55EC0168-9E30-425b-9055-86ED46897E42}.exe
File created	C:\Windows\{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe	{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe
File created	C:\Windows\{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe	{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe
File created	C:\Windows\{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe	{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe
File created	C:\Windows\{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe	{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe
File created	C:\Windows\{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe
File created	C:\Windows\{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe	{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe
File created	C:\Windows\{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe	{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe
File created	C:\Windows\{32E7DF9B-545C-47e5-8FFA-77D2034B5471}.exe	{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe{55EC0168-9E30-425b-9055-86ED46897E42}.exe{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1720	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4784	{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe
Token: SeIncBasePriorityPrivilege	2140	{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe
Token: SeIncBasePriorityPrivilege	2188	{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe
Token: SeIncBasePriorityPrivilege	2924	{55EC0168-9E30-425b-9055-86ED46897E42}.exe
Token: SeIncBasePriorityPrivilege	1868	{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe
Token: SeIncBasePriorityPrivilege	2572	{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe
Token: SeIncBasePriorityPrivilege	4092	{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe
Token: SeIncBasePriorityPrivilege	4476	{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe
Token: SeIncBasePriorityPrivilege	872	{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe
Token: SeIncBasePriorityPrivilege	3628	{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe
Token: SeIncBasePriorityPrivilege	4004	{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1720 wrote to memory of 4784	1720	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe	{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe
PID 1720 wrote to memory of 4784	1720	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe	{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe
PID 1720 wrote to memory of 4784	1720	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe	{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe
PID 1720 wrote to memory of 2808	1720	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe	cmd.exe
PID 1720 wrote to memory of 2808	1720	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe	cmd.exe
PID 1720 wrote to memory of 2808	1720	2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe	cmd.exe
PID 4784 wrote to memory of 2140	4784	{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe	{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe
PID 4784 wrote to memory of 2140	4784	{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe	{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe
PID 4784 wrote to memory of 2140	4784	{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe	{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe
PID 4784 wrote to memory of 924	4784	{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe	cmd.exe
PID 4784 wrote to memory of 924	4784	{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe	cmd.exe
PID 4784 wrote to memory of 924	4784	{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe	cmd.exe
PID 2140 wrote to memory of 2188	2140	{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe	{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe
PID 2140 wrote to memory of 2188	2140	{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe	{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe
PID 2140 wrote to memory of 2188	2140	{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe	{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe
PID 2140 wrote to memory of 1368	2140	{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe	cmd.exe
PID 2140 wrote to memory of 1368	2140	{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe	cmd.exe
PID 2140 wrote to memory of 1368	2140	{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe	cmd.exe
PID 2188 wrote to memory of 2924	2188	{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe	{55EC0168-9E30-425b-9055-86ED46897E42}.exe
PID 2188 wrote to memory of 2924	2188	{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe	{55EC0168-9E30-425b-9055-86ED46897E42}.exe
PID 2188 wrote to memory of 2924	2188	{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe	{55EC0168-9E30-425b-9055-86ED46897E42}.exe
PID 2188 wrote to memory of 2412	2188	{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe	cmd.exe
PID 2188 wrote to memory of 2412	2188	{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe	cmd.exe
PID 2188 wrote to memory of 2412	2188	{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe	cmd.exe
PID 2924 wrote to memory of 1868	2924	{55EC0168-9E30-425b-9055-86ED46897E42}.exe	{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe
PID 2924 wrote to memory of 1868	2924	{55EC0168-9E30-425b-9055-86ED46897E42}.exe	{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe
PID 2924 wrote to memory of 1868	2924	{55EC0168-9E30-425b-9055-86ED46897E42}.exe	{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe
PID 2924 wrote to memory of 3224	2924	{55EC0168-9E30-425b-9055-86ED46897E42}.exe	cmd.exe
PID 2924 wrote to memory of 3224	2924	{55EC0168-9E30-425b-9055-86ED46897E42}.exe	cmd.exe
PID 2924 wrote to memory of 3224	2924	{55EC0168-9E30-425b-9055-86ED46897E42}.exe	cmd.exe
PID 1868 wrote to memory of 2572	1868	{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe	{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe
PID 1868 wrote to memory of 2572	1868	{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe	{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe
PID 1868 wrote to memory of 2572	1868	{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe	{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe
PID 1868 wrote to memory of 5052	1868	{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe	cmd.exe
PID 1868 wrote to memory of 5052	1868	{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe	cmd.exe
PID 1868 wrote to memory of 5052	1868	{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe	cmd.exe
PID 2572 wrote to memory of 4092	2572	{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe	{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe
PID 2572 wrote to memory of 4092	2572	{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe	{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe
PID 2572 wrote to memory of 4092	2572	{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe	{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe
PID 2572 wrote to memory of 3452	2572	{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe	cmd.exe
PID 2572 wrote to memory of 3452	2572	{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe	cmd.exe
PID 2572 wrote to memory of 3452	2572	{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe	cmd.exe
PID 4092 wrote to memory of 4476	4092	{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe	{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe
PID 4092 wrote to memory of 4476	4092	{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe	{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe
PID 4092 wrote to memory of 4476	4092	{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe	{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe
PID 4092 wrote to memory of 3644	4092	{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe	cmd.exe
PID 4092 wrote to memory of 3644	4092	{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe	cmd.exe
PID 4092 wrote to memory of 3644	4092	{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe	cmd.exe
PID 4476 wrote to memory of 872	4476	{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe	{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe
PID 4476 wrote to memory of 872	4476	{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe	{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe
PID 4476 wrote to memory of 872	4476	{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe	{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe
PID 4476 wrote to memory of 3060	4476	{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe	cmd.exe
PID 4476 wrote to memory of 3060	4476	{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe	cmd.exe
PID 4476 wrote to memory of 3060	4476	{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe	cmd.exe
PID 872 wrote to memory of 3628	872	{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe	{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe
PID 872 wrote to memory of 3628	872	{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe	{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe
PID 872 wrote to memory of 3628	872	{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe	{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe
PID 872 wrote to memory of 5112	872	{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe	cmd.exe
PID 872 wrote to memory of 5112	872	{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe	cmd.exe
PID 872 wrote to memory of 5112	872	{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe	cmd.exe
PID 3628 wrote to memory of 4004	3628	{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe	{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe
PID 3628 wrote to memory of 4004	3628	{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe	{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe
PID 3628 wrote to memory of 4004	3628	{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe	{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe
PID 3628 wrote to memory of 2156	3628	{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_83052f06014ba3284f9cf8ccaba105fb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe
C:\Windows\{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe
C:\Windows\{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{55F52~1.EXE > nul
4⤵
PID:1368

C:\Windows\{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe
C:\Windows\{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\{55EC0168-9E30-425b-9055-86ED46897E42}.exe
C:\Windows\{55EC0168-9E30-425b-9055-86ED46897E42}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe
C:\Windows\{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe
C:\Windows\{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe
C:\Windows\{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe
C:\Windows\{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe
C:\Windows\{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe
C:\Windows\{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe
C:\Windows\{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\{32E7DF9B-545C-47e5-8FFA-77D2034B5471}.exe
C:\Windows\{32E7DF9B-545C-47e5-8FFA-77D2034B5471}.exe
13⤵
- Executes dropped EXE
PID:516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{99926~1.EXE > nul
13⤵
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8B2BE~1.EXE > nul
12⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0D653~1.EXE > nul
11⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{92E0C~1.EXE > nul
10⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1C97D~1.EXE > nul
9⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A9D25~1.EXE > nul
8⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EED42~1.EXE > nul
7⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{55EC0~1.EXE > nul
6⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C3EC3~1.EXE > nul
5⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{55F55~1.EXE > nul
3⤵
PID:924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2808

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D653980-0DA0-405c-9129-ECBBC05C7D47}.exe
Filesize
408KB

MD5
c1a28d3156c545f48a93cc939d173f6b

SHA1
db5377e46769ea4f9ebb0d4b58c76e986f65279c

SHA256
a1d0b31e61e9bb1ce0306ced9f37a42eaaba92b4e82617d06e94670a3bfe6936

SHA512
ab92ce40d142fbf888c22963fafd4a07389f36ecc03bccb457de524300964cc59fc07cebdd6cb79aaf952b32c1d8bad6a5281071dda7b6d986e9ef178a0892a8

Download Submit
C:\Windows\{1C97D88C-2E42-42ce-BFAD-CB2B0FDEF82F}.exe
Filesize
408KB

MD5
3bf4f30adf32261c664ef2d61f03946b

SHA1
d3a7d31277d53aceb15cf174b7655663dd285177

SHA256
aaf63324dad750ba79a42896f68d210f0dd89775ddafaca38831e1688a406e12

SHA512
882ac0e5674239f7d0f72bd0ce324b27bb40192a3e4d363a916c06ce01d3567f64b091df77ceee48397ac89a6d53e90e9f801b876e2128624638d09856f0e669

Download Submit
C:\Windows\{32E7DF9B-545C-47e5-8FFA-77D2034B5471}.exe
Filesize
408KB

MD5
1d440de88281305f7d5c0cb6202fe203

SHA1
bc15c87d771fbb56439d0e82bdc3c3742f24c6e1

SHA256
deb752f8736bc0706c4be8f2a86ed1dd1ed622c28d10c23126daa83960c47131

SHA512
00b61e8e6bf65ee2eae7108ec1bc0d2b3e08c7495df63775347362d5ac56a93b00a9d1bb88aaf3a0f99826f8aa61168ae90bcd5a7326aa20db5b89ce49ac4282

Download Submit
C:\Windows\{55EC0168-9E30-425b-9055-86ED46897E42}.exe
Filesize
408KB

MD5
a054072c22fd4706b4db2a8a053502d6

SHA1
b3b2dcbe641728d03bd863b7140fd352d2d3bd09

SHA256
38affe45bad136a4b06b8244e50b3eef18a6ba8e3c2fa2a104b202e59889fe59

SHA512
32d16005d274e71433ad6a42b205aec71e27c1a2087674b1f2dfa550a9ce594b3d60f21e6d3744bc0a9046cbc38144ec4bf40066089af1bd41e23437d4995507

Download Submit
C:\Windows\{55F52411-D5C0-4d00-A750-6DCD59DEE390}.exe
Filesize
408KB

MD5
022ec35fe5922e21f62506a20fcc2dbe

SHA1
6f046fefc1928a1399bb48a4f62fc52b56de260f

SHA256
3a4b87a881f25bc571d33e9853a27104ef6140fce700489a5c9a016a6dc3191b

SHA512
830aa01631f70b44795d03485088f689cb487da033f1d00a24a0539721d0add49b5d64605746a85448fd9738fb27d03ecfcba2e99161c71ffdd733284506340f

Download Submit
C:\Windows\{55F55580-44DC-4ca8-BCE1-A8CD17A3812E}.exe
Filesize
408KB

MD5
953617577681fce7c926322401544390

SHA1
e942c5616abdb1a60c9d945428c41ddc3b3610ee

SHA256
c6898224e8e9711dfe95effa7a0a843239a8e1f3e6bd9de4edc4b418066fc5a7

SHA512
0ad732918e9f6d5980c07fc94580c97f2c052818a40a8eeefac354e72e5ba16faee01a9e28bb7ace8cf51a7ab855e11fc5a1640f86f7c894b5240dcfcd71d2df

Download Submit
C:\Windows\{8B2BEC5D-C152-40d9-BC95-F6A497415860}.exe
Filesize
408KB

MD5
2848dab78f48a40ad804a98f4f986f11

SHA1
2ecf51c0eb0833e0aae66fae87854da9a332b91a

SHA256
6188ff5c9109b53f6a22a071b9857e934128412b8b13a292d0c8fbcc91671eea

SHA512
077850c0acb9217d25de844193634741c4eae15995633d3c67922fc5bc7f51d61b401c710fac2df074fda91b0728665591e6d1a4f4bb9ce2f268cf40200d7237

Download Submit
C:\Windows\{92E0CE23-7820-455a-A7DC-67AB08A4FD18}.exe
Filesize
408KB

MD5
71cf7e161558fcd17e2d4531dc81bf01

SHA1
ecb084febf3ff4bead426cdb16acdd4cb8dd06af

SHA256
1c1ecf2fa2b9b55f5c9945830aee0508ebbebe1d4efc3043d23af0448f789eca

SHA512
23e0735d8acd0acf42c59c2d7a32b65e6f5645160a149900d2c508949cfa8e87e1ad568917ea57f47f5ab5a70fbaf5d0636be9ad629b09c7152bb0dfdfa08996

Download Submit
C:\Windows\{999261C3-ECEC-49fc-A2D6-AB07AA7E959A}.exe
Filesize
408KB

MD5
b52643a661d83d5e437e9d6f03567db6

SHA1
234cc6dd4fc871de6b5f0a104fd6781489278688

SHA256
7cbe09f7d3cc682828792769c616b9756260dfd64ef685f57696a0b22cb2dbd9

SHA512
1f85d51ac2bdb14c9c22815c16d249cf28e0737610f6a3414e68544415e14b1ec6bb6eec38bd05e0c81bfc1567e74296dcab597c085527de05cdf2a71d28d73a

Download Submit
C:\Windows\{A9D25F3F-A493-474d-9B65-BB00C04A70DA}.exe
Filesize
408KB

MD5
a0d8079da0f72546e0f77f0d2a72524f

SHA1
109c7c59a6ac446a95c9d5f5dca68774ac05c9f0

SHA256
bed3d60b5f55755a52c8afc1bed1edfd6a333102ab2381e01a7ce9f2ef9775f4

SHA512
957f87bc66bc4b9271785a42110ed5c1f7923c789186b53d27340f78e9914f041c042a839b5d96c5791502e06ff3e69b51c7d2d5d3ff43e1a6875372e75a3b53

Download Submit
C:\Windows\{C3EC360A-C589-44c6-94D7-DE5A98959007}.exe
Filesize
408KB

MD5
04a698ca896d2059d3d423f3705ab307

SHA1
e48a0213a7bd99db7a041a1c2f34f85e42770a10

SHA256
b551e861fb54b4bf9247c791b889d617a4adcdaef1c6c0e2289dcc2d80413484

SHA512
b764929ae8e91198dd904641336255e8c74f8dd59d409e65551fb10917f089977b2bddef0fc9fb52578fce361ba3e4aa8767da3e5ad77599768d477a56bb3a94

Download Submit
C:\Windows\{EED42F69-CAE6-4ce0-9867-E0C9FD4D2AC6}.exe
Filesize
408KB

MD5
e138d1811ad30a496461c72372b1b764

SHA1
d0f7ff04375a58c75c70677ab867c08fd33c4b1d

SHA256
abfa021dd30a514aae31f1cd047f797a705cf687714f5523a51baf7cebed4c00

SHA512
bf9fea6139ebe50b063e93929de822774b31c387870b0ef0d8915278011e769b69b68097904744370c3376f9895ec9a7448dd807985c7641c8b1424fe8938f43

Download Submit