6602224d2faacc3e3bc165392990c3e6902d6970f4113a8225a2c0e4ebb12742

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe
Size

180KB
MD5

8213a2c675d9f27dde8949fcff8ee215
SHA1

5c0c73121b78b10cab2762b5183369495e8ca139
SHA256

6602224d2faacc3e3bc165392990c3e6902d6970f4113a8225a2c0e4ebb12742
SHA512

17876229bd28cacaca2edf4df7460391a9cf0a2c18bd508eb5da9217163d4092bc0c179b70d909fa238434a6325884b4f9c942c1b949ad0146ffd93b6030442d
SSDEEP

3072:jEGh0oHlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGBl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2F8DE624-C732-408c-830C-A77574AD4005}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4F01A9F9-3873-4678-B6E0-48AA2B7A96D7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe{2F8DE624-C732-408c-830C-A77574AD4005}.exe{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}.exe{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29415C2E-3B10-411f-BB6D-DC382CD29147}	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E95C5E08-711A-442c-B87B-890EC0B490B8}\stubpath = "C:\\Windows\\{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe"	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F96F777C-51D2-45d3-9894-6FCF441E117F}\stubpath = "C:\\Windows\\{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe"	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F8DE624-C732-408c-830C-A77574AD4005}\stubpath = "C:\\Windows\\{2F8DE624-C732-408c-830C-A77574AD4005}.exe"	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB0F368A-EC15-48a4-9F90-9015DE119B9D}	{2F8DE624-C732-408c-830C-A77574AD4005}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1CC470F-926C-41a1-9CEC-E65D2C559E16}	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1CC470F-926C-41a1-9CEC-E65D2C559E16}\stubpath = "C:\\Windows\\{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe"	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}	{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}\stubpath = "C:\\Windows\\{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}.exe"	{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F01A9F9-3873-4678-B6E0-48AA2B7A96D7}\stubpath = "C:\\Windows\\{4F01A9F9-3873-4678-B6E0-48AA2B7A96D7}.exe"	{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C7A986D-47D3-497c-8352-8E5EC4CBF541}\stubpath = "C:\\Windows\\{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe"	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E95C5E08-711A-442c-B87B-890EC0B490B8}	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29415C2E-3B10-411f-BB6D-DC382CD29147}\stubpath = "C:\\Windows\\{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe"	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C7A986D-47D3-497c-8352-8E5EC4CBF541}	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F96F777C-51D2-45d3-9894-6FCF441E117F}	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}	{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}\stubpath = "C:\\Windows\\{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}.exe"	{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}\stubpath = "C:\\Windows\\{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe"	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F8DE624-C732-408c-830C-A77574AD4005}	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB0F368A-EC15-48a4-9F90-9015DE119B9D}\stubpath = "C:\\Windows\\{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe"	{2F8DE624-C732-408c-830C-A77574AD4005}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F01A9F9-3873-4678-B6E0-48AA2B7A96D7}	{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2728 cmd.exe

pid	process
2728	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe{2F8DE624-C732-408c-830C-A77574AD4005}.exe{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}.exe{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}.exe{4F01A9F9-3873-4678-B6E0-48AA2B7A96D7}.exe

pid	process
2420	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe
2708	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe
2288	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe
1948	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe
2972	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe
2024	{2F8DE624-C732-408c-830C-A77574AD4005}.exe
1012	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe
2896	{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe
1628	{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}.exe
1552	{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}.exe
1128	{4F01A9F9-3873-4678-B6E0-48AA2B7A96D7}.exe

Drops file in Windows directory 11 IoCs

Processes:

{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe{2F8DE624-C732-408c-830C-A77574AD4005}.exe{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}.exe{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}.exe

description	ioc	process
File created	C:\Windows\{2F8DE624-C732-408c-830C-A77574AD4005}.exe	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe
File created	C:\Windows\{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe
File created	C:\Windows\{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe
File created	C:\Windows\{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe
File created	C:\Windows\{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe	{2F8DE624-C732-408c-830C-A77574AD4005}.exe
File created	C:\Windows\{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe
File created	C:\Windows\{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}.exe	{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe
File created	C:\Windows\{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe
File created	C:\Windows\{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe
File created	C:\Windows\{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}.exe	{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}.exe
File created	C:\Windows\{4F01A9F9-3873-4678-B6E0-48AA2B7A96D7}.exe	{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe{2F8DE624-C732-408c-830C-A77574AD4005}.exe{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}.exe{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2528	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2420	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe
Token: SeIncBasePriorityPrivilege	2708	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe
Token: SeIncBasePriorityPrivilege	2288	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe
Token: SeIncBasePriorityPrivilege	1948	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe
Token: SeIncBasePriorityPrivilege	2972	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe
Token: SeIncBasePriorityPrivilege	2024	{2F8DE624-C732-408c-830C-A77574AD4005}.exe
Token: SeIncBasePriorityPrivilege	1012	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe
Token: SeIncBasePriorityPrivilege	2896	{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe
Token: SeIncBasePriorityPrivilege	1628	{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}.exe
Token: SeIncBasePriorityPrivilege	1552	{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2528 wrote to memory of 2420	2528	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe
PID 2528 wrote to memory of 2420	2528	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe
PID 2528 wrote to memory of 2420	2528	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe
PID 2528 wrote to memory of 2420	2528	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe
PID 2528 wrote to memory of 2728	2528	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe	cmd.exe
PID 2528 wrote to memory of 2728	2528	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe	cmd.exe
PID 2528 wrote to memory of 2728	2528	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe	cmd.exe
PID 2528 wrote to memory of 2728	2528	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe	cmd.exe
PID 2420 wrote to memory of 2708	2420	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe
PID 2420 wrote to memory of 2708	2420	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe
PID 2420 wrote to memory of 2708	2420	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe
PID 2420 wrote to memory of 2708	2420	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe
PID 2420 wrote to memory of 2888	2420	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe	cmd.exe
PID 2420 wrote to memory of 2888	2420	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe	cmd.exe
PID 2420 wrote to memory of 2888	2420	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe	cmd.exe
PID 2420 wrote to memory of 2888	2420	{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe	cmd.exe
PID 2708 wrote to memory of 2288	2708	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe
PID 2708 wrote to memory of 2288	2708	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe
PID 2708 wrote to memory of 2288	2708	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe
PID 2708 wrote to memory of 2288	2708	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe
PID 2708 wrote to memory of 2756	2708	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe	cmd.exe
PID 2708 wrote to memory of 2756	2708	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe	cmd.exe
PID 2708 wrote to memory of 2756	2708	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe	cmd.exe
PID 2708 wrote to memory of 2756	2708	{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe	cmd.exe
PID 2288 wrote to memory of 1948	2288	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe
PID 2288 wrote to memory of 1948	2288	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe
PID 2288 wrote to memory of 1948	2288	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe
PID 2288 wrote to memory of 1948	2288	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe
PID 2288 wrote to memory of 2904	2288	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe	cmd.exe
PID 2288 wrote to memory of 2904	2288	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe	cmd.exe
PID 2288 wrote to memory of 2904	2288	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe	cmd.exe
PID 2288 wrote to memory of 2904	2288	{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe	cmd.exe
PID 1948 wrote to memory of 2972	1948	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe
PID 1948 wrote to memory of 2972	1948	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe
PID 1948 wrote to memory of 2972	1948	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe
PID 1948 wrote to memory of 2972	1948	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe
PID 1948 wrote to memory of 3032	1948	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe	cmd.exe
PID 1948 wrote to memory of 3032	1948	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe	cmd.exe
PID 1948 wrote to memory of 3032	1948	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe	cmd.exe
PID 1948 wrote to memory of 3032	1948	{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe	cmd.exe
PID 2972 wrote to memory of 2024	2972	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe	{2F8DE624-C732-408c-830C-A77574AD4005}.exe
PID 2972 wrote to memory of 2024	2972	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe	{2F8DE624-C732-408c-830C-A77574AD4005}.exe
PID 2972 wrote to memory of 2024	2972	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe	{2F8DE624-C732-408c-830C-A77574AD4005}.exe
PID 2972 wrote to memory of 2024	2972	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe	{2F8DE624-C732-408c-830C-A77574AD4005}.exe
PID 2972 wrote to memory of 292	2972	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe	cmd.exe
PID 2972 wrote to memory of 292	2972	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe	cmd.exe
PID 2972 wrote to memory of 292	2972	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe	cmd.exe
PID 2972 wrote to memory of 292	2972	{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe	cmd.exe
PID 2024 wrote to memory of 1012	2024	{2F8DE624-C732-408c-830C-A77574AD4005}.exe	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe
PID 2024 wrote to memory of 1012	2024	{2F8DE624-C732-408c-830C-A77574AD4005}.exe	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe
PID 2024 wrote to memory of 1012	2024	{2F8DE624-C732-408c-830C-A77574AD4005}.exe	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe
PID 2024 wrote to memory of 1012	2024	{2F8DE624-C732-408c-830C-A77574AD4005}.exe	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe
PID 2024 wrote to memory of 2684	2024	{2F8DE624-C732-408c-830C-A77574AD4005}.exe	cmd.exe
PID 2024 wrote to memory of 2684	2024	{2F8DE624-C732-408c-830C-A77574AD4005}.exe	cmd.exe
PID 2024 wrote to memory of 2684	2024	{2F8DE624-C732-408c-830C-A77574AD4005}.exe	cmd.exe
PID 2024 wrote to memory of 2684	2024	{2F8DE624-C732-408c-830C-A77574AD4005}.exe	cmd.exe
PID 1012 wrote to memory of 2896	1012	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe	{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe
PID 1012 wrote to memory of 2896	1012	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe	{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe
PID 1012 wrote to memory of 2896	1012	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe	{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe
PID 1012 wrote to memory of 2896	1012	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe	{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe
PID 1012 wrote to memory of 1500	1012	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe	cmd.exe
PID 1012 wrote to memory of 1500	1012	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe	cmd.exe
PID 1012 wrote to memory of 1500	1012	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe	cmd.exe
PID 1012 wrote to memory of 1500	1012	{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe
C:\Windows\{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe
C:\Windows\{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe
C:\Windows\{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe
C:\Windows\{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe
C:\Windows\{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\{2F8DE624-C732-408c-830C-A77574AD4005}.exe
C:\Windows\{2F8DE624-C732-408c-830C-A77574AD4005}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe
C:\Windows\{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe
C:\Windows\{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}.exe
C:\Windows\{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}.exe
C:\Windows\{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\{4F01A9F9-3873-4678-B6E0-48AA2B7A96D7}.exe
C:\Windows\{4F01A9F9-3873-4678-B6E0-48AA2B7A96D7}.exe
12⤵
- Executes dropped EXE
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4325D~1.EXE > nul
12⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E0EFB~1.EXE > nul
11⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A1CC4~1.EXE > nul
10⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BB0F3~1.EXE > nul
9⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2F8DE~1.EXE > nul
8⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F96F7~1.EXE > nul
7⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AD920~1.EXE > nul
6⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E95C5~1.EXE > nul
5⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5C7A9~1.EXE > nul
4⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{29415~1.EXE > nul
3⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe

Filesize
180KB

MD5
ea2e751d9b20c493bd6145d1de9ee49d

SHA1
768c550fdcb42ef6eacd2aa0598fe402417b52a1

SHA256
412dc5085011ee12ed00da97019895f3379e37d340ac4bb028e5b402b28bba09

SHA512
ba65c5a57b9873311f7c9714dbf9b841f7baeb217cde35ab4334a596bafb5070f5cce319e5fa4d845b6404b0a3770724920209b6853df63155177b5280ca076c

Download Submit
C:\Windows\{29415C2E-3B10-411f-BB6D-DC382CD29147}.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\{2F8DE624-C732-408c-830C-A77574AD4005}.exe

Filesize
180KB

MD5
ca81059ad94115893c3a0b322d3bd4f4

SHA1
fd01e8ddf65a69f4df9aaf2533e824ab47da8269

SHA256
1f49ff7d96e930b2afc0cd8af82c3ba0afdd7e62eae5f3b0381f0d538ad7a298

SHA512
cb3e832a7915a3c91f5e4f73dc99d0664b1d428d7756a2ea9a764c36b3c4bf76776add58e7feb1435a84619cb7920e67b664192866c42c52a2df844de1ed9c68

Download Submit
C:\Windows\{4325DC5E-A87A-4f4b-A3AB-8A1C9ADE1FA7}.exe

Filesize
180KB

MD5
54e567caf91b374e5ae00269dac22afa

SHA1
822dc6117cea9345ca00df29e0aa064e31a002f6

SHA256
389d8c2a406a098c6ba440d37fa2ce7af4cb5021b58bd107d928ca4be8b944d6

SHA512
560fa6d6dc1948188596568ab941b9b9cb519df6a9faaed56f80b356105d62786e6c0c8366ec146289fef78fe5aef290835d130cc663b59db7f72f28ced7b010

Download Submit
C:\Windows\{4F01A9F9-3873-4678-B6E0-48AA2B7A96D7}.exe

Filesize
180KB

MD5
7802d3ac173959ce206244c6b2b61f4f

SHA1
39443ac0e43d9323c538f87c3994dedcf81d3b9e

SHA256
78c617e6dc077bf9342e090fd878a1028894defffd7e43b7ebf3d459aba17090

SHA512
333720e2a23736424f18605ede9e6ab6aa861dc305ee110e560e621d5af050e7cae1ff211c4b44469a6f6cf957de7777aab86d51985e2ecc91dd34cce512071f

Download Submit
C:\Windows\{5C7A986D-47D3-497c-8352-8E5EC4CBF541}.exe

Filesize
180KB

MD5
13e02f45e2577770c9ecc1ee722b06e2

SHA1
25c0e020f04f6c73e53d92f1f3318bb4ae3af826

SHA256
ff82acbbbb2dc6efedfe09f5fd61667a94875e03f00dec0273a0c9ca33804eb6

SHA512
3ec6b474586cbe2bedea8c0d8f0d30829c170d589262b4e36415bc9faebcae43699867b78d2f4e96987d55997e0e12b3ee6f0ae6e659e02cb0020fd8f602b94e

Download Submit
C:\Windows\{A1CC470F-926C-41a1-9CEC-E65D2C559E16}.exe

Filesize
180KB

MD5
581b0746a17a5db5bf1182ea0829e90f

SHA1
44a4d98dfdec5049624728bd444f3b53d1e50856

SHA256
6c59be26e2c48d09e843da60ae060e0afa6dae226f60f844c3986c0fb21028fe

SHA512
fddb23f7591f318bd8d64259e725c6187aea8a1da2a25713961d539ba747282b6a05c76e3ceb2edb1403018b9d23940a79bec072792059303f16bf904631a4fa

Download Submit
C:\Windows\{AD920ECE-EEAE-434c-A35C-3C56FA7BB0B4}.exe

Filesize
180KB

MD5
b55f09eed145c4a0c202a7ac4311bcf3

SHA1
60a80c7bb14e8f7d323596339ad39dfc0e597d85

SHA256
349e1213cfd130e469632fe7b1fb90d8ed352acda454cae0dda5de250b5ef256

SHA512
2d65a489c93a5a6def32b126dd19586df2eac64443302cfb2a09457750bc37058a2aee5c64678882339be32f2f9b1ed57695211332932e19b1f821d28a427368

Download Submit
C:\Windows\{BB0F368A-EC15-48a4-9F90-9015DE119B9D}.exe

Filesize
180KB

MD5
8542269ecf05b77c0a7d63f89b10f346

SHA1
0bdee08ecb1b69ec53d43db674b51c80411093c1

SHA256
2c19edc08fe2f45eba90903f67afede35f5edaf00bb34736878f9c921a15a9fe

SHA512
9f699b53439278be54318f0610e73cac80d50a8d120aa6ca1e21f0587d0d7f39aa417dcdb255b33f093586535e3da6d2504a35369f96c6dace371b4405ff6052

Download Submit
C:\Windows\{E0EFB04F-4BE0-4b35-9FC0-0E846074A9B0}.exe

Filesize
180KB

MD5
4d44b9c14ee08c2e31a2d88185f8e54a

SHA1
bf5f2c8f766bf67b944ab4b8ea31b267e53f6dd5

SHA256
199e0404d34e4e891949cdc3d7ead97aa795e287f5fe9571fca688222e1aa16c

SHA512
d4bbf2c2f68cb8c759fa62905ab9e24b5edc248a30c75f6d20342e3097eff46b081bfb99635275b9faed846a02f1170e435fd68254088d73fe9cddb2d4b63bb9

Download Submit
C:\Windows\{E95C5E08-711A-442c-B87B-890EC0B490B8}.exe

Filesize
180KB

MD5
1194b79574f07e4b20b9309bacb02785

SHA1
20507f2953a0b8d9c5ba5d8e0fd01293aaad5540

SHA256
3b331eb8c30999ef937642655442654654a943ab89dd28155d99009ef659b513

SHA512
902f8a97831f9006b4333e2d9f13d1d267d10c41d8a8350856f743d2167acb881478e077e700c3956a4482e2418e703f4d0ec47dfbc54ae7d52d21c280e27ec9

Download Submit
C:\Windows\{F96F777C-51D2-45d3-9894-6FCF441E117F}.exe

Filesize
180KB

MD5
87d56c7587ccb48da723ba4cfd4b8c29

SHA1
ce6184d4e65caa1b9cc53601431e58d39908f5ed

SHA256
76b45ff9d6aa8f81615158242cf889fdfd3ecaa4cc655fa96d1a497c2a004d26

SHA512
bd4097ca72662c75029ece594c401904767c96b5fef877b29246fd5e8865607723a174032a05290588b7b26516e4e1e3d205ca234a8e7c0e0d31723b58b712eb

Download Submit