6602224d2faacc3e3bc165392990c3e6902d6970f4113a8225a2c0e4ebb12742

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe
Size

180KB
MD5

8213a2c675d9f27dde8949fcff8ee215
SHA1

5c0c73121b78b10cab2762b5183369495e8ca139
SHA256

6602224d2faacc3e3bc165392990c3e6902d6970f4113a8225a2c0e4ebb12742
SHA512

17876229bd28cacaca2edf4df7460391a9cf0a2c18bd508eb5da9217163d4092bc0c179b70d909fa238434a6325884b4f9c942c1b949ad0146ffd93b6030442d
SSDEEP

3072:jEGh0oHlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGBl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{35FAC471-FD0A-4603-B975-9923F83F199E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2F4DB662-AE1F-463d-A932-45543134FF5C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe{35FAC471-FD0A-4603-B975-9923F83F199E}.exe{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}\stubpath = "C:\\Windows\\{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe"	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35FAC471-FD0A-4603-B975-9923F83F199E}\stubpath = "C:\\Windows\\{35FAC471-FD0A-4603-B975-9923F83F199E}.exe"	{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{343F35FA-E0BB-4fa3-877A-3881A90D00F1}\stubpath = "C:\\Windows\\{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe"	{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}\stubpath = "C:\\Windows\\{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe"	{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{343F35FA-E0BB-4fa3-877A-3881A90D00F1}	{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}	{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61AC7A91-7C0F-441f-B881-725BEA73EC4B}	{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61AC7A91-7C0F-441f-B881-725BEA73EC4B}\stubpath = "C:\\Windows\\{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe"	{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}	{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E6A555C-02B4-4c33-8390-E3BFDCB19016}\stubpath = "C:\\Windows\\{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe"	{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{035A1D33-C30D-4861-8E9D-B053A409B2B2}	{35FAC471-FD0A-4603-B975-9923F83F199E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}	{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}\stubpath = "C:\\Windows\\{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe"	{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9ACE401-9175-40aa-A627-62A8CBBA605E}\stubpath = "C:\\Windows\\{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe"	{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}\stubpath = "C:\\Windows\\{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe"	{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}	{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E6A555C-02B4-4c33-8390-E3BFDCB19016}	{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F4DB662-AE1F-463d-A932-45543134FF5C}	{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F4DB662-AE1F-463d-A932-45543134FF5C}\stubpath = "C:\\Windows\\{2F4DB662-AE1F-463d-A932-45543134FF5C}.exe"	{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9ACE401-9175-40aa-A627-62A8CBBA605E}	{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}\stubpath = "C:\\Windows\\{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe"	{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35FAC471-FD0A-4603-B975-9923F83F199E}	{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{035A1D33-C30D-4861-8E9D-B053A409B2B2}\stubpath = "C:\\Windows\\{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe"	{35FAC471-FD0A-4603-B975-9923F83F199E}.exe

Executes dropped EXE 12 IoCs

Processes:

{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe{35FAC471-FD0A-4603-B975-9923F83F199E}.exe{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe{2F4DB662-AE1F-463d-A932-45543134FF5C}.exe

pid	process
2528	{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe
4476	{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe
5044	{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe
4412	{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe
2292	{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe
2132	{35FAC471-FD0A-4603-B975-9923F83F199E}.exe
4348	{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe
376	{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe
4944	{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe
2444	{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe
1856	{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe
4516	{2F4DB662-AE1F-463d-A932-45543134FF5C}.exe

Drops file in Windows directory 12 IoCs

Processes:

{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe{35FAC471-FD0A-4603-B975-9923F83F199E}.exe

description	ioc	process
File created	C:\Windows\{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe	{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe
File created	C:\Windows\{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe	{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe
File created	C:\Windows\{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe	{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe
File created	C:\Windows\{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe	{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe
File created	C:\Windows\{35FAC471-FD0A-4603-B975-9923F83F199E}.exe	{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe
File created	C:\Windows\{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe	{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe
File created	C:\Windows\{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe	{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe
File created	C:\Windows\{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe
File created	C:\Windows\{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe	{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe
File created	C:\Windows\{2F4DB662-AE1F-463d-A932-45543134FF5C}.exe	{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe
File created	C:\Windows\{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe	{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe
File created	C:\Windows\{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe	{35FAC471-FD0A-4603-B975-9923F83F199E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe{35FAC471-FD0A-4603-B975-9923F83F199E}.exe{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4944	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2528	{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe
Token: SeIncBasePriorityPrivilege	4476	{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe
Token: SeIncBasePriorityPrivilege	5044	{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe
Token: SeIncBasePriorityPrivilege	4412	{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe
Token: SeIncBasePriorityPrivilege	2292	{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe
Token: SeIncBasePriorityPrivilege	2132	{35FAC471-FD0A-4603-B975-9923F83F199E}.exe
Token: SeIncBasePriorityPrivilege	4348	{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe
Token: SeIncBasePriorityPrivilege	376	{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe
Token: SeIncBasePriorityPrivilege	4944	{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe
Token: SeIncBasePriorityPrivilege	2444	{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe
Token: SeIncBasePriorityPrivilege	1856	{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4944 wrote to memory of 2528	4944	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe	{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe
PID 4944 wrote to memory of 2528	4944	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe	{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe
PID 4944 wrote to memory of 2528	4944	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe	{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe
PID 4944 wrote to memory of 2496	4944	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe	cmd.exe
PID 4944 wrote to memory of 2496	4944	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe	cmd.exe
PID 4944 wrote to memory of 2496	4944	2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe	cmd.exe
PID 2528 wrote to memory of 4476	2528	{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe	{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe
PID 2528 wrote to memory of 4476	2528	{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe	{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe
PID 2528 wrote to memory of 4476	2528	{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe	{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe
PID 2528 wrote to memory of 528	2528	{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe	cmd.exe
PID 2528 wrote to memory of 528	2528	{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe	cmd.exe
PID 2528 wrote to memory of 528	2528	{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe	cmd.exe
PID 4476 wrote to memory of 5044	4476	{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe	{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe
PID 4476 wrote to memory of 5044	4476	{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe	{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe
PID 4476 wrote to memory of 5044	4476	{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe	{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe
PID 4476 wrote to memory of 5008	4476	{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe	cmd.exe
PID 4476 wrote to memory of 5008	4476	{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe	cmd.exe
PID 4476 wrote to memory of 5008	4476	{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe	cmd.exe
PID 5044 wrote to memory of 4412	5044	{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe	{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe
PID 5044 wrote to memory of 4412	5044	{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe	{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe
PID 5044 wrote to memory of 4412	5044	{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe	{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe
PID 5044 wrote to memory of 4704	5044	{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe	cmd.exe
PID 5044 wrote to memory of 4704	5044	{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe	cmd.exe
PID 5044 wrote to memory of 4704	5044	{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe	cmd.exe
PID 4412 wrote to memory of 2292	4412	{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe	{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe
PID 4412 wrote to memory of 2292	4412	{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe	{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe
PID 4412 wrote to memory of 2292	4412	{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe	{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe
PID 4412 wrote to memory of 4732	4412	{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe	cmd.exe
PID 4412 wrote to memory of 4732	4412	{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe	cmd.exe
PID 4412 wrote to memory of 4732	4412	{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe	cmd.exe
PID 2292 wrote to memory of 2132	2292	{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe	{35FAC471-FD0A-4603-B975-9923F83F199E}.exe
PID 2292 wrote to memory of 2132	2292	{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe	{35FAC471-FD0A-4603-B975-9923F83F199E}.exe
PID 2292 wrote to memory of 2132	2292	{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe	{35FAC471-FD0A-4603-B975-9923F83F199E}.exe
PID 2292 wrote to memory of 3824	2292	{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe	cmd.exe
PID 2292 wrote to memory of 3824	2292	{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe	cmd.exe
PID 2292 wrote to memory of 3824	2292	{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe	cmd.exe
PID 2132 wrote to memory of 4348	2132	{35FAC471-FD0A-4603-B975-9923F83F199E}.exe	{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe
PID 2132 wrote to memory of 4348	2132	{35FAC471-FD0A-4603-B975-9923F83F199E}.exe	{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe
PID 2132 wrote to memory of 4348	2132	{35FAC471-FD0A-4603-B975-9923F83F199E}.exe	{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe
PID 2132 wrote to memory of 3568	2132	{35FAC471-FD0A-4603-B975-9923F83F199E}.exe	cmd.exe
PID 2132 wrote to memory of 3568	2132	{35FAC471-FD0A-4603-B975-9923F83F199E}.exe	cmd.exe
PID 2132 wrote to memory of 3568	2132	{35FAC471-FD0A-4603-B975-9923F83F199E}.exe	cmd.exe
PID 4348 wrote to memory of 376	4348	{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe	{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe
PID 4348 wrote to memory of 376	4348	{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe	{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe
PID 4348 wrote to memory of 376	4348	{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe	{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe
PID 4348 wrote to memory of 3992	4348	{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe	cmd.exe
PID 4348 wrote to memory of 3992	4348	{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe	cmd.exe
PID 4348 wrote to memory of 3992	4348	{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe	cmd.exe
PID 376 wrote to memory of 4944	376	{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe	{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe
PID 376 wrote to memory of 4944	376	{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe	{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe
PID 376 wrote to memory of 4944	376	{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe	{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe
PID 376 wrote to memory of 2160	376	{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe	cmd.exe
PID 376 wrote to memory of 2160	376	{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe	cmd.exe
PID 376 wrote to memory of 2160	376	{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe	cmd.exe
PID 4944 wrote to memory of 2444	4944	{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe	{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe
PID 4944 wrote to memory of 2444	4944	{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe	{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe
PID 4944 wrote to memory of 2444	4944	{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe	{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe
PID 4944 wrote to memory of 4844	4944	{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe	cmd.exe
PID 4944 wrote to memory of 4844	4944	{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe	cmd.exe
PID 4944 wrote to memory of 4844	4944	{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe	cmd.exe
PID 2444 wrote to memory of 1856	2444	{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe	{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe
PID 2444 wrote to memory of 1856	2444	{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe	{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe
PID 2444 wrote to memory of 1856	2444	{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe	{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe
PID 2444 wrote to memory of 4332	2444	{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_8213a2c675d9f27dde8949fcff8ee215_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe
C:\Windows\{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe
C:\Windows\{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{61AC7~1.EXE > nul
4⤵
PID:5008

C:\Windows\{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe
C:\Windows\{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe
C:\Windows\{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe
C:\Windows\{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\{35FAC471-FD0A-4603-B975-9923F83F199E}.exe
C:\Windows\{35FAC471-FD0A-4603-B975-9923F83F199E}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe
C:\Windows\{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe
C:\Windows\{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe
C:\Windows\{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe
C:\Windows\{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe
C:\Windows\{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\{2F4DB662-AE1F-463d-A932-45543134FF5C}.exe
C:\Windows\{2F4DB662-AE1F-463d-A932-45543134FF5C}.exe
13⤵
- Executes dropped EXE
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7EF3F~1.EXE > nul
13⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C9ACE~1.EXE > nul
12⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{343F3~1.EXE > nul
11⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AFE2B~1.EXE > nul
10⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{035A1~1.EXE > nul
9⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{35FAC~1.EXE > nul
8⤵
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4E6A5~1.EXE > nul
7⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B1994~1.EXE > nul
6⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{12C4E~1.EXE > nul
5⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{86EBF~1.EXE > nul
3⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{035A1D33-C30D-4861-8E9D-B053A409B2B2}.exe
Filesize
180KB

MD5
20792c7d45e57deb6266b4d44e626c06

SHA1
5a42d4682315c161c82c8ffb2e9033336241e9e7

SHA256
ef01097e6c20e0867d6ffef1adf3891ae98fc48bb42dcd53ebd7c7292af3534d

SHA512
db487aac92824a45236f257edc178556d945780147df3d90a4295c2fc3d2204636ce40782c6d841e8bf173aa47695fb9f75e47ed9daddda73bf2c678bcb93544

Download Submit
C:\Windows\{12C4E42E-A8A4-46f8-BFA1-11E7B17329CE}.exe
Filesize
180KB

MD5
f31639f5543f9872b8e69c0d6d5c67d8

SHA1
c7b003c070218b5dc5077ce1187100ae933e0e16

SHA256
a822b0bd17169c7d98e1b13f03a350cc0eeb5b6f9552847d76048ed8b1f036bb

SHA512
3ef84a2ca34a381fbd7c1e2a5283f55569185ffb822dc71453a3167af51a19659c2113faa1814d6e6f9bf1783ac58433f6eef472e6c3db8fa212052a35507a61

Download Submit
C:\Windows\{2F4DB662-AE1F-463d-A932-45543134FF5C}.exe
Filesize
180KB

MD5
11a196c1797f911744e1ffa5f45e3735

SHA1
720cb62ab3662078f771d5682ba382e718a05240

SHA256
c461785f3e7cb142f8b8da16aba004d7ffc0eb952560a9cdcbaa417f54fc34c4

SHA512
e28a6adaa2ac146ab6f042133deee8dd20a5fb6da595ae141d3f2e3f80ffdb3c0e2fa513fdf424105c8761d9e2f7ddcd0d7f2096a706a16dddc394dd61aadbce

Download Submit
C:\Windows\{343F35FA-E0BB-4fa3-877A-3881A90D00F1}.exe
Filesize
180KB

MD5
e623526c25cc65a385ca0f0295d882b9

SHA1
7468ef3bb23f673a03b68f48e6ceccdb3edd18e6

SHA256
9c334384349dad73bca65296364d6816813aed06715f278290d02bfa37ab159a

SHA512
a3d963ace3939d98351346c2c8163c192e74dedebedb939d0bfdc820d5422977eb6a5600cf10d5fed813a4945055f7efbb2b325f299e774bb8398b0d504381b9

Download Submit
C:\Windows\{35FAC471-FD0A-4603-B975-9923F83F199E}.exe
Filesize
180KB

MD5
672d6cee8e20d08ceaeb0412b9180ab8

SHA1
8fd7e6123e0ea358fbc09d0357eb6b5562bd8af7

SHA256
1a4db20fe4a9dd1a4364baae0d09f6fd96f76b817b4474110c0f19eda4df2f1b

SHA512
a98615cc841e4306ff592bb2f63c2c640867dee252ae62124f9f8e0b9aaddf2c34846d31d1943e56727aa74bc907975a4d16750f7595bae6ed8c90a0f8616e43

Download Submit
C:\Windows\{4E6A555C-02B4-4c33-8390-E3BFDCB19016}.exe
Filesize
180KB

MD5
a0c9a0a754a9a3f654a4aa42653f52ba

SHA1
95fd4b69fca967b0e556288c545ae14cdc6379f4

SHA256
8dff96816030da791c059caf5cf0fe37d5306fe52c792fa230f159cbda53853a

SHA512
87b88768f1937b13a0f3327c07e0e1edb37e618f0319ef1465b3eb0ef7bc0f221ed39df045dc25add54165fdc9d7c40dd1cfe46fac8879d5cc992f6ca0d2dde8

Download Submit
C:\Windows\{61AC7A91-7C0F-441f-B881-725BEA73EC4B}.exe
Filesize
180KB

MD5
de6cdae47a12647a48f576065f01ce23

SHA1
b9c3de904e5dad493f6991af85cbf47c6cbc5000

SHA256
cd0c60a77499466942ec77c49dbaa4e96ba8c92af27389c88a71163a7123c3a8

SHA512
c6a4ec8b57b3398141933dd7f85c5907d0f4803c60c2aee93c1ab95c86342a95414df52b672a4efd00de94bc775738926807e1ef3544dacea2b3147f10550a4d

Download Submit
C:\Windows\{7EF3F064-CCA9-4d7c-83BD-F82C65F11729}.exe
Filesize
180KB

MD5
1d163510dc234abc0aad5ad338bdb463

SHA1
5d8d2b23f83a037770c5d356b2c7f52508315c16

SHA256
179f3bd798ff328aac073dc546e12f36bd446556753c96ee9b107a8bc4e1fe41

SHA512
6952e31741b74286bd7c46540314551e3d47b574d2d0ff8b2bd661585257949ae748e11cf10f274d542f70a345f1b8e229cb9969db50eaf89b98643758263b95

Download Submit
C:\Windows\{86EBF6AD-3DE4-4cd9-B229-CE3C57D23877}.exe
Filesize
180KB

MD5
f83b1b1d5a3e9657d4a58666d08a77d5

SHA1
287123f0d493f1de6026353312449e61ccfa4a41

SHA256
4125eb76bff3bee65c55243d600a5465115dda1013dda91561945283c523dd0e

SHA512
2c06dbcdc70350de91d89b79f3deff3b2b7cfd255f1d56faba567668d199428432680d231f5cfdf41746703261e315f99f6b278143cec2d1a055f2a548817dc7

Download Submit
C:\Windows\{AFE2BDC0-CF30-48e6-9781-7B1E68BA171E}.exe
Filesize
180KB

MD5
0744dc612c7db7f2b6bb66d895b21fea

SHA1
7d2fbe145f20f97664d3f3056f349728b0d5e060

SHA256
b415df9ee8be96a9551cca8282d550652c9aa5b5c0ab22a5bcb495af2e3bac31

SHA512
b09fb5e4c39bea87c13d7dcd31e3e157880dde0a1514441695bd44fe1583a4d4f38422781f723ef9e34de8efa66ba125f789a9a3e29ec076b9a06ab027c61e94

Download Submit
C:\Windows\{B1994AC4-0DC4-4ca4-81A8-06FE20BD6C65}.exe
Filesize
180KB

MD5
22bef019ac9e7cc87da14ea460e7274a

SHA1
1f3db26356b1152dfc5de2099f706068a7a268ed

SHA256
147cd24f1fbdbf6d7defa3437a5a4105ce000fe0c773a17c1ddb8d841cec66db

SHA512
683a2430ceec75b9f3a3819ed8fd8f4042a83bab0141e5417985e7464dbab8f73d9a3e45aa35b5a14b0264ad49b00d0ec242ee09e8c396a9166c341d2a17b625

Download Submit
C:\Windows\{C9ACE401-9175-40aa-A627-62A8CBBA605E}.exe
Filesize
180KB

MD5
29a142ccbf9d6cee4158f4b6c510f1c1

SHA1
8ef4c33491b8819592a2d9e2896e0976e79e91d8

SHA256
05dc64e6fc29f931b8a57b3c1325b450dc7d4a2bdd58a24828aa971cf68c8986

SHA512
175631959f27131a96f3cc51362e29577d7b2d4942506b82698fc8ce371cc6d08386dbf0805318b30a39a7d95b5dae9b10ceace53fc2c96208deb90f898169ae

Download Submit