2ece83ea80366c0bf0d14ae38c174e1e9ac549d08107cd622d6a462866c0401a

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe
Size

180KB
MD5

aae45d2cff1caed60c2275d4aca689c0
SHA1

ae879eb54cfa52b587fe5409294cdc5d2e455779
SHA256

2ece83ea80366c0bf0d14ae38c174e1e9ac549d08107cd622d6a462866c0401a
SHA512

a0c33514fe44ca13254ca1ba529b91c8cbf956f9966aece41629fea0119e2ce93823cd5f6030f5cdc655e42c29bb4109fd2e422f5995e3cbdffa5fa5f8ceaea8
SSDEEP

3072:jEGh0oslfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGCl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B74F063B-FED8-4d23-BB7F-27E895615222}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{08631513-52A4-402d-861E-9F5357C61E40}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BDE2C9D5-31C6-4043-AA30-06FE80076FAA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe{B74F063B-FED8-4d23-BB7F-27E895615222}.exe{08631513-52A4-402d-861E-9F5357C61E40}.exe{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDE2C9D5-31C6-4043-AA30-06FE80076FAA}	{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}\stubpath = "C:\\Windows\\{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe"	2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}	{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56F1A353-901B-48ce-B4DD-6D5732D92952}	{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}\stubpath = "C:\\Windows\\{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe"	{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08631513-52A4-402d-861E-9F5357C61E40}	{B74F063B-FED8-4d23-BB7F-27E895615222}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00DD664B-84B4-491a-B5B5-56A6DB065374}	{08631513-52A4-402d-861E-9F5357C61E40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}\stubpath = "C:\\Windows\\{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe"	{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A830FE51-A55A-4375-A6A6-330BA4DED753}\stubpath = "C:\\Windows\\{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe"	{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B74F063B-FED8-4d23-BB7F-27E895615222}\stubpath = "C:\\Windows\\{B74F063B-FED8-4d23-BB7F-27E895615222}.exe"	{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00DD664B-84B4-491a-B5B5-56A6DB065374}\stubpath = "C:\\Windows\\{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe"	{08631513-52A4-402d-861E-9F5357C61E40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{037A3E04-7FE5-474e-9687-E1FA3CA73A64}\stubpath = "C:\\Windows\\{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe"	{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08631513-52A4-402d-861E-9F5357C61E40}\stubpath = "C:\\Windows\\{08631513-52A4-402d-861E-9F5357C61E40}.exe"	{B74F063B-FED8-4d23-BB7F-27E895615222}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}	2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56F1A353-901B-48ce-B4DD-6D5732D92952}\stubpath = "C:\\Windows\\{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe"	{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}	{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}\stubpath = "C:\\Windows\\{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe"	{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A830FE51-A55A-4375-A6A6-330BA4DED753}	{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}	{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDE2C9D5-31C6-4043-AA30-06FE80076FAA}\stubpath = "C:\\Windows\\{BDE2C9D5-31C6-4043-AA30-06FE80076FAA}.exe"	{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}	{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}\stubpath = "C:\\Windows\\{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe"	{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{037A3E04-7FE5-474e-9687-E1FA3CA73A64}	{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B74F063B-FED8-4d23-BB7F-27E895615222}	{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe

Executes dropped EXE 12 IoCs

Processes:

{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe{B74F063B-FED8-4d23-BB7F-27E895615222}.exe{08631513-52A4-402d-861E-9F5357C61E40}.exe{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe{BDE2C9D5-31C6-4043-AA30-06FE80076FAA}.exe

pid	process
1100	{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe
4160	{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe
3976	{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe
1856	{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe
2656	{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe
1844	{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe
4536	{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe
5068	{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe
1752	{B74F063B-FED8-4d23-BB7F-27E895615222}.exe
320	{08631513-52A4-402d-861E-9F5357C61E40}.exe
3520	{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe
2664	{BDE2C9D5-31C6-4043-AA30-06FE80076FAA}.exe

Drops file in Windows directory 12 IoCs

Processes:

{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe{B74F063B-FED8-4d23-BB7F-27E895615222}.exe{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe{08631513-52A4-402d-861E-9F5357C61E40}.exe{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe

description	ioc	process
File created	C:\Windows\{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe	{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe
File created	C:\Windows\{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe	{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe
File created	C:\Windows\{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe	{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe
File created	C:\Windows\{B74F063B-FED8-4d23-BB7F-27E895615222}.exe	{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe
File created	C:\Windows\{08631513-52A4-402d-861E-9F5357C61E40}.exe	{B74F063B-FED8-4d23-BB7F-27E895615222}.exe
File created	C:\Windows\{BDE2C9D5-31C6-4043-AA30-06FE80076FAA}.exe	{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe
File created	C:\Windows\{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe	2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe
File created	C:\Windows\{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe	{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe
File created	C:\Windows\{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe	{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe
File created	C:\Windows\{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe	{08631513-52A4-402d-861E-9F5357C61E40}.exe
File created	C:\Windows\{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe	{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe
File created	C:\Windows\{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe	{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe{B74F063B-FED8-4d23-BB7F-27E895615222}.exe{08631513-52A4-402d-861E-9F5357C61E40}.exe{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4112	2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1100	{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe
Token: SeIncBasePriorityPrivilege	4160	{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe
Token: SeIncBasePriorityPrivilege	3976	{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe
Token: SeIncBasePriorityPrivilege	1856	{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe
Token: SeIncBasePriorityPrivilege	2656	{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe
Token: SeIncBasePriorityPrivilege	1844	{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe
Token: SeIncBasePriorityPrivilege	4536	{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe
Token: SeIncBasePriorityPrivilege	5068	{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe
Token: SeIncBasePriorityPrivilege	1752	{B74F063B-FED8-4d23-BB7F-27E895615222}.exe
Token: SeIncBasePriorityPrivilege	320	{08631513-52A4-402d-861E-9F5357C61E40}.exe
Token: SeIncBasePriorityPrivilege	3520	{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4112 wrote to memory of 1100	4112	2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe	{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe
PID 4112 wrote to memory of 1100	4112	2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe	{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe
PID 4112 wrote to memory of 1100	4112	2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe	{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe
PID 4112 wrote to memory of 2320	4112	2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe	cmd.exe
PID 4112 wrote to memory of 2320	4112	2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe	cmd.exe
PID 4112 wrote to memory of 2320	4112	2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe	cmd.exe
PID 1100 wrote to memory of 4160	1100	{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe	{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe
PID 1100 wrote to memory of 4160	1100	{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe	{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe
PID 1100 wrote to memory of 4160	1100	{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe	{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe
PID 1100 wrote to memory of 4892	1100	{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe	cmd.exe
PID 1100 wrote to memory of 4892	1100	{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe	cmd.exe
PID 1100 wrote to memory of 4892	1100	{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe	cmd.exe
PID 4160 wrote to memory of 3976	4160	{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe	{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe
PID 4160 wrote to memory of 3976	4160	{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe	{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe
PID 4160 wrote to memory of 3976	4160	{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe	{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe
PID 4160 wrote to memory of 3892	4160	{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe	cmd.exe
PID 4160 wrote to memory of 3892	4160	{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe	cmd.exe
PID 4160 wrote to memory of 3892	4160	{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe	cmd.exe
PID 3976 wrote to memory of 1856	3976	{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe	{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe
PID 3976 wrote to memory of 1856	3976	{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe	{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe
PID 3976 wrote to memory of 1856	3976	{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe	{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe
PID 3976 wrote to memory of 984	3976	{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe	cmd.exe
PID 3976 wrote to memory of 984	3976	{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe	cmd.exe
PID 3976 wrote to memory of 984	3976	{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe	cmd.exe
PID 1856 wrote to memory of 2656	1856	{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe	{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe
PID 1856 wrote to memory of 2656	1856	{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe	{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe
PID 1856 wrote to memory of 2656	1856	{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe	{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe
PID 1856 wrote to memory of 4484	1856	{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe	cmd.exe
PID 1856 wrote to memory of 4484	1856	{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe	cmd.exe
PID 1856 wrote to memory of 4484	1856	{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe	cmd.exe
PID 2656 wrote to memory of 1844	2656	{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe	{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe
PID 2656 wrote to memory of 1844	2656	{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe	{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe
PID 2656 wrote to memory of 1844	2656	{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe	{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe
PID 2656 wrote to memory of 3080	2656	{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe	cmd.exe
PID 2656 wrote to memory of 3080	2656	{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe	cmd.exe
PID 2656 wrote to memory of 3080	2656	{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe	cmd.exe
PID 1844 wrote to memory of 4536	1844	{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe	{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe
PID 1844 wrote to memory of 4536	1844	{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe	{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe
PID 1844 wrote to memory of 4536	1844	{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe	{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe
PID 1844 wrote to memory of 2876	1844	{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe	cmd.exe
PID 1844 wrote to memory of 2876	1844	{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe	cmd.exe
PID 1844 wrote to memory of 2876	1844	{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe	cmd.exe
PID 4536 wrote to memory of 5068	4536	{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe	{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe
PID 4536 wrote to memory of 5068	4536	{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe	{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe
PID 4536 wrote to memory of 5068	4536	{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe	{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe
PID 4536 wrote to memory of 2188	4536	{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe	cmd.exe
PID 4536 wrote to memory of 2188	4536	{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe	cmd.exe
PID 4536 wrote to memory of 2188	4536	{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe	cmd.exe
PID 5068 wrote to memory of 1752	5068	{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe	{B74F063B-FED8-4d23-BB7F-27E895615222}.exe
PID 5068 wrote to memory of 1752	5068	{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe	{B74F063B-FED8-4d23-BB7F-27E895615222}.exe
PID 5068 wrote to memory of 1752	5068	{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe	{B74F063B-FED8-4d23-BB7F-27E895615222}.exe
PID 5068 wrote to memory of 4832	5068	{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe	cmd.exe
PID 5068 wrote to memory of 4832	5068	{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe	cmd.exe
PID 5068 wrote to memory of 4832	5068	{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe	cmd.exe
PID 1752 wrote to memory of 320	1752	{B74F063B-FED8-4d23-BB7F-27E895615222}.exe	{08631513-52A4-402d-861E-9F5357C61E40}.exe
PID 1752 wrote to memory of 320	1752	{B74F063B-FED8-4d23-BB7F-27E895615222}.exe	{08631513-52A4-402d-861E-9F5357C61E40}.exe
PID 1752 wrote to memory of 320	1752	{B74F063B-FED8-4d23-BB7F-27E895615222}.exe	{08631513-52A4-402d-861E-9F5357C61E40}.exe
PID 1752 wrote to memory of 2028	1752	{B74F063B-FED8-4d23-BB7F-27E895615222}.exe	cmd.exe
PID 1752 wrote to memory of 2028	1752	{B74F063B-FED8-4d23-BB7F-27E895615222}.exe	cmd.exe
PID 1752 wrote to memory of 2028	1752	{B74F063B-FED8-4d23-BB7F-27E895615222}.exe	cmd.exe
PID 320 wrote to memory of 3520	320	{08631513-52A4-402d-861E-9F5357C61E40}.exe	{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe
PID 320 wrote to memory of 3520	320	{08631513-52A4-402d-861E-9F5357C61E40}.exe	{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe
PID 320 wrote to memory of 3520	320	{08631513-52A4-402d-861E-9F5357C61E40}.exe	{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe
PID 320 wrote to memory of 3156	320	{08631513-52A4-402d-861E-9F5357C61E40}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_aae45d2cff1caed60c2275d4aca689c0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe
C:\Windows\{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe
C:\Windows\{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CEEC8~1.EXE > nul
4⤵
PID:3892

C:\Windows\{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe
C:\Windows\{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe
C:\Windows\{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe
C:\Windows\{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe
C:\Windows\{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe
C:\Windows\{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe
C:\Windows\{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\{B74F063B-FED8-4d23-BB7F-27E895615222}.exe
C:\Windows\{B74F063B-FED8-4d23-BB7F-27E895615222}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\{08631513-52A4-402d-861E-9F5357C61E40}.exe
C:\Windows\{08631513-52A4-402d-861E-9F5357C61E40}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe
C:\Windows\{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\{BDE2C9D5-31C6-4043-AA30-06FE80076FAA}.exe
C:\Windows\{BDE2C9D5-31C6-4043-AA30-06FE80076FAA}.exe
13⤵
- Executes dropped EXE
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{00DD6~1.EXE > nul
13⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{08631~1.EXE > nul
12⤵
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B74F0~1.EXE > nul
11⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{037A3~1.EXE > nul
10⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B9B86~1.EXE > nul
9⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A830F~1.EXE > nul
8⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EE0CE~1.EXE > nul
7⤵
PID:3080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D6EBD~1.EXE > nul
6⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{56F1A~1.EXE > nul
5⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DFCB7~1.EXE > nul
3⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00DD664B-84B4-491a-B5B5-56A6DB065374}.exe

Filesize
180KB

MD5
942fee81e514b1ef4bd6394c5ddf0bf8

SHA1
e26a3105f1656a4b273ac9eb948e6cc18050fba8

SHA256
798477f3a39a1d16f5941fc40126130465ae27914890d214f6ea860bac9bb7e5

SHA512
150432014f32d2899f90a5e5bb64410b72f51778c46398984d4b3a1979d6691a07b9b08baf8646290900005e9a890604858739505fafd65da89c478076e7872b

Download Submit
C:\Windows\{037A3E04-7FE5-474e-9687-E1FA3CA73A64}.exe

Filesize
180KB

MD5
f4768fbdf3d2e462fb2838ae3eaa8629

SHA1
cd0135de729bba5ead148b6fbf58760004d837fa

SHA256
fddf5e26787aa83e5fad337633ece895e9e782b11d23a98c456dad0edd1a644e

SHA512
2b5037c200ee05af05339c3c15b2c98cc873a17af9512b5e2e87d54d08621be63cb1ddd985e16e2a77e514da6d0ff84702be8c9e41d49686da13ebb4908ebdd5

Download Submit
C:\Windows\{08631513-52A4-402d-861E-9F5357C61E40}.exe

Filesize
180KB

MD5
625bbac9a0bdb2a00d1baf46bdcfb8ff

SHA1
0d06768026b50a44a6e6713207c6ec918a0af0d0

SHA256
a3a88cc144bee0fbed9bb4903c357115111e6e8489384d32e0e29bfe28be4215

SHA512
42c5716ae5a75580ce1c50d133f6800bb8b7508bd3e7342f4122e657e2bb471fa714c329efd0acb439ce138dd9b0e82bde143fe3648097d358c7fb76828fed22

Download Submit
C:\Windows\{56F1A353-901B-48ce-B4DD-6D5732D92952}.exe

Filesize
180KB

MD5
be2207a9aa58e29b6736dbe00089e76e

SHA1
e34b6c061d2f762f1085082e1ed1c4ef0027843a

SHA256
0693ad50b027a12259984d76e758928c8cbfd01faf03f4a9740e851714138463

SHA512
47a054afa5169ab15014464a3a846598aff09afab45a807aef5a3deb8b1e4f204e9428f0a677c03b3fe1630fb72ef710595886dd007019b937015698d449337f

Download Submit
C:\Windows\{A830FE51-A55A-4375-A6A6-330BA4DED753}.exe

Filesize
180KB

MD5
1e27b1805e59eb294428433fec0ab22b

SHA1
3fa984075cc401e3c707b0e6c7ab28f151d65cbd

SHA256
2e2e419e7c5694c067555e07832c227e886bd239d1162c703a8460c19aa599a0

SHA512
c1e5249c2d9dbf393173b64edd7bb95b8c7d93a651e70e3dab25437b254fe2a6dd332f66ed542d3905cadbe8b7db0f2516aa4d663f7c06511ba146cd4bc9c19e

Download Submit
C:\Windows\{B74F063B-FED8-4d23-BB7F-27E895615222}.exe

Filesize
180KB

MD5
7d30be5ae508af80fd185dfb24733c10

SHA1
928e790a430c555424f57e5cb2abed00b50d49a7

SHA256
68ceb3d3125d85dba06d7d28246d659051bf56b14c9b8699ed33cbff5ca5b99e

SHA512
0d5dedd88c541752c1c5c1f7ddce59c482145b1590354c68eda6521aee7a627414bcad58b6123c8f04063a4e749eea75d668c74f914a87e4782c3aec3dfa2b60

Download Submit
C:\Windows\{B9B86436-7304-4311-9C4C-A3B2B7CCC7C0}.exe

Filesize
180KB

MD5
8165dbd6e53708a1f1d49ae54b13fe27

SHA1
dcdfeabfc1412f31078539233bf73489233a3949

SHA256
dbbb5c8c79cd800c6a882e2b57c09105e664e54b9ae30eec22701753e57c69d8

SHA512
4ca44e7ae09c40ce9d11a73993dd3a019965b9439ad0e3cfe787c4c6035890bc8c4a93941eb18dde6a6acdc1b1d2ae176406943f3be29a04face135be55f5c59

Download Submit
C:\Windows\{BDE2C9D5-31C6-4043-AA30-06FE80076FAA}.exe

Filesize
180KB

MD5
8da5e9cbe7e67e29a8df7c6af9348a65

SHA1
36ba5b633e10a7b374d39ab7f28b6e5c71bbdf40

SHA256
6dfe1e2f165c62e390838926eaeea39e82cc080cee0457cc4bd090e8da62436b

SHA512
99cd852c573950c2d82ff0b006cd01218da1142d93072add2d78e5abe306bf37d7de50f3f76ac19d1a98f321a4399025f0d0f76006c3ccf48265234820d299da

Download Submit
C:\Windows\{CEEC86C0-1DA6-4093-B87F-9A1A8F98EFDA}.exe

Filesize
180KB

MD5
b87a69cb34b5987a15933a161a3ed791

SHA1
47745e8e91dcd303e1a345c789c4319deeae0551

SHA256
ae913b8bfda48af98b3113483c6f764b3629693177699b979a1c39e41e38f31e

SHA512
9fc05f2758fcb78e5efda5043abf23e2f81bb49f48dc85c616a6a7e67a7bc29b743b687c033b0f4b3946785607212e55e94964fedf076741a942f934185befc9

Download Submit
C:\Windows\{D6EBDB7B-61C3-4816-AA9E-A23CA006A86B}.exe

Filesize
180KB

MD5
424c4c193d4e6e1b032288f3b25a1be1

SHA1
6216fc9f04728e0d7b96aeb6f67d6239169a8e4a

SHA256
bba89ab4e7bc3d05e169f18fedaa790952e8a14eef75d3d4a0cb7755e38ceca0

SHA512
c5c4bf10beffdeb94b9a20028c490efe8d7e7d4fe2375cc7dce20eb5428f8d52ae58230327a6c923b0d37893fbae7856010a54a9aee00c195a46706eb0300625

Download Submit
C:\Windows\{DFCB7CD8-34D0-4cce-A4A6-4D0F068256E5}.exe

Filesize
180KB

MD5
505439e1281625301a27f34ba60b5688

SHA1
2f55498705c258dd194176549463aa3cc2253d9d

SHA256
423bcb53dfee204dd020a860938ef86f947b73a047e7a7ff17c7f574b19a2c40

SHA512
45612dd583a3be0f39edf5abc341427286130533eb95f9e56ac20bb9c7858df787087509cb0a3ed86c3ca38827930fe354cb8897baa58c9b6fccf7ca9d35eabe

Download Submit
C:\Windows\{EE0CE317-BC2A-43d0-B2AD-4AA2CF2B7A87}.exe

Filesize
180KB

MD5
df4c14582216d4e92cd308d33a5e7d3f

SHA1
576ed55508d76ed22c80d92f4519029181651f59

SHA256
77dc6fa4f8fcc0756955f426a86b0b673052280bf0212fee11a290d5e31e66ec

SHA512
61fcb35bb9d2423a9a93fee6d200a095c8b6c3078d2d9613692dad5f5ed891af90dd6fc498ca0af21ecc27ee524917356bdeeb0126d337259291adeb48168759

Download Submit