6dbe641ca7f0e3fd18696d620aecdb8859713719b7533fd4c910e76bb0897c23

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe
Size

380KB
MD5

ac150528fe65b63041f0f868aa7661ca
SHA1

dde2304ffd5f0cf59d16a0b72bdf9919f28f68f1
SHA256

6dbe641ca7f0e3fd18696d620aecdb8859713719b7533fd4c910e76bb0897c23
SHA512

e8737f664edba7e6ec9b9093e686145e7c856a49ad98f9a914e0f5e0a17bd34ac3f0b93ed5abbc922e8d05477b497d2c71c235ad4ddd14931584b40a4869e6bf
SSDEEP

3072:mEGh0oYlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGul7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2821370B-94E8-4436-891A-F487DA680553}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A57075AC-CCDB-40a7-AB89-1E283C4C2671}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{41A8EE70-8B27-44d8-A3D2-D933C58E2C15}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe{2821370B-94E8-4436-891A-F487DA680553}.exe{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe{A57075AC-CCDB-40a7-AB89-1E283C4C2671}.exe{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE56DF69-FB60-4921-9D52-79D6B5EB5182}\stubpath = "C:\\Windows\\{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe"	{2821370B-94E8-4436-891A-F487DA680553}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A57075AC-CCDB-40a7-AB89-1E283C4C2671}\stubpath = "C:\\Windows\\{A57075AC-CCDB-40a7-AB89-1E283C4C2671}.exe"	{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41A8EE70-8B27-44d8-A3D2-D933C58E2C15}	{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}	2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3B191DE-6044-4c81-9F25-F462DBF47DC1}	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43A0383F-8DB2-457b-B6A7-503962A120A8}	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2821370B-94E8-4436-891A-F487DA680553}	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2821370B-94E8-4436-891A-F487DA680553}\stubpath = "C:\\Windows\\{2821370B-94E8-4436-891A-F487DA680553}.exe"	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E23A93BE-537C-4114-812B-F30E0AC5C73E}	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E23A93BE-537C-4114-812B-F30E0AC5C73E}\stubpath = "C:\\Windows\\{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe"	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}	{A57075AC-CCDB-40a7-AB89-1E283C4C2671}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}\stubpath = "C:\\Windows\\{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe"	2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3B191DE-6044-4c81-9F25-F462DBF47DC1}\stubpath = "C:\\Windows\\{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe"	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}\stubpath = "C:\\Windows\\{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe"	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE56DF69-FB60-4921-9D52-79D6B5EB5182}	{2821370B-94E8-4436-891A-F487DA680553}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8677936F-FA25-4f10-A942-DBEEBC36B59C}\stubpath = "C:\\Windows\\{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe"	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43A0383F-8DB2-457b-B6A7-503962A120A8}\stubpath = "C:\\Windows\\{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe"	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8677936F-FA25-4f10-A942-DBEEBC36B59C}	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A57075AC-CCDB-40a7-AB89-1E283C4C2671}	{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}\stubpath = "C:\\Windows\\{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe"	{A57075AC-CCDB-40a7-AB89-1E283C4C2671}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41A8EE70-8B27-44d8-A3D2-D933C58E2C15}\stubpath = "C:\\Windows\\{41A8EE70-8B27-44d8-A3D2-D933C58E2C15}.exe"	{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2756 cmd.exe

pid	process
2756	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe{2821370B-94E8-4436-891A-F487DA680553}.exe{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe{A57075AC-CCDB-40a7-AB89-1E283C4C2671}.exe{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe{41A8EE70-8B27-44d8-A3D2-D933C58E2C15}.exe

pid	process
2316	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe
2840	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe
3008	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe
572	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe
1020	{2821370B-94E8-4436-891A-F487DA680553}.exe
2608	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe
1152	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe
2836	{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe
948	{A57075AC-CCDB-40a7-AB89-1E283C4C2671}.exe
2128	{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe
2940	{41A8EE70-8B27-44d8-A3D2-D933C58E2C15}.exe

Drops file in Windows directory 11 IoCs

Processes:

{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe{2821370B-94E8-4436-891A-F487DA680553}.exe{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe{A57075AC-CCDB-40a7-AB89-1E283C4C2671}.exe{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe

description	ioc	process
File created	C:\Windows\{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe
File created	C:\Windows\{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe
File created	C:\Windows\{A57075AC-CCDB-40a7-AB89-1E283C4C2671}.exe	{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe
File created	C:\Windows\{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe	2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe
File created	C:\Windows\{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe
File created	C:\Windows\{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe
File created	C:\Windows\{2821370B-94E8-4436-891A-F487DA680553}.exe	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe
File created	C:\Windows\{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe	{2821370B-94E8-4436-891A-F487DA680553}.exe
File created	C:\Windows\{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe
File created	C:\Windows\{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe	{A57075AC-CCDB-40a7-AB89-1E283C4C2671}.exe
File created	C:\Windows\{41A8EE70-8B27-44d8-A3D2-D933C58E2C15}.exe	{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe{2821370B-94E8-4436-891A-F487DA680553}.exe{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe{A57075AC-CCDB-40a7-AB89-1E283C4C2671}.exe{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2088	2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2316	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe
Token: SeIncBasePriorityPrivilege	2840	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe
Token: SeIncBasePriorityPrivilege	3008	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe
Token: SeIncBasePriorityPrivilege	572	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe
Token: SeIncBasePriorityPrivilege	1020	{2821370B-94E8-4436-891A-F487DA680553}.exe
Token: SeIncBasePriorityPrivilege	2608	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe
Token: SeIncBasePriorityPrivilege	1152	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe
Token: SeIncBasePriorityPrivilege	2836	{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe
Token: SeIncBasePriorityPrivilege	948	{A57075AC-CCDB-40a7-AB89-1E283C4C2671}.exe
Token: SeIncBasePriorityPrivilege	2128	{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2088 wrote to memory of 2316	2088	2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe
PID 2088 wrote to memory of 2316	2088	2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe
PID 2088 wrote to memory of 2316	2088	2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe
PID 2088 wrote to memory of 2316	2088	2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe
PID 2088 wrote to memory of 2756	2088	2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe	cmd.exe
PID 2088 wrote to memory of 2756	2088	2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe	cmd.exe
PID 2088 wrote to memory of 2756	2088	2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe	cmd.exe
PID 2088 wrote to memory of 2756	2088	2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe	cmd.exe
PID 2316 wrote to memory of 2840	2316	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe
PID 2316 wrote to memory of 2840	2316	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe
PID 2316 wrote to memory of 2840	2316	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe
PID 2316 wrote to memory of 2840	2316	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe
PID 2316 wrote to memory of 2776	2316	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe	cmd.exe
PID 2316 wrote to memory of 2776	2316	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe	cmd.exe
PID 2316 wrote to memory of 2776	2316	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe	cmd.exe
PID 2316 wrote to memory of 2776	2316	{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe	cmd.exe
PID 2840 wrote to memory of 3008	2840	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe
PID 2840 wrote to memory of 3008	2840	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe
PID 2840 wrote to memory of 3008	2840	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe
PID 2840 wrote to memory of 3008	2840	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe
PID 2840 wrote to memory of 2176	2840	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe	cmd.exe
PID 2840 wrote to memory of 2176	2840	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe	cmd.exe
PID 2840 wrote to memory of 2176	2840	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe	cmd.exe
PID 2840 wrote to memory of 2176	2840	{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe	cmd.exe
PID 3008 wrote to memory of 572	3008	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe
PID 3008 wrote to memory of 572	3008	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe
PID 3008 wrote to memory of 572	3008	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe
PID 3008 wrote to memory of 572	3008	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe
PID 3008 wrote to memory of 1184	3008	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe	cmd.exe
PID 3008 wrote to memory of 1184	3008	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe	cmd.exe
PID 3008 wrote to memory of 1184	3008	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe	cmd.exe
PID 3008 wrote to memory of 1184	3008	{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe	cmd.exe
PID 572 wrote to memory of 1020	572	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe	{2821370B-94E8-4436-891A-F487DA680553}.exe
PID 572 wrote to memory of 1020	572	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe	{2821370B-94E8-4436-891A-F487DA680553}.exe
PID 572 wrote to memory of 1020	572	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe	{2821370B-94E8-4436-891A-F487DA680553}.exe
PID 572 wrote to memory of 1020	572	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe	{2821370B-94E8-4436-891A-F487DA680553}.exe
PID 572 wrote to memory of 2904	572	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe	cmd.exe
PID 572 wrote to memory of 2904	572	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe	cmd.exe
PID 572 wrote to memory of 2904	572	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe	cmd.exe
PID 572 wrote to memory of 2904	572	{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe	cmd.exe
PID 1020 wrote to memory of 2608	1020	{2821370B-94E8-4436-891A-F487DA680553}.exe	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe
PID 1020 wrote to memory of 2608	1020	{2821370B-94E8-4436-891A-F487DA680553}.exe	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe
PID 1020 wrote to memory of 2608	1020	{2821370B-94E8-4436-891A-F487DA680553}.exe	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe
PID 1020 wrote to memory of 2608	1020	{2821370B-94E8-4436-891A-F487DA680553}.exe	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe
PID 1020 wrote to memory of 2528	1020	{2821370B-94E8-4436-891A-F487DA680553}.exe	cmd.exe
PID 1020 wrote to memory of 2528	1020	{2821370B-94E8-4436-891A-F487DA680553}.exe	cmd.exe
PID 1020 wrote to memory of 2528	1020	{2821370B-94E8-4436-891A-F487DA680553}.exe	cmd.exe
PID 1020 wrote to memory of 2528	1020	{2821370B-94E8-4436-891A-F487DA680553}.exe	cmd.exe
PID 2608 wrote to memory of 1152	2608	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe
PID 2608 wrote to memory of 1152	2608	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe
PID 2608 wrote to memory of 1152	2608	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe
PID 2608 wrote to memory of 1152	2608	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe
PID 2608 wrote to memory of 1492	2608	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe	cmd.exe
PID 2608 wrote to memory of 1492	2608	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe	cmd.exe
PID 2608 wrote to memory of 1492	2608	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe	cmd.exe
PID 2608 wrote to memory of 1492	2608	{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe	cmd.exe
PID 1152 wrote to memory of 2836	1152	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe	{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe
PID 1152 wrote to memory of 2836	1152	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe	{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe
PID 1152 wrote to memory of 2836	1152	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe	{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe
PID 1152 wrote to memory of 2836	1152	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe	{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe
PID 1152 wrote to memory of 2716	1152	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe	cmd.exe
PID 1152 wrote to memory of 2716	1152	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe	cmd.exe
PID 1152 wrote to memory of 2716	1152	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe	cmd.exe
PID 1152 wrote to memory of 2716	1152	{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_ac150528fe65b63041f0f868aa7661ca_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe
C:\Windows\{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe
C:\Windows\{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe
C:\Windows\{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe
C:\Windows\{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2F7D9~1.EXE > nul
6⤵
PID:2904

C:\Windows\{2821370B-94E8-4436-891A-F487DA680553}.exe
C:\Windows\{2821370B-94E8-4436-891A-F487DA680553}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe
C:\Windows\{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FE56D~1.EXE > nul
8⤵
PID:1492

C:\Windows\{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe
C:\Windows\{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe
C:\Windows\{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{86779~1.EXE > nul
10⤵
PID:2636

C:\Windows\{A57075AC-CCDB-40a7-AB89-1E283C4C2671}.exe
C:\Windows\{A57075AC-CCDB-40a7-AB89-1E283C4C2671}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A5707~1.EXE > nul
11⤵
PID:3068

C:\Windows\{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe
C:\Windows\{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6F492~1.EXE > nul
12⤵
PID:2372

C:\Windows\{41A8EE70-8B27-44d8-A3D2-D933C58E2C15}.exe
C:\Windows\{41A8EE70-8B27-44d8-A3D2-D933C58E2C15}.exe
12⤵
- Executes dropped EXE
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E23A9~1.EXE > nul
9⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{28213~1.EXE > nul
7⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{43A03~1.EXE > nul
5⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F3B19~1.EXE > nul
4⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BFBA0~1.EXE > nul
3⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2821370B-94E8-4436-891A-F487DA680553}.exe

Filesize
380KB

MD5
8177ef7eee8119c7cc3b6cc89431742f

SHA1
ddcfac9775e11e887b25927de21fd1b1dca5a9b6

SHA256
1cacf14b1e2cf25c099d605b95192370739445fedfbae55bb183b9cfdf6020cb

SHA512
3691e0127010e28f1c7daddb02dbbe061257898402939d5bf1b1d850467277679c5151d2385124e7e0b413cf1f9a07de72ca51b4156cffca25d956a3230b61b7

Download Submit
C:\Windows\{2F7D9FA3-4FB1-4547-90EC-64BE63CA65BA}.exe

Filesize
380KB

MD5
2e64c50dd9433902bca444ddac9f18e7

SHA1
6059182572c7e3b6725d9330e66104d3e4b8f445

SHA256
e1114c7225480bb8fb426e14683cf45d97d9ef32821cdfcd03c1c168588df616

SHA512
1d543e017c727152ea32a2e8765102efdeace9512780efb716e2a3c6b806099a71b5fa8ba0ad4919a356a94ca0e13498863f30ba0faa46a2650b93e8eb2552b5

Download Submit
C:\Windows\{41A8EE70-8B27-44d8-A3D2-D933C58E2C15}.exe

Filesize
380KB

MD5
f102714a0a117c8563e1d3ba34e89c1c

SHA1
c1d38cc95415f374a7d864462fc287ac6a21fe20

SHA256
1d55e40daa9c60eec686e68f467581be56378cade96fd1da71814ae0843e23a5

SHA512
52d58ba9b3664c85dff83743911078b56593ada5b0338a5dc6714426981d975add8c94e007376db091e5cfa9de3892bb245954476d74b80e6a3400ccb5d08b27

Download Submit
C:\Windows\{43A0383F-8DB2-457b-B6A7-503962A120A8}.exe

Filesize
380KB

MD5
23a0e5664f86f53df6f37604e1bdfc29

SHA1
d728d0ad22527aa69dbd1266e40b7d8f89c28bd8

SHA256
a3c0ccb33ceac47a5d16188c5866864d053e16dd344b04bf6ca044f9ea122954

SHA512
435a0002b05b291c4708726e142a4d81e205d3d9710580b9e0c46238423c8d486369bc411b8deb8663d3f10cad71cefa52be6e2a1578c0c8e66c13fe0c651ec5

Download Submit
C:\Windows\{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe

Filesize
380KB

MD5
c1f819be3bbbcec1bb155dc08471aa1c

SHA1
cd7e7ed2e5b80565d3f147ed77cc3c3f005e834f

SHA256
6d4ab3fe427af14024406b0df465d72517d794feab748024d1857dd02417786d

SHA512
f4f7b44861b3da22fcd975afbfd8673bb959376656d0d729e0a4114e9a87df307c882aadcaf7b2c10045958e4c0a00ea205a5c8fd95513a7b0f063d1e11bb7e6

Download Submit
C:\Windows\{6F492F97-63CB-4c8c-91A2-6D0C0ED78680}.exe

Filesize
146KB

MD5
23f8c7393d8af19f54805226af0138c7

SHA1
4819073d3e7d30ba387f3e5ec1f0d286e1fcf651

SHA256
16f1ca37c81760f70b2beab71dd5a1f165981ee7c97e537996bb5f95b537c3dd

SHA512
a1465ddcd813da5835b6bd58a0354e538fa6089c9ac4317ad735a56320b0d22a7b3cf43acb1f0ac5dbdbc086ea588e775db6e6f433421c776d8f98e12ec0efde

Download Submit
C:\Windows\{8677936F-FA25-4f10-A942-DBEEBC36B59C}.exe

Filesize
380KB

MD5
31f447cd4c92136b71c349d5e9c3e061

SHA1
fc9e6bcb0a4fe08aa24584aadd22be187747caa6

SHA256
f076b79f1865fccbddc7cb0f81e07a79ac2e173731b4cb34fda3a86469e9d12f

SHA512
2e8579f55ef7e81cae9d53224387be38657f8d570214984b38352a4a33423a28c5a7f20cedbcafcdbe7cc7563548311bed150359899c5d23234da4c6249f870a

Download Submit
C:\Windows\{A57075AC-CCDB-40a7-AB89-1E283C4C2671}.exe

Filesize
380KB

MD5
4897d858e7fe885c9ea25b3b05f1034a

SHA1
9c3ed3262b75e80647c224578040f705b005e1d3

SHA256
3fdd1072226e33a73607308c04a9856c2ec826666984307705720216f6d2ef8c

SHA512
14fa038dc4fa10f97cd33f96d1f2043aff4721ea051373cdcb2cfda830f66c8455f8dc07de522964580cf5d537eca0df24756b78e2b9546809ae47818314e4f0

Download Submit
C:\Windows\{BFBA0B16-6D41-4859-94E7-E9D8D4F35340}.exe

Filesize
380KB

MD5
2727a6f9a852f73fac7ac6137b9fe77d

SHA1
cf73e1ba493e2adad4c3319563ca1039530d14ee

SHA256
89230aaeca89b78fa20ef55dc9566fc6248953af965772bde09cea3b41dfad03

SHA512
f2850c794d78b8867e0ebbfa3691ad0b37d1ea473fe184103732ae43d63920149d1d3b4db806c57d7bb5af23ddc75247ec9bd6704c87fa8869da70206ca768cd

Download Submit
C:\Windows\{E23A93BE-537C-4114-812B-F30E0AC5C73E}.exe

Filesize
380KB

MD5
dcc04b4a3a56dcc833b40c421c5e8327

SHA1
f5a24b6bc508c7632741117eb628e11049b1d844

SHA256
0f3c0499e83d469a2d139f6a6c272cfd3be24928febff6afbfeea5498775dc42

SHA512
5124475e7a748f6dd501139c8dbdf52a62cf5b28bc8be7fadd02621cf431db112d3a78ea3556f8ea3d190d208067423d067ecf12cdcb4c23787afd122e421cab

Download Submit
C:\Windows\{F3B191DE-6044-4c81-9F25-F462DBF47DC1}.exe

Filesize
380KB

MD5
b4d8cc15c38d9ea34f81b2c9520649ad

SHA1
8bac0348847f00181d0d13937af5ccb60e79177e

SHA256
b05eb2cca53100cd2bdef3539c07030a88f9a94671817fd129e3167465539bb0

SHA512
ee55072feaf72c46f35ff5c79b1b3f6a9ac311a97e4e068ef3ae8500dd8fa571bd8a84c909e01d7210f8d82914a273fb7be5644bf69a72d89ae6eefa5c089452

Download Submit
C:\Windows\{FE56DF69-FB60-4921-9D52-79D6B5EB5182}.exe

Filesize
380KB

MD5
6ce4e3aa5250e12f35c36a9503a4fdce

SHA1
e0697fee17547ee5cd0f41156b6bb038538cd509

SHA256
ec7b5a0a30f4c8f0f7cc28bbb5086523524d710a449da9126209aa40bd8adddf

SHA512
df417c89f5538c0f3eebd08af150d9d2897ab2082a475bd5fd969a2275aaabfcb6e20a43a6d45cce66fb0cd26e8c895e270e6863bc507ae37bae11ae715222c3

Download Submit