d74c9b9e40f432e631b7dd623eb5195680242079fa0abfb2d34d3c15d91e615f

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-04-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
Size

168KB
MD5

ce91d0c905bccaba39047e0175c6b6cf
SHA1

a3f82237a9838a73f60542f1c5fef3fbc41111e4
SHA256

d74c9b9e40f432e631b7dd623eb5195680242079fa0abfb2d34d3c15d91e615f
SHA512

cffde8743d59216a2988ef01044139ad08740c99574e79cb71a3840a87df9d7bdedd15ee0122b86920a1e2b16832e45a1b0af871d4c278fda03ffe44014c9842
SSDEEP

1536:1EGh0oVlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oVlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{421FBC1F-EDB5-443c-A188-EE44C635F847}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4F9847B4-BC43-4037-907B-801AC38693D3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{30E4F62A-0675-4264-B950-945C98EC020E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe{4F9847B4-BC43-4037-907B-801AC38693D3}.exe{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe{421FBC1F-EDB5-443c-A188-EE44C635F847}.exe{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6052A84-8B05-4f04-9E16-B5BB966B9D45}	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}\stubpath = "C:\\Windows\\{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe"	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30E4F62A-0675-4264-B950-945C98EC020E}	{4F9847B4-BC43-4037-907B-801AC38693D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}\stubpath = "C:\\Windows\\{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe"	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F9847B4-BC43-4037-907B-801AC38693D3}\stubpath = "C:\\Windows\\{4F9847B4-BC43-4037-907B-801AC38693D3}.exe"	{421FBC1F-EDB5-443c-A188-EE44C635F847}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30E4F62A-0675-4264-B950-945C98EC020E}\stubpath = "C:\\Windows\\{30E4F62A-0675-4264-B950-945C98EC020E}.exe"	{4F9847B4-BC43-4037-907B-801AC38693D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11AE05B6-2BE5-47ab-95E0-52717B675D38}	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11AE05B6-2BE5-47ab-95E0-52717B675D38}\stubpath = "C:\\Windows\\{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe"	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F9847B4-BC43-4037-907B-801AC38693D3}	{421FBC1F-EDB5-443c-A188-EE44C635F847}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}\stubpath = "C:\\Windows\\{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe"	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{421FBC1F-EDB5-443c-A188-EE44C635F847}	{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6052A84-8B05-4f04-9E16-B5BB966B9D45}\stubpath = "C:\\Windows\\{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe"	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}\stubpath = "C:\\Windows\\{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe"	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1C4FD0E-E1FE-455d-95DC-855052738201}	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1C4FD0E-E1FE-455d-95DC-855052738201}\stubpath = "C:\\Windows\\{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe"	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}\stubpath = "C:\\Windows\\{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe"	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{421FBC1F-EDB5-443c-A188-EE44C635F847}\stubpath = "C:\\Windows\\{421FBC1F-EDB5-443c-A188-EE44C635F847}.exe"	{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2612 cmd.exe

pid	process
2612	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe{421FBC1F-EDB5-443c-A188-EE44C635F847}.exe{4F9847B4-BC43-4037-907B-801AC38693D3}.exe{30E4F62A-0675-4264-B950-945C98EC020E}.exe

pid	process
3032	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe
2716	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe
2960	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe
1520	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe
1356	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe
2132	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe
2664	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe
1084	{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe
1904	{421FBC1F-EDB5-443c-A188-EE44C635F847}.exe
2316	{4F9847B4-BC43-4037-907B-801AC38693D3}.exe
2080	{30E4F62A-0675-4264-B950-945C98EC020E}.exe

Drops file in Windows directory 11 IoCs

Processes:

{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe{421FBC1F-EDB5-443c-A188-EE44C635F847}.exe2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe{4F9847B4-BC43-4037-907B-801AC38693D3}.exe{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe

description	ioc	process
File created	C:\Windows\{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe
File created	C:\Windows\{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe
File created	C:\Windows\{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe
File created	C:\Windows\{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe
File created	C:\Windows\{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe
File created	C:\Windows\{421FBC1F-EDB5-443c-A188-EE44C635F847}.exe	{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe
File created	C:\Windows\{4F9847B4-BC43-4037-907B-801AC38693D3}.exe	{421FBC1F-EDB5-443c-A188-EE44C635F847}.exe
File created	C:\Windows\{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
File created	C:\Windows\{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe
File created	C:\Windows\{30E4F62A-0675-4264-B950-945C98EC020E}.exe	{4F9847B4-BC43-4037-907B-801AC38693D3}.exe
File created	C:\Windows\{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe{421FBC1F-EDB5-443c-A188-EE44C635F847}.exe{4F9847B4-BC43-4037-907B-801AC38693D3}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2104	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3032	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe
Token: SeIncBasePriorityPrivilege	2716	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe
Token: SeIncBasePriorityPrivilege	2960	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe
Token: SeIncBasePriorityPrivilege	1520	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe
Token: SeIncBasePriorityPrivilege	1356	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe
Token: SeIncBasePriorityPrivilege	2132	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe
Token: SeIncBasePriorityPrivilege	2664	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe
Token: SeIncBasePriorityPrivilege	1084	{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe
Token: SeIncBasePriorityPrivilege	1904	{421FBC1F-EDB5-443c-A188-EE44C635F847}.exe
Token: SeIncBasePriorityPrivilege	2316	{4F9847B4-BC43-4037-907B-801AC38693D3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2104 wrote to memory of 3032	2104	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe
PID 2104 wrote to memory of 3032	2104	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe
PID 2104 wrote to memory of 3032	2104	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe
PID 2104 wrote to memory of 3032	2104	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe
PID 2104 wrote to memory of 2612	2104	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe	cmd.exe
PID 2104 wrote to memory of 2612	2104	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe	cmd.exe
PID 2104 wrote to memory of 2612	2104	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe	cmd.exe
PID 2104 wrote to memory of 2612	2104	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe	cmd.exe
PID 3032 wrote to memory of 2716	3032	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe
PID 3032 wrote to memory of 2716	3032	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe
PID 3032 wrote to memory of 2716	3032	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe
PID 3032 wrote to memory of 2716	3032	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe
PID 3032 wrote to memory of 2608	3032	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe	cmd.exe
PID 3032 wrote to memory of 2608	3032	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe	cmd.exe
PID 3032 wrote to memory of 2608	3032	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe	cmd.exe
PID 3032 wrote to memory of 2608	3032	{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe	cmd.exe
PID 2716 wrote to memory of 2960	2716	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe
PID 2716 wrote to memory of 2960	2716	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe
PID 2716 wrote to memory of 2960	2716	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe
PID 2716 wrote to memory of 2960	2716	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe
PID 2716 wrote to memory of 2176	2716	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe	cmd.exe
PID 2716 wrote to memory of 2176	2716	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe	cmd.exe
PID 2716 wrote to memory of 2176	2716	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe	cmd.exe
PID 2716 wrote to memory of 2176	2716	{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe	cmd.exe
PID 2960 wrote to memory of 1520	2960	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe
PID 2960 wrote to memory of 1520	2960	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe
PID 2960 wrote to memory of 1520	2960	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe
PID 2960 wrote to memory of 1520	2960	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe
PID 2960 wrote to memory of 568	2960	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe	cmd.exe
PID 2960 wrote to memory of 568	2960	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe	cmd.exe
PID 2960 wrote to memory of 568	2960	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe	cmd.exe
PID 2960 wrote to memory of 568	2960	{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe	cmd.exe
PID 1520 wrote to memory of 1356	1520	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe
PID 1520 wrote to memory of 1356	1520	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe
PID 1520 wrote to memory of 1356	1520	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe
PID 1520 wrote to memory of 1356	1520	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe
PID 1520 wrote to memory of 2836	1520	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe	cmd.exe
PID 1520 wrote to memory of 2836	1520	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe	cmd.exe
PID 1520 wrote to memory of 2836	1520	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe	cmd.exe
PID 1520 wrote to memory of 2836	1520	{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe	cmd.exe
PID 1356 wrote to memory of 2132	1356	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe
PID 1356 wrote to memory of 2132	1356	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe
PID 1356 wrote to memory of 2132	1356	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe
PID 1356 wrote to memory of 2132	1356	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe
PID 1356 wrote to memory of 1972	1356	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe	cmd.exe
PID 1356 wrote to memory of 1972	1356	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe	cmd.exe
PID 1356 wrote to memory of 1972	1356	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe	cmd.exe
PID 1356 wrote to memory of 1972	1356	{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe	cmd.exe
PID 2132 wrote to memory of 2664	2132	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe
PID 2132 wrote to memory of 2664	2132	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe
PID 2132 wrote to memory of 2664	2132	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe
PID 2132 wrote to memory of 2664	2132	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe
PID 2132 wrote to memory of 2764	2132	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe	cmd.exe
PID 2132 wrote to memory of 2764	2132	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe	cmd.exe
PID 2132 wrote to memory of 2764	2132	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe	cmd.exe
PID 2132 wrote to memory of 2764	2132	{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe	cmd.exe
PID 2664 wrote to memory of 1084	2664	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe	{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe
PID 2664 wrote to memory of 1084	2664	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe	{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe
PID 2664 wrote to memory of 1084	2664	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe	{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe
PID 2664 wrote to memory of 1084	2664	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe	{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe
PID 2664 wrote to memory of 2760	2664	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe	cmd.exe
PID 2664 wrote to memory of 2760	2664	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe	cmd.exe
PID 2664 wrote to memory of 2760	2664	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe	cmd.exe
PID 2664 wrote to memory of 2760	2664	{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe
C:\Windows\{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe
C:\Windows\{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe
C:\Windows\{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe
C:\Windows\{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe
C:\Windows\{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe
C:\Windows\{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe
C:\Windows\{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe
C:\Windows\{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\{421FBC1F-EDB5-443c-A188-EE44C635F847}.exe
C:\Windows\{421FBC1F-EDB5-443c-A188-EE44C635F847}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\{4F9847B4-BC43-4037-907B-801AC38693D3}.exe
C:\Windows\{4F9847B4-BC43-4037-907B-801AC38693D3}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\{30E4F62A-0675-4264-B950-945C98EC020E}.exe
C:\Windows\{30E4F62A-0675-4264-B950-945C98EC020E}.exe
12⤵
- Executes dropped EXE
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4F984~1.EXE > nul
12⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{421FB~1.EXE > nul
11⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4C149~1.EXE > nul
10⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{11AE0~1.EXE > nul
9⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F683A~1.EXE > nul
8⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4E765~1.EXE > nul
7⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{47BDF~1.EXE > nul
6⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B1C4F~1.EXE > nul
5⤵
PID:568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A1812~1.EXE > nul
4⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B6052~1.EXE > nul
3⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11AE05B6-2BE5-47ab-95E0-52717B675D38}.exe

Filesize
168KB

MD5
db16272fbb86d52bd496a84e1eaf83ad

SHA1
eae5927b71de78b939734559c6890a47fc6434e0

SHA256
55ea48be6d9c45921fb50e5d0cd77b1c3c5cdaca06a92a0f0d301e7fc2b90d7e

SHA512
ad7244778605d2fe896e100c8d5faa795ed5174ae5e5dbe6aab04183f0700e1b2992c9ad8571ff539d8ac48070673ec974defab6109122fc184efb59f0abf775

Download Submit
C:\Windows\{30E4F62A-0675-4264-B950-945C98EC020E}.exe

Filesize
168KB

MD5
0d9905e874375729dc4040b6b6c351b3

SHA1
26a06b0488fb417b67c7bc1341c0a20983a31621

SHA256
6f91d4f30a4262ffdc660a558315917f6a2a7da4bf2e08b1822f59527dd5b14a

SHA512
4a594f3a1efd697e0778fbc9eaa02fc7a59442ada53867b818e8d3c96aad36fc98a91fd461ccc390f09bdc8c8ffd91ae3b6c10bc08a5696d3137ca3d2d019a0b

Download Submit
C:\Windows\{421FBC1F-EDB5-443c-A188-EE44C635F847}.exe

Filesize
168KB

MD5
78963c6a310b1a09654844991ce4575a

SHA1
b485bf8c17caf740bf332e4ff3c7f2f2e5dc3e07

SHA256
577a8d20f8ed5f0fbee45a466a7e790c2586658b76e76fc289462751db4a14eb

SHA512
816354f029c5468efdaaf437d73171c7cf17350f1319a604c2df93c2d4c6fcfdc72e257323b5533fcc5ed8ada06707e837cdbcc8c54373f605a478498b02b891

Download Submit
C:\Windows\{47BDFE32-7C4E-4980-83A2-05CE05E8AD8B}.exe

Filesize
168KB

MD5
5964ea80ce6a9571705e4a86eb18c09c

SHA1
99279bedeb553877f849725bdeac1aa229badc49

SHA256
ae34f64004418a68a21b8c9270cc6b571b020de8ce65d325f494c5b899417d87

SHA512
0aa14dea3a16060db2607dd6474875d29735262db9c6d33d0a3a6fd2799946621150b4a8a3bbdfcc1426f7dd6302b6b15f9ef7eed8266eb41bec051349bab429

Download Submit
C:\Windows\{4C149CAF-58C2-4d67-AC5C-89F46D5723DD}.exe

Filesize
168KB

MD5
0990c1403d9d23e6db42cd8d7cb7788c

SHA1
ce57717773bf360ee7341a153fcc2cf36f9e2210

SHA256
07806bc953a5c4b8372639767cfec2ff130f0cb260708c8a8cb7aa96a4d2da45

SHA512
30871cfd543e2dd94db5b909a78760de60831e31b72d59f75de3ded4f75dc8d5acf31934672bffdb907ff68f73e85e33b53d565697d1fa5c8b3b2e62fb467930

Download Submit
C:\Windows\{4E765B3C-7FCB-4b02-8362-1277E45BAAEA}.exe

Filesize
168KB

MD5
e243fdb59d62ef7d193a7002b5b47b02

SHA1
6dc8e59be203df1fab68d7f118e0a64b72d4b10b

SHA256
31fc4c767fc711219612c978e8b09702e5d0123d02897cebdbb8ce262e4cd6cd

SHA512
7c9b6a317c48586f4db4e45f0ea10be47f78b2f28c29f2099e88c6e9488e1016056ed27083a7e268cf8e435910932ebf94743b0d8b5f80f906e98bc899f56247

Download Submit
C:\Windows\{4F9847B4-BC43-4037-907B-801AC38693D3}.exe

Filesize
168KB

MD5
15f58e64b0a1fc2f479ca74b55b4aa19

SHA1
6d4265aeaac04c9c4daccbf094c9a4c03632178f

SHA256
668c939ced654ce60c16697b26e05093383305b42fa956afcac69e969d1e745c

SHA512
a7193d9a49647a455e4e4062a096f58d4c320c05e67fb035009524d5399e0717618d2a6a191d2d29ded388b40a61fc7f59e814395c49e83fe2085543a528b096

Download Submit
C:\Windows\{A1812ED7-2F28-4cdf-989A-D544FC8E5C4F}.exe

Filesize
168KB

MD5
32e98cc749ede9297681a3c3b29a9545

SHA1
569a07639df836fd475429c2b3c734d113c4f186

SHA256
faf792dc5c4e3f075074a2fc239de3fcd11b78f5000505967de6d88006c426ec

SHA512
89d4fd9737d4c33712aa97d37fab6a779e0067748e534fffeb1b27846d7e96a729bd6b73c3e23a09d63d4249191ccac6632444dd7c8e10f822b578846d78725b

Download Submit
C:\Windows\{B1C4FD0E-E1FE-455d-95DC-855052738201}.exe

Filesize
168KB

MD5
3ca1676667ef849026376ed3a4140a4d

SHA1
6ef3b38c6285ff8216ebc61723b764084136490f

SHA256
94ccc4627f60fa5425135ed58a8a8e2bfa5e7e072eab521eaa830cd2b50933bd

SHA512
82af282c2ba93f2678ed5784fb97ea0ba221c74272caffbb8eb0a6df1612e03b481809725224c6585b55bb13d2f6246609f0caa23edce37a695cf3f9e1213139

Download Submit
C:\Windows\{B6052A84-8B05-4f04-9E16-B5BB966B9D45}.exe

Filesize
168KB

MD5
6795054f36fe7fe037909053aad251a1

SHA1
723a62f11bf5e319184de8e3e8c6cddeb8b49335

SHA256
41bfcff430be33c3716e08d0ed4118a63e7a5544bd312ed480c9cb152eeec412

SHA512
9432ba9ad78f9a4184ea3a3f4aabfbbb36d0ea07190b2ccc7e05340e5af6df0aab0fa81669e8b5a0000458cbd71d870347d3153092a6dd1892e76917e917c498

Download Submit
C:\Windows\{F683A9CA-B8A5-413f-BB99-A695C4C59BFE}.exe

Filesize
168KB

MD5
72dbd8fc624244fc2f90450e93bfb939

SHA1
d16f38dccfe3f1afcddb60c9ba1d717e146cf92c

SHA256
c15a4583ae0b141d52f15ab485cf3283d3a72b985cac6fdfd4ae9c62a8af113b

SHA512
881c536cc40aebe12b018d2481cc1e2e2ce448aa0c7ed31ad5228416891ab2d974dfb37fe2a511dbc1fdac3b1bb4908810cb5caac15a9fa788feb5b0b1480914

Download Submit