0aaa3248f1accdc3ddb86274b9306c420fc143fb01583ea6e6f8499302260cc7

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe
Size

216KB
MD5

6ea662178e68cbc0d41cad8835251e7e
SHA1

b759874a2bf2bfba2a06901880a4b439aa610876
SHA256

0aaa3248f1accdc3ddb86274b9306c420fc143fb01583ea6e6f8499302260cc7
SHA512

33410822191a5c96382bc9a9ef1e79f9815d0c9cdb1afb9b3751ebe8f9c2ce10abc331b9e0b232eae21771f142f09e441dc1e09a026d3b3b0284d4087ce9e21c
SSDEEP

3072:jEGh0oVl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG3lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{266988D9-8169-4e93-9923-062259DC12EF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{95424C85-3C5E-43b7-86EE-28683B498783}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe{266988D9-8169-4e93-9923-062259DC12EF}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB3AD5C6-EC90-4781-83AD-462FDC721531}\stubpath = "C:\\Windows\\{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe"	2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{523B092D-F6F8-45c6-B580-A081A3BC165C}\stubpath = "C:\\Windows\\{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe"	{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}\stubpath = "C:\\Windows\\{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe"	{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{266988D9-8169-4e93-9923-062259DC12EF}	{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3708E3C4-1D8F-4d89-B486-437B6D642158}\stubpath = "C:\\Windows\\{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe"	{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95424C85-3C5E-43b7-86EE-28683B498783}\stubpath = "C:\\Windows\\{95424C85-3C5E-43b7-86EE-28683B498783}.exe"	{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB3AD5C6-EC90-4781-83AD-462FDC721531}	2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A427F14-D02A-4983-A1C5-B5367D110E5C}	{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}	{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}	{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{818B71DC-5807-43a3-B7F2-E8EEB36187CF}	{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{266988D9-8169-4e93-9923-062259DC12EF}\stubpath = "C:\\Windows\\{266988D9-8169-4e93-9923-062259DC12EF}.exe"	{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBB776F4-6ECC-4658-8E34-964A8765125F}	{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBB776F4-6ECC-4658-8E34-964A8765125F}\stubpath = "C:\\Windows\\{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe"	{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}\stubpath = "C:\\Windows\\{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe"	{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{818B71DC-5807-43a3-B7F2-E8EEB36187CF}\stubpath = "C:\\Windows\\{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe"	{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3708E3C4-1D8F-4d89-B486-437B6D642158}	{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95424C85-3C5E-43b7-86EE-28683B498783}	{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{523B092D-F6F8-45c6-B580-A081A3BC165C}	{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}	{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}\stubpath = "C:\\Windows\\{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe"	{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A427F14-D02A-4983-A1C5-B5367D110E5C}\stubpath = "C:\\Windows\\{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe"	{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01E60386-5CBB-4074-8D8B-CF83ECC4D006}	{266988D9-8169-4e93-9923-062259DC12EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01E60386-5CBB-4074-8D8B-CF83ECC4D006}\stubpath = "C:\\Windows\\{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe"	{266988D9-8169-4e93-9923-062259DC12EF}.exe

Executes dropped EXE 12 IoCs

Processes:

{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe{266988D9-8169-4e93-9923-062259DC12EF}.exe{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe{95424C85-3C5E-43b7-86EE-28683B498783}.exe

pid	process
1388	{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe
2508	{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe
4472	{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe
3568	{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe
2336	{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe
2208	{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe
3096	{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe
3184	{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe
4652	{266988D9-8169-4e93-9923-062259DC12EF}.exe
4128	{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe
3300	{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe
1108	{95424C85-3C5E-43b7-86EE-28683B498783}.exe

Drops file in Windows directory 12 IoCs

Processes:

{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe{266988D9-8169-4e93-9923-062259DC12EF}.exe{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe

description	ioc	process
File created	C:\Windows\{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe	{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe
File created	C:\Windows\{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe	{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe
File created	C:\Windows\{266988D9-8169-4e93-9923-062259DC12EF}.exe	{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe
File created	C:\Windows\{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe	{266988D9-8169-4e93-9923-062259DC12EF}.exe
File created	C:\Windows\{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe	{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe
File created	C:\Windows\{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe	2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe
File created	C:\Windows\{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe	{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe
File created	C:\Windows\{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe	{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe
File created	C:\Windows\{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe	{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe
File created	C:\Windows\{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe	{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe
File created	C:\Windows\{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe	{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe
File created	C:\Windows\{95424C85-3C5E-43b7-86EE-28683B498783}.exe	{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe{266988D9-8169-4e93-9923-062259DC12EF}.exe{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	5072	2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1388	{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe
Token: SeIncBasePriorityPrivilege	2508	{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe
Token: SeIncBasePriorityPrivilege	4472	{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe
Token: SeIncBasePriorityPrivilege	3568	{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe
Token: SeIncBasePriorityPrivilege	2336	{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe
Token: SeIncBasePriorityPrivilege	2208	{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe
Token: SeIncBasePriorityPrivilege	3096	{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe
Token: SeIncBasePriorityPrivilege	3184	{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe
Token: SeIncBasePriorityPrivilege	4652	{266988D9-8169-4e93-9923-062259DC12EF}.exe
Token: SeIncBasePriorityPrivilege	4128	{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe
Token: SeIncBasePriorityPrivilege	3300	{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 5072 wrote to memory of 1388	5072	2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe	{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe
PID 5072 wrote to memory of 1388	5072	2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe	{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe
PID 5072 wrote to memory of 1388	5072	2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe	{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe
PID 5072 wrote to memory of 3192	5072	2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe	cmd.exe
PID 5072 wrote to memory of 3192	5072	2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe	cmd.exe
PID 5072 wrote to memory of 3192	5072	2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe	cmd.exe
PID 1388 wrote to memory of 2508	1388	{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe	{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe
PID 1388 wrote to memory of 2508	1388	{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe	{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe
PID 1388 wrote to memory of 2508	1388	{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe	{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe
PID 1388 wrote to memory of 3744	1388	{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe	cmd.exe
PID 1388 wrote to memory of 3744	1388	{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe	cmd.exe
PID 1388 wrote to memory of 3744	1388	{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe	cmd.exe
PID 2508 wrote to memory of 4472	2508	{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe	{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe
PID 2508 wrote to memory of 4472	2508	{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe	{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe
PID 2508 wrote to memory of 4472	2508	{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe	{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe
PID 2508 wrote to memory of 448	2508	{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe	cmd.exe
PID 2508 wrote to memory of 448	2508	{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe	cmd.exe
PID 2508 wrote to memory of 448	2508	{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe	cmd.exe
PID 4472 wrote to memory of 3568	4472	{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe	{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe
PID 4472 wrote to memory of 3568	4472	{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe	{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe
PID 4472 wrote to memory of 3568	4472	{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe	{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe
PID 4472 wrote to memory of 816	4472	{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe	cmd.exe
PID 4472 wrote to memory of 816	4472	{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe	cmd.exe
PID 4472 wrote to memory of 816	4472	{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe	cmd.exe
PID 3568 wrote to memory of 2336	3568	{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe	{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe
PID 3568 wrote to memory of 2336	3568	{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe	{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe
PID 3568 wrote to memory of 2336	3568	{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe	{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe
PID 3568 wrote to memory of 740	3568	{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe	cmd.exe
PID 3568 wrote to memory of 740	3568	{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe	cmd.exe
PID 3568 wrote to memory of 740	3568	{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe	cmd.exe
PID 2336 wrote to memory of 2208	2336	{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe	{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe
PID 2336 wrote to memory of 2208	2336	{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe	{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe
PID 2336 wrote to memory of 2208	2336	{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe	{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe
PID 2336 wrote to memory of 4272	2336	{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe	cmd.exe
PID 2336 wrote to memory of 4272	2336	{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe	cmd.exe
PID 2336 wrote to memory of 4272	2336	{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe	cmd.exe
PID 2208 wrote to memory of 3096	2208	{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe	{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe
PID 2208 wrote to memory of 3096	2208	{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe	{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe
PID 2208 wrote to memory of 3096	2208	{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe	{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe
PID 2208 wrote to memory of 2636	2208	{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe	cmd.exe
PID 2208 wrote to memory of 2636	2208	{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe	cmd.exe
PID 2208 wrote to memory of 2636	2208	{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe	cmd.exe
PID 3096 wrote to memory of 3184	3096	{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe	{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe
PID 3096 wrote to memory of 3184	3096	{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe	{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe
PID 3096 wrote to memory of 3184	3096	{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe	{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe
PID 3096 wrote to memory of 2404	3096	{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe	cmd.exe
PID 3096 wrote to memory of 2404	3096	{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe	cmd.exe
PID 3096 wrote to memory of 2404	3096	{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe	cmd.exe
PID 3184 wrote to memory of 4652	3184	{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe	{266988D9-8169-4e93-9923-062259DC12EF}.exe
PID 3184 wrote to memory of 4652	3184	{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe	{266988D9-8169-4e93-9923-062259DC12EF}.exe
PID 3184 wrote to memory of 4652	3184	{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe	{266988D9-8169-4e93-9923-062259DC12EF}.exe
PID 3184 wrote to memory of 2664	3184	{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe	cmd.exe
PID 3184 wrote to memory of 2664	3184	{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe	cmd.exe
PID 3184 wrote to memory of 2664	3184	{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe	cmd.exe
PID 4652 wrote to memory of 4128	4652	{266988D9-8169-4e93-9923-062259DC12EF}.exe	{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe
PID 4652 wrote to memory of 4128	4652	{266988D9-8169-4e93-9923-062259DC12EF}.exe	{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe
PID 4652 wrote to memory of 4128	4652	{266988D9-8169-4e93-9923-062259DC12EF}.exe	{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe
PID 4652 wrote to memory of 376	4652	{266988D9-8169-4e93-9923-062259DC12EF}.exe	cmd.exe
PID 4652 wrote to memory of 376	4652	{266988D9-8169-4e93-9923-062259DC12EF}.exe	cmd.exe
PID 4652 wrote to memory of 376	4652	{266988D9-8169-4e93-9923-062259DC12EF}.exe	cmd.exe
PID 4128 wrote to memory of 3300	4128	{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe	{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe
PID 4128 wrote to memory of 3300	4128	{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe	{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe
PID 4128 wrote to memory of 3300	4128	{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe	{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe
PID 4128 wrote to memory of 2124	4128	{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-03_6ea662178e68cbc0d41cad8835251e7e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe
C:\Windows\{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe
C:\Windows\{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe
C:\Windows\{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe
C:\Windows\{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe
C:\Windows\{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe
C:\Windows\{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe
C:\Windows\{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe
C:\Windows\{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\{266988D9-8169-4e93-9923-062259DC12EF}.exe
C:\Windows\{266988D9-8169-4e93-9923-062259DC12EF}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe
C:\Windows\{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe
C:\Windows\{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\{95424C85-3C5E-43b7-86EE-28683B498783}.exe
C:\Windows\{95424C85-3C5E-43b7-86EE-28683B498783}.exe
13⤵
- Executes dropped EXE
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3708E~1.EXE > nul
13⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{01E60~1.EXE > nul
12⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{26698~1.EXE > nul
11⤵
PID:376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{818B7~1.EXE > nul
10⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5EE6A~1.EXE > nul
9⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B5C83~1.EXE > nul
8⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EBB77~1.EXE > nul
7⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8A427~1.EXE > nul
6⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{64A3E~1.EXE > nul
5⤵
PID:816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{523B0~1.EXE > nul
4⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BB3AD~1.EXE > nul
3⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01E60386-5CBB-4074-8D8B-CF83ECC4D006}.exe
Filesize
216KB

MD5
a49de3b465c17ab8f174431427c8116e

SHA1
67fe3d24839a34d09226e057fc19b784d3e58e10

SHA256
99ee0eb612ff05129352e428e3037648704a701f1fe6ccad52ddf1092520fae4

SHA512
6da5d165e0d8506413679c307904f77e84e6aa97e57be9342bae7eed234b1c010a09bb38f9c58ad7321c136c6c0679c9dbdc77b7ce9dc43a63a2ad141770cced

Download Submit
C:\Windows\{266988D9-8169-4e93-9923-062259DC12EF}.exe
Filesize
216KB

MD5
ff118f8210388df5fc5e9bdde7f7e1c1

SHA1
8e3f1c7ec78102ac311a785ce43f585b051ae020

SHA256
e941a515e11ede811b26cf3f4142b6c74b0ba04e5f8f3c9487421b92764ab125

SHA512
9162067214b6bb1ddf7d12539254e923c44ab9e181ee0ee08ce65d99d9ddd6314f331bedf99c6fba81b17f352e44c548169b9931ba392b5f189a619478b11438

Download Submit
C:\Windows\{3708E3C4-1D8F-4d89-B486-437B6D642158}.exe
Filesize
216KB

MD5
edeb827652dc5f2c3571cf333fe33e28

SHA1
f95160e30e7adf5ca0d98ce82f8a27a7549a8288

SHA256
709ab31405f5cd916ae9e6fe04db1ca2e7d7495e515e0f1b9c87a58da633f271

SHA512
8f0bd5e51def6684741618bcc3c6f0f4720a6f36cbc7e0670a8301909839769ddad604de2b96b10fbcb39d14e4021a4079a9dfe65d9f8911a92e33d1e0da6962

Download Submit
C:\Windows\{523B092D-F6F8-45c6-B580-A081A3BC165C}.exe
Filesize
216KB

MD5
b0d2c7c24e6faf50c3dad0723defd93a

SHA1
0e3580e4af8600daca23165b5a0565e3165100d4

SHA256
19f2b8cae03d777ad2c390be0ec52b0aba4fc32dfeb152508cafca6fd84dad17

SHA512
16cee8d2992becb8e346dae62245808d7f8b31ebf7082549c69a57a82838f180f0f287f5b793d0d426d80922261510c25f7e6cfc00f830a038a8ec468291eb43

Download Submit
C:\Windows\{5EE6A7BB-EBB4-4f19-8611-919512AA9E07}.exe
Filesize
216KB

MD5
0056585ef23e6486c7ef88e0a14de656

SHA1
f6db00c753b4906895f122fc12b27d59ecb8f3eb

SHA256
e38d01e51b1ad3eca568f73558442d7715a114e9d62aaae17778ef1690d70c04

SHA512
f46055e51b951b4effb06406578197640f5e5b9634f37625fb86d23153c318a19d574f95fb43c5cddbc7894274eb0cb55e5f28f226b37a1175d5459502808e4d

Download Submit
C:\Windows\{64A3EB9A-91E2-440f-9814-80F7B6DFA3A1}.exe
Filesize
216KB

MD5
54009691a5fe5493a93de5158b1ac00d

SHA1
d00d73b56fc16eabf7002a2a09e2eb9556847506

SHA256
5d913feee3b5606c5a28ffce7e7268b63bad03a6e5a17813cb6e5ccb97888215

SHA512
41fff6c8b08e54657df9cb8dca819b2017a867ae3625fc8a7eaea6ad7a341c486e6660b7f329892a50f931c19e0cdd897e3fcc9b33b1f650da2e04e6e237fa82

Download Submit
C:\Windows\{818B71DC-5807-43a3-B7F2-E8EEB36187CF}.exe
Filesize
216KB

MD5
9a6444c8f54e74f9afa345ede4fa2fcd

SHA1
bbb205629ea768ec0d00b4f0fc716098d3c92252

SHA256
d9d3865fc797bd094731763ac0a52ef9f09138d10c8c48d3077765ee32442c4a

SHA512
75e010b84470cb714f7a0de6a296e2ac33914a4f4a82f776084df35808e8aa130a67b20ccf7e7efa93964dad336ca25f98e97fda6af5efbd3047d374d6a14f20

Download Submit
C:\Windows\{8A427F14-D02A-4983-A1C5-B5367D110E5C}.exe
Filesize
216KB

MD5
0bcd052750cb78920245094725ccda6d

SHA1
7e49ac482dcef6f7c881c540520a7a941ff7711f

SHA256
4b575ccb8ae21ff4a86b3b97db1abfe0e594f5368adec6488a419a67da85bd15

SHA512
599eba29414c5a3b571e6dabab667f15b969b9e7ede1328cce3ca859bbde60959bbaa036d88fa631ba8265769788b3c019e0d637843799d89f68d137def197e6

Download Submit
C:\Windows\{95424C85-3C5E-43b7-86EE-28683B498783}.exe
Filesize
216KB

MD5
4cb7ec6e18eb95c665ab4261fbf02af2

SHA1
e1ca44879a1cb65161f6d8dc5b21c75a23aaade3

SHA256
47461efe75222a6f7f7cef0468ff9ba2c717ee183b6d0846e74861183553e3b0

SHA512
e1ec2dc8307a4d8d06cf19cfbe56d534daefacdeef2560035cec495a680b551102a431dec1d53aa09f7d88523c8ce668732a0a93b0beb8787316263f490d6e9b

Download Submit
C:\Windows\{B5C833FB-D2C6-4c32-9A03-0B4B5EC34B82}.exe
Filesize
216KB

MD5
07c25bc9ff755e224e2628e478f9f6ef

SHA1
ea14dc1bcdb42777fe47c4925079ce88a55d4dba

SHA256
6d582f3a8c5a359f46d494eb6b44d50ecd2ade34c1da648f297b6231dd5b66eb

SHA512
ee6ce59f541c6f364b1262de116b18e5347ff2e06f3ab727e0425e870cdf46b678ddd21ee6a665cf5235c127bfad80d6d0bb36c814ea19c7ec630d0b9e2b689a

Download Submit
C:\Windows\{BB3AD5C6-EC90-4781-83AD-462FDC721531}.exe
Filesize
216KB

MD5
7994028ae2172cb487b2d1c5e096730a

SHA1
6b9359ba16821d104486e1a146d799619d1df5b9

SHA256
fbefdf9f58777252b40d6aca78b8b3d6b4c5b864e0f17391f1e6ac7bc7853612

SHA512
e9ad93800d6a9fa73edb6efe954a7f7b1b49f54c933268f1aea5e8ca6994164e0c932e359485cdbe0f4c92f7fc9d1805961efb3a7090fe5f9ca76919ed96eb72

Download Submit
C:\Windows\{EBB776F4-6ECC-4658-8E34-964A8765125F}.exe
Filesize
216KB

MD5
68296513568d73025c2630af10987a20

SHA1
3ee667eca6e4ba96a73ae9f8f6e7c5d4edcb70c6

SHA256
f916930b40e6a94f6086c824b6f9a52d98dc2df8203ae1d2ca43627be37eaf01

SHA512
0839ead908687dc648adf3f5c5f35ecabc1be087551b34b880ca32d37523d36a3ea5986d9775b252a5afdf405b56fb97477d8fada4922890d49be66f6d733813

Download Submit