ce6bab3ba47a7b6f5b33ea349c8decdd50ed76465b7234ca0f8276762f6acc2e

Analysis

max time kernel
149s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe
Size

408KB
MD5

01f6ebaff4bf8f0ef17677f45e31501f
SHA1

3662ede85a29195cf1876a8641fda9400906bf3e
SHA256

ce6bab3ba47a7b6f5b33ea349c8decdd50ed76465b7234ca0f8276762f6acc2e
SHA512

0ef8aed1094cddff916ff566d9ec8efaec426e305afdf235a5cb071d81227af0e72d16b21bb37eb873da679f944228d5899710429bb9d6279068e4391b534514
SSDEEP

3072:CEGh0oYl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGSldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{03C62655-1914-4ad0-A063-771C394CF525}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{91C5C928-8039-40a7-A8AA-5C384FF76052}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe{03C62655-1914-4ad0-A063-771C394CF525}.exe{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}	{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}\stubpath = "C:\\Windows\\{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe"	{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92CE31B3-B901-4e8c-8FFC-7EB952D79782}	{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03C62655-1914-4ad0-A063-771C394CF525}	{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03C62655-1914-4ad0-A063-771C394CF525}\stubpath = "C:\\Windows\\{03C62655-1914-4ad0-A063-771C394CF525}.exe"	{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}\stubpath = "C:\\Windows\\{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe"	{03C62655-1914-4ad0-A063-771C394CF525}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA1905ED-6217-4e19-919B-0AA0FF267E33}	{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91C5C928-8039-40a7-A8AA-5C384FF76052}	{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EFA002C-38EE-43d1-8141-86D873C4FA1B}\stubpath = "C:\\Windows\\{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe"	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDDCEB41-164E-4867-A52F-CC7D7F08C261}	{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92CE31B3-B901-4e8c-8FFC-7EB952D79782}\stubpath = "C:\\Windows\\{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe"	{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{614BCA3E-230B-4ba2-A233-9A0384A7952E}\stubpath = "C:\\Windows\\{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe"	{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA1905ED-6217-4e19-919B-0AA0FF267E33}\stubpath = "C:\\Windows\\{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe"	{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EFA002C-38EE-43d1-8141-86D873C4FA1B}	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F664E010-F02F-4a7f-AEA6-22E0A216D21B}	{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F664E010-F02F-4a7f-AEA6-22E0A216D21B}\stubpath = "C:\\Windows\\{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe"	{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{614BCA3E-230B-4ba2-A233-9A0384A7952E}	{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}	{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}\stubpath = "C:\\Windows\\{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe"	{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91C5C928-8039-40a7-A8AA-5C384FF76052}\stubpath = "C:\\Windows\\{91C5C928-8039-40a7-A8AA-5C384FF76052}.exe"	{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDDCEB41-164E-4867-A52F-CC7D7F08C261}\stubpath = "C:\\Windows\\{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe"	{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}	{03C62655-1914-4ad0-A063-771C394CF525}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}	{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}\stubpath = "C:\\Windows\\{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe"	{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe

Executes dropped EXE 12 IoCs

Processes:

{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe{03C62655-1914-4ad0-A063-771C394CF525}.exe{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe{91C5C928-8039-40a7-A8AA-5C384FF76052}.exe

pid	process
4812	{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe
3200	{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe
3172	{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe
1952	{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe
2752	{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe
4684	{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe
2648	{03C62655-1914-4ad0-A063-771C394CF525}.exe
4448	{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe
3452	{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe
1652	{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe
3768	{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe
3056	{91C5C928-8039-40a7-A8AA-5C384FF76052}.exe

Drops file in Windows directory 12 IoCs

Processes:

{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe{03C62655-1914-4ad0-A063-771C394CF525}.exe{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe

description	ioc	process
File created	C:\Windows\{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe	{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe
File created	C:\Windows\{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe	{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe
File created	C:\Windows\{91C5C928-8039-40a7-A8AA-5C384FF76052}.exe	{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe
File created	C:\Windows\{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe	{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe
File created	C:\Windows\{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe	{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe
File created	C:\Windows\{03C62655-1914-4ad0-A063-771C394CF525}.exe	{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe
File created	C:\Windows\{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe	{03C62655-1914-4ad0-A063-771C394CF525}.exe
File created	C:\Windows\{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe	{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe
File created	C:\Windows\{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe
File created	C:\Windows\{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe	{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe
File created	C:\Windows\{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe	{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe
File created	C:\Windows\{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe	{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe{03C62655-1914-4ad0-A063-771C394CF525}.exe{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2632	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4812	{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe
Token: SeIncBasePriorityPrivilege	3200	{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe
Token: SeIncBasePriorityPrivilege	3172	{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe
Token: SeIncBasePriorityPrivilege	1952	{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe
Token: SeIncBasePriorityPrivilege	2752	{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe
Token: SeIncBasePriorityPrivilege	4684	{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe
Token: SeIncBasePriorityPrivilege	2648	{03C62655-1914-4ad0-A063-771C394CF525}.exe
Token: SeIncBasePriorityPrivilege	4448	{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe
Token: SeIncBasePriorityPrivilege	3452	{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe
Token: SeIncBasePriorityPrivilege	1652	{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe
Token: SeIncBasePriorityPrivilege	3768	{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2632 wrote to memory of 4812	2632	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe	{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe
PID 2632 wrote to memory of 4812	2632	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe	{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe
PID 2632 wrote to memory of 4812	2632	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe	{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe
PID 2632 wrote to memory of 3580	2632	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe	cmd.exe
PID 2632 wrote to memory of 3580	2632	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe	cmd.exe
PID 2632 wrote to memory of 3580	2632	2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe	cmd.exe
PID 4812 wrote to memory of 3200	4812	{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe	{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe
PID 4812 wrote to memory of 3200	4812	{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe	{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe
PID 4812 wrote to memory of 3200	4812	{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe	{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe
PID 4812 wrote to memory of 3208	4812	{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe	cmd.exe
PID 4812 wrote to memory of 3208	4812	{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe	cmd.exe
PID 4812 wrote to memory of 3208	4812	{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe	cmd.exe
PID 3200 wrote to memory of 3172	3200	{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe	{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe
PID 3200 wrote to memory of 3172	3200	{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe	{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe
PID 3200 wrote to memory of 3172	3200	{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe	{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe
PID 3200 wrote to memory of 2284	3200	{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe	cmd.exe
PID 3200 wrote to memory of 2284	3200	{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe	cmd.exe
PID 3200 wrote to memory of 2284	3200	{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe	cmd.exe
PID 3172 wrote to memory of 1952	3172	{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe	{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe
PID 3172 wrote to memory of 1952	3172	{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe	{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe
PID 3172 wrote to memory of 1952	3172	{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe	{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe
PID 3172 wrote to memory of 1260	3172	{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe	cmd.exe
PID 3172 wrote to memory of 1260	3172	{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe	cmd.exe
PID 3172 wrote to memory of 1260	3172	{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe	cmd.exe
PID 1952 wrote to memory of 2752	1952	{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe	{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe
PID 1952 wrote to memory of 2752	1952	{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe	{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe
PID 1952 wrote to memory of 2752	1952	{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe	{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe
PID 1952 wrote to memory of 3600	1952	{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe	cmd.exe
PID 1952 wrote to memory of 3600	1952	{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe	cmd.exe
PID 1952 wrote to memory of 3600	1952	{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe	cmd.exe
PID 2752 wrote to memory of 4684	2752	{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe	{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe
PID 2752 wrote to memory of 4684	2752	{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe	{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe
PID 2752 wrote to memory of 4684	2752	{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe	{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe
PID 2752 wrote to memory of 4616	2752	{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe	cmd.exe
PID 2752 wrote to memory of 4616	2752	{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe	cmd.exe
PID 2752 wrote to memory of 4616	2752	{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe	cmd.exe
PID 4684 wrote to memory of 2648	4684	{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe	{03C62655-1914-4ad0-A063-771C394CF525}.exe
PID 4684 wrote to memory of 2648	4684	{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe	{03C62655-1914-4ad0-A063-771C394CF525}.exe
PID 4684 wrote to memory of 2648	4684	{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe	{03C62655-1914-4ad0-A063-771C394CF525}.exe
PID 4684 wrote to memory of 4672	4684	{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe	cmd.exe
PID 4684 wrote to memory of 4672	4684	{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe	cmd.exe
PID 4684 wrote to memory of 4672	4684	{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe	cmd.exe
PID 2648 wrote to memory of 4448	2648	{03C62655-1914-4ad0-A063-771C394CF525}.exe	{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe
PID 2648 wrote to memory of 4448	2648	{03C62655-1914-4ad0-A063-771C394CF525}.exe	{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe
PID 2648 wrote to memory of 4448	2648	{03C62655-1914-4ad0-A063-771C394CF525}.exe	{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe
PID 2648 wrote to memory of 4644	2648	{03C62655-1914-4ad0-A063-771C394CF525}.exe	cmd.exe
PID 2648 wrote to memory of 4644	2648	{03C62655-1914-4ad0-A063-771C394CF525}.exe	cmd.exe
PID 2648 wrote to memory of 4644	2648	{03C62655-1914-4ad0-A063-771C394CF525}.exe	cmd.exe
PID 4448 wrote to memory of 3452	4448	{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe	{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe
PID 4448 wrote to memory of 3452	4448	{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe	{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe
PID 4448 wrote to memory of 3452	4448	{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe	{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe
PID 4448 wrote to memory of 4428	4448	{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe	cmd.exe
PID 4448 wrote to memory of 4428	4448	{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe	cmd.exe
PID 4448 wrote to memory of 4428	4448	{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe	cmd.exe
PID 3452 wrote to memory of 1652	3452	{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe	{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe
PID 3452 wrote to memory of 1652	3452	{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe	{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe
PID 3452 wrote to memory of 1652	3452	{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe	{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe
PID 3452 wrote to memory of 4560	3452	{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe	cmd.exe
PID 3452 wrote to memory of 4560	3452	{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe	cmd.exe
PID 3452 wrote to memory of 4560	3452	{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe	cmd.exe
PID 1652 wrote to memory of 3768	1652	{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe	{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe
PID 1652 wrote to memory of 3768	1652	{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe	{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe
PID 1652 wrote to memory of 3768	1652	{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe	{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe
PID 1652 wrote to memory of 3480	1652	{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_01f6ebaff4bf8f0ef17677f45e31501f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe
C:\Windows\{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe
C:\Windows\{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe
C:\Windows\{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe
C:\Windows\{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe
C:\Windows\{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe
C:\Windows\{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\{03C62655-1914-4ad0-A063-771C394CF525}.exe
C:\Windows\{03C62655-1914-4ad0-A063-771C394CF525}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe
C:\Windows\{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe
C:\Windows\{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe
C:\Windows\{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe
C:\Windows\{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\{91C5C928-8039-40a7-A8AA-5C384FF76052}.exe
C:\Windows\{91C5C928-8039-40a7-A8AA-5C384FF76052}.exe
13⤵
- Executes dropped EXE
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0ACF3~1.EXE > nul
13⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CA190~1.EXE > nul
12⤵
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9BFB6~1.EXE > nul
11⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{86FCA~1.EXE > nul
10⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{03C62~1.EXE > nul
9⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{614BC~1.EXE > nul
8⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{92CE3~1.EXE > nul
7⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DDDCE~1.EXE > nul
6⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F664E~1.EXE > nul
5⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E8BA5~1.EXE > nul
4⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1EFA0~1.EXE > nul
3⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03C62655-1914-4ad0-A063-771C394CF525}.exe
Filesize
408KB

MD5
87c2b6e94d68adbb7b3d14b2f42b6021

SHA1
6f0ab375d9653067a97c00d536d9c7388c17738a

SHA256
534a6c52f2c566b49bc06e1eddc373b48802a914c57aa7ce8b8709dc7cf78b00

SHA512
8dcf304e62ef9e4f2dbc4b70ca7d48f682bf53e44980f8029e1ac597144616bce215ba0c961b17bf74e133c6be0baff810166edc760dc675b55260225fb6c2ef

Download Submit
C:\Windows\{0ACF309F-4AF6-4dc1-BBEE-9B8105E5A08D}.exe
Filesize
408KB

MD5
8b0b7a6870374a4e6826a7394e75f2a8

SHA1
4bd0c2b39fcb975bd59585adf04372435b3e175b

SHA256
75430ebd94e0c27e16b7017d983f6074c63009ab71e7fe220c8e01d5c112da6a

SHA512
0c29a8c1b62334e7a67fd2725861d50b31b36023f2fffb222a08a91bf83fd4e31c9930b0c61eefca355af782d6d572eb745233c5de693871dfc95b81a3a7fd18

Download Submit
C:\Windows\{1EFA002C-38EE-43d1-8141-86D873C4FA1B}.exe
Filesize
408KB

MD5
b60dc322471566b8b5d754defafbb63b

SHA1
2fc7e91c097b52cda6139befca7b9134569b5e82

SHA256
352ffcd531386a29becd087ab45001fdcbea793071c98a0392f00708639869fb

SHA512
0edea6a28f5c0b47a2294328cc78b8a738c1fd717e7ccb8a1cf932a6bc9fcbe3cca17e4311031bfaa014b081f5e318a5e6b4e68ae6b53fe30d342cd25238fd9a

Download Submit
C:\Windows\{614BCA3E-230B-4ba2-A233-9A0384A7952E}.exe
Filesize
408KB

MD5
9a1f76186f1ee8e09afcd48572bcd489

SHA1
b050c195f363d6a05f8d918e327ecda69b95ba9a

SHA256
293d547d97448e0277ac21b999ed843acf17aedcf0fecff6c0d16498ac210c6b

SHA512
b730c472a5c2d5e6eaecfa0437348a7a62c12cd35a5aaad1758410c55e9cefb3c4dbb7ab176ad3593e3e449549aba6949cee49b3ce8a4c08f02f91da146fef00

Download Submit
C:\Windows\{86FCA23E-F672-46cd-8FAC-4DD93E28B3BC}.exe
Filesize
408KB

MD5
0ef544437a7231c188ccf6131c15ec84

SHA1
284877091919155d13c883e76eff3a3542115ef2

SHA256
776b600971008914da4eac5bf8cfb9e5e5eb5ed911a7e21dfe523e44e86ff3a7

SHA512
4f661e9ddffb448de43a51e82493097333f7e62f3562778100e6d6a23aeba77b1f1f533393108133f3feaa04f1f2b064c90765679e3d814801ceef9d56282828

Download Submit
C:\Windows\{91C5C928-8039-40a7-A8AA-5C384FF76052}.exe
Filesize
408KB

MD5
5648d985f5db4d8338869d6881f9b465

SHA1
71909e29a23f766f79e3e884e23fb9da5b0fa506

SHA256
940f51ae4ba3d55172feb81257b868e732771a6f0aedb8a48ee544e9b7560b55

SHA512
8456e4a989bde279ea025d1057e6175144605dabe86a79939e6d9309ff43adac79dc57bf62241b9b2b24489afa8e6648d84338263e187f6674cc008d24eb665c

Download Submit
C:\Windows\{92CE31B3-B901-4e8c-8FFC-7EB952D79782}.exe
Filesize
408KB

MD5
607efba17d91627b1513932037985512

SHA1
6474036cb26fc3b8d400ce040dfed7cefaf89ca5

SHA256
546162c76dfc96cb1b226dcb82e457115e7eff8a2965bd02ef7fa12daa186eaa

SHA512
70ee8c77ef56cca035f14b4241e9392b0fc8185debbdfb2581abc90ba82aa20b43c19c47b1d082806137b79c432a51937d1350ee5d2e44b9d495f4ea336a61fb

Download Submit
C:\Windows\{9BFB665A-2E7A-43f1-8B6E-C82EDBD18712}.exe
Filesize
408KB

MD5
affe3fb1be42254976e7eb15cad9d4d9

SHA1
8150c9693d4730c3dea5aafb540612413f974083

SHA256
c352020050b073c8c5139825920a54fddd87e61be507d50b0f455a7a11fff1b2

SHA512
ae1c23f2c5010d308d267f863701c7291fe9febd3ef15b8ebfa5245512d9f9bc77310dc669f9a3165877d3abc725bdee2f3aea071a40de9ce715887d287372e4

Download Submit
C:\Windows\{CA1905ED-6217-4e19-919B-0AA0FF267E33}.exe
Filesize
408KB

MD5
ac27a3bf2de8fa73ed40c8d579bb8ea6

SHA1
aa73e2a60f582c55e6186e6163c58ac745b45d10

SHA256
52be853b99fce11be9ed452ce9f721f1acb4043bf5d5573d69a2f56bcc578c73

SHA512
377dc7eb048eb6fc37d9bf01cccc2e78563196fbeb467d23bd72023434fc320bef308f017e28769a51927dcc24da315a71e3cb70729db52af02c4b5cbbb20201

Download Submit
C:\Windows\{DDDCEB41-164E-4867-A52F-CC7D7F08C261}.exe
Filesize
408KB

MD5
2d411c7043ab899b11d167fe6e6889ec

SHA1
4efc684e54c02ba14a5c8fceea4534d744f630fc

SHA256
01ab8cf4afc808982e789ccce0410e815bb5993a992f087a9d809ff3bd1514c9

SHA512
cf7409fb99b30953fadaacd1bd4110a72afd18572c35179baac1775d319615a211c52d592b1787b0ec534652c44958296cd740830b7388401ed8396a8cf62166

Download Submit
C:\Windows\{E8BA5F82-DF1C-43ab-A362-4042A11C59DE}.exe
Filesize
408KB

MD5
eb8d088bbba41e7b4ed14ebbb502f92f

SHA1
a2eeb736d3f73d56d1b85edb1cfd6589a081368b

SHA256
65b29317e21e5819cb57a502d5350a83b9769b21e3fcd967d3e78a9945017847

SHA512
826ceda9ba47805f1bfce20b8ea65ae4bd3b7d956000924ed9bf4dd5b5b30eeac32c150a1cfc9b0d0ab52590c5d4c74759f732c6933ce117a42de6d901989f73

Download Submit
C:\Windows\{F664E010-F02F-4a7f-AEA6-22E0A216D21B}.exe
Filesize
408KB

MD5
45dfc17357aefb110dfb0c69904672cf

SHA1
5625a7945e39aada60c2c6813321d6000eb59b4c

SHA256
a4c3e73ea9e475dde52217eecbc92e67624b7d0f2358d935a07a2c92e2e6d792

SHA512
8b84789056f8185c3e5b8749b28e421e0ac825768b3133040a3d12d5cb9a106cf75637f7f426248633b6382c3db31200951d32d4388d8d546c562e007f250c19

Download Submit