7d52c64a7e326da3b005dba3ccf086d1fde2f675afcd720e6211d3c79dff48db

Analysis

max time kernel
149s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe
Size

204KB
MD5

300b31c407d9de737e7ccfe92c86c794
SHA1

4593def138e0ea2958e3d8e4eb38b3588284e81a
SHA256

7d52c64a7e326da3b005dba3ccf086d1fde2f675afcd720e6211d3c79dff48db
SHA512

2080c96be1195c8b42a9868edde571d72e205e8f838f91abf8d55b10411a49cb1cf201c5f96b8cad2665ea8059cbafc5eaf51067d19a256f1cb96537897f8e93
SSDEEP

1536:1EGh0ohl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ohl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{1193A47F-FA2A-46cc-9731-061A07087E15}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{173FB696-49CF-427f-B1E8-5C345AC75D6C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe{1193A47F-FA2A-46cc-9731-061A07087E15}.exe{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}.exe2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}\stubpath = "C:\\Windows\\{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe"	{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4F12417-6326-4ac2-9C45-DBBD6C451D63}	{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C394786-6A3E-4434-92BB-2F35BC77FA80}\stubpath = "C:\\Windows\\{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe"	{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7792C9B6-A97F-4e2b-AB80-070B398448BD}	{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7792C9B6-A97F-4e2b-AB80-070B398448BD}\stubpath = "C:\\Windows\\{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe"	{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C69D99E9-9001-472d-808F-CDE79E374FF3}	{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C69D99E9-9001-472d-808F-CDE79E374FF3}\stubpath = "C:\\Windows\\{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe"	{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{173FB696-49CF-427f-B1E8-5C345AC75D6C}\stubpath = "C:\\Windows\\{173FB696-49CF-427f-B1E8-5C345AC75D6C}.exe"	{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}	{1193A47F-FA2A-46cc-9731-061A07087E15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{382446AD-6741-4a68-B046-1CAB641DFE2D}\stubpath = "C:\\Windows\\{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe"	{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}	{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{232EBCB8-0624-4f90-924E-D807CAC6072D}\stubpath = "C:\\Windows\\{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe"	{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C394786-6A3E-4434-92BB-2F35BC77FA80}	{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}\stubpath = "C:\\Windows\\{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}.exe"	{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{823C69BE-02C8-4d88-82F9-4678458B64E6}	{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1193A47F-FA2A-46cc-9731-061A07087E15}	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1193A47F-FA2A-46cc-9731-061A07087E15}\stubpath = "C:\\Windows\\{1193A47F-FA2A-46cc-9731-061A07087E15}.exe"	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{382446AD-6741-4a68-B046-1CAB641DFE2D}	{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}	{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{823C69BE-02C8-4d88-82F9-4678458B64E6}\stubpath = "C:\\Windows\\{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe"	{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}\stubpath = "C:\\Windows\\{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe"	{1193A47F-FA2A-46cc-9731-061A07087E15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{232EBCB8-0624-4f90-924E-D807CAC6072D}	{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4F12417-6326-4ac2-9C45-DBBD6C451D63}\stubpath = "C:\\Windows\\{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe"	{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{173FB696-49CF-427f-B1E8-5C345AC75D6C}	{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe

Executes dropped EXE 11 IoCs

Processes:

{1193A47F-FA2A-46cc-9731-061A07087E15}.exe{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}.exe{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe{173FB696-49CF-427f-B1E8-5C345AC75D6C}.exe

pid	process
2524	{1193A47F-FA2A-46cc-9731-061A07087E15}.exe
3664	{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe
4424	{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe
3408	{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe
4560	{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe
1536	{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe
4960	{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe
4632	{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}.exe
2428	{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe
3000	{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe
1012	{173FB696-49CF-427f-B1E8-5C345AC75D6C}.exe

Drops file in Windows directory 11 IoCs

Processes:

2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe{1193A47F-FA2A-46cc-9731-061A07087E15}.exe{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe

description	ioc	process
File created	C:\Windows\{1193A47F-FA2A-46cc-9731-061A07087E15}.exe	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe
File created	C:\Windows\{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe	{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe
File created	C:\Windows\{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe	{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe
File created	C:\Windows\{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}.exe	{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe
File created	C:\Windows\{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe	{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe
File created	C:\Windows\{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe	{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe
File created	C:\Windows\{173FB696-49CF-427f-B1E8-5C345AC75D6C}.exe	{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe
File created	C:\Windows\{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe	{1193A47F-FA2A-46cc-9731-061A07087E15}.exe
File created	C:\Windows\{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe	{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe
File created	C:\Windows\{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe	{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe
File created	C:\Windows\{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe	{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe{1193A47F-FA2A-46cc-9731-061A07087E15}.exe{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3916	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2524	{1193A47F-FA2A-46cc-9731-061A07087E15}.exe
Token: SeIncBasePriorityPrivilege	3664	{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe
Token: SeIncBasePriorityPrivilege	4424	{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe
Token: SeIncBasePriorityPrivilege	3408	{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe
Token: SeIncBasePriorityPrivilege	4560	{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe
Token: SeIncBasePriorityPrivilege	1536	{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe
Token: SeIncBasePriorityPrivilege	4960	{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe
Token: SeIncBasePriorityPrivilege	2592	{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe
Token: SeIncBasePriorityPrivilege	2428	{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe
Token: SeIncBasePriorityPrivilege	3000	{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3916 wrote to memory of 2524	3916	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe	{1193A47F-FA2A-46cc-9731-061A07087E15}.exe
PID 3916 wrote to memory of 2524	3916	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe	{1193A47F-FA2A-46cc-9731-061A07087E15}.exe
PID 3916 wrote to memory of 2524	3916	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe	{1193A47F-FA2A-46cc-9731-061A07087E15}.exe
PID 3916 wrote to memory of 2428	3916	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe	cmd.exe
PID 3916 wrote to memory of 2428	3916	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe	cmd.exe
PID 3916 wrote to memory of 2428	3916	2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe	cmd.exe
PID 2524 wrote to memory of 3664	2524	{1193A47F-FA2A-46cc-9731-061A07087E15}.exe	{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe
PID 2524 wrote to memory of 3664	2524	{1193A47F-FA2A-46cc-9731-061A07087E15}.exe	{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe
PID 2524 wrote to memory of 3664	2524	{1193A47F-FA2A-46cc-9731-061A07087E15}.exe	{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe
PID 2524 wrote to memory of 3952	2524	{1193A47F-FA2A-46cc-9731-061A07087E15}.exe	cmd.exe
PID 2524 wrote to memory of 3952	2524	{1193A47F-FA2A-46cc-9731-061A07087E15}.exe	cmd.exe
PID 2524 wrote to memory of 3952	2524	{1193A47F-FA2A-46cc-9731-061A07087E15}.exe	cmd.exe
PID 3664 wrote to memory of 4424	3664	{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe	{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe
PID 3664 wrote to memory of 4424	3664	{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe	{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe
PID 3664 wrote to memory of 4424	3664	{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe	{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe
PID 3664 wrote to memory of 4600	3664	{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe	cmd.exe
PID 3664 wrote to memory of 4600	3664	{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe	cmd.exe
PID 3664 wrote to memory of 4600	3664	{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe	cmd.exe
PID 4424 wrote to memory of 3408	4424	{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe	{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe
PID 4424 wrote to memory of 3408	4424	{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe	{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe
PID 4424 wrote to memory of 3408	4424	{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe	{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe
PID 4424 wrote to memory of 2844	4424	{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe	cmd.exe
PID 4424 wrote to memory of 2844	4424	{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe	cmd.exe
PID 4424 wrote to memory of 2844	4424	{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe	cmd.exe
PID 3408 wrote to memory of 4560	3408	{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe	{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe
PID 3408 wrote to memory of 4560	3408	{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe	{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe
PID 3408 wrote to memory of 4560	3408	{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe	{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe
PID 3408 wrote to memory of 2432	3408	{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe	cmd.exe
PID 3408 wrote to memory of 2432	3408	{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe	cmd.exe
PID 3408 wrote to memory of 2432	3408	{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe	cmd.exe
PID 4560 wrote to memory of 1536	4560	{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe	{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe
PID 4560 wrote to memory of 1536	4560	{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe	{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe
PID 4560 wrote to memory of 1536	4560	{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe	{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe
PID 4560 wrote to memory of 2824	4560	{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe	cmd.exe
PID 4560 wrote to memory of 2824	4560	{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe	cmd.exe
PID 4560 wrote to memory of 2824	4560	{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe	cmd.exe
PID 1536 wrote to memory of 4960	1536	{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe	{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe
PID 1536 wrote to memory of 4960	1536	{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe	{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe
PID 1536 wrote to memory of 4960	1536	{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe	{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe
PID 1536 wrote to memory of 4100	1536	{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe	cmd.exe
PID 1536 wrote to memory of 4100	1536	{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe	cmd.exe
PID 1536 wrote to memory of 4100	1536	{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe	cmd.exe
PID 4960 wrote to memory of 4632	4960	{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe	{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}.exe
PID 4960 wrote to memory of 4632	4960	{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe	{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}.exe
PID 4960 wrote to memory of 4632	4960	{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe	{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}.exe
PID 4960 wrote to memory of 4480	4960	{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe	cmd.exe
PID 4960 wrote to memory of 4480	4960	{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe	cmd.exe
PID 4960 wrote to memory of 4480	4960	{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe	cmd.exe
PID 2592 wrote to memory of 2428	2592	{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe	{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe
PID 2592 wrote to memory of 2428	2592	{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe	{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe
PID 2592 wrote to memory of 2428	2592	{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe	{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe
PID 2592 wrote to memory of 4404	2592	{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe	cmd.exe
PID 2592 wrote to memory of 4404	2592	{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe	cmd.exe
PID 2592 wrote to memory of 4404	2592	{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe	cmd.exe
PID 2428 wrote to memory of 3000	2428	{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe	{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe
PID 2428 wrote to memory of 3000	2428	{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe	{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe
PID 2428 wrote to memory of 3000	2428	{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe	{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe
PID 2428 wrote to memory of 2820	2428	{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe	cmd.exe
PID 2428 wrote to memory of 2820	2428	{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe	cmd.exe
PID 2428 wrote to memory of 2820	2428	{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe	cmd.exe
PID 3000 wrote to memory of 1012	3000	{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe	{173FB696-49CF-427f-B1E8-5C345AC75D6C}.exe
PID 3000 wrote to memory of 1012	3000	{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe	{173FB696-49CF-427f-B1E8-5C345AC75D6C}.exe
PID 3000 wrote to memory of 1012	3000	{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe	{173FB696-49CF-427f-B1E8-5C345AC75D6C}.exe
PID 3000 wrote to memory of 2768	3000	{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_300b31c407d9de737e7ccfe92c86c794_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\{1193A47F-FA2A-46cc-9731-061A07087E15}.exe
C:\Windows\{1193A47F-FA2A-46cc-9731-061A07087E15}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe
C:\Windows\{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe
C:\Windows\{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe
C:\Windows\{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe
C:\Windows\{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe
C:\Windows\{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe
C:\Windows\{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}.exe
C:\Windows\{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
PID:4632

C:\Windows\{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe
C:\Windows\{823C69BE-02C8-4d88-82F9-4678458B64E6}.exe
10⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe
C:\Windows\{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe
C:\Windows\{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\{173FB696-49CF-427f-B1E8-5C345AC75D6C}.exe
C:\Windows\{173FB696-49CF-427f-B1E8-5C345AC75D6C}.exe
13⤵
- Executes dropped EXE
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C69D9~1.EXE > nul
13⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7792C~1.EXE > nul
12⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{823C6~1.EXE > nul
11⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{44F93~1.EXE > nul
10⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9C394~1.EXE > nul
9⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D4F12~1.EXE > nul
8⤵
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{232EB~1.EXE > nul
7⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7B5DC~1.EXE > nul
6⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{38244~1.EXE > nul
5⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B7C1F~1.EXE > nul
4⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1193A~1.EXE > nul
3⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2428

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1193A47F-FA2A-46cc-9731-061A07087E15}.exe
Filesize
204KB

MD5
bae47066a8b566f35ff9016b09ee8eb3

SHA1
95c8a6889c66c81b8fae7451f896faae6d107ba8

SHA256
cb8f06365cb74d676ea3b4ad2d7290c02e102a93c78494ab4624f5be51a23a7d

SHA512
3386665a27d93140fd2522f44111c119510d35d1c01aae6d8a7ad8d674e87d6829283bc49315f0f6ea13a3f9369a364191acea174c17fafbd70b7da784e8b241

Download Submit
C:\Windows\{173FB696-49CF-427f-B1E8-5C345AC75D6C}.exe
Filesize
204KB

MD5
d7e6644fcc618d329c4184881a770fd0

SHA1
786259be959038330a9199ba1c919482a76f7088

SHA256
5a28c8dc95505176fab0eabd2a033d0286ed920b886045ebc1e23f9323789e96

SHA512
ce4e52ccb450316afcd6aa41404cf2f30dfc31e1d9cc35c74cd791df10f63c8c9ed6e85c811fbe8e9799ce9d7fc2be1e81c59afcf9bdc334bab3128eb47af721

Download Submit
C:\Windows\{232EBCB8-0624-4f90-924E-D807CAC6072D}.exe
Filesize
204KB

MD5
07fe77e3903af789efda02e364ff7d42

SHA1
05013f24e8aca1aadffc3a8f1305b5c8e4f6bd54

SHA256
0723e9a7d288209eada255365e21ead943f7ec607e338852f2bd8069e98105a6

SHA512
d9d9d60671c87eb74ed954d7936c9b89fd840d6f6b25071d4d9800004534ab7ea2a460c67387ec0139cc39f5c1b29b949ba0d684fe3a36f00c49dfd6b3229448

Download Submit
C:\Windows\{382446AD-6741-4a68-B046-1CAB641DFE2D}.exe
Filesize
204KB

MD5
bdfc3e88452001d33b0bb0bd5bf75175

SHA1
d924d0960c8ecdd7f1e6df76757ee2c4de58ea7a

SHA256
a474ee57a6941bf20280466a1e29a853d912758e38e78da01f2d8dc2b0772f56

SHA512
03f4b2545887b4abd79399dded52baceaec811195c1ea21497787f4282109fc859930d2578e3a006c043675b5114ee53e956b439d324562d6179b78280bdd28b

Download Submit
C:\Windows\{44F93E7C-0502-4ae4-BDA6-6A601A0E808B}.exe
Filesize
204KB

MD5
bd3153b309ba110d8cefab7039060b7a

SHA1
d2ffb7ef3e1c68e66c26f89ca1e3ee630fc40afa

SHA256
28558498c384276fba4c5512c0fa7aa5732775c8e7a5611e2ac01f9856cfc02a

SHA512
e788391c8f845ddef607461798a38b44c956f47e851813a170b638c1635d13981c5a193e695d23ef4cecc86e68b557ec2202f08339743cf6ac6aa9058592ec25

Download Submit
C:\Windows\{7792C9B6-A97F-4e2b-AB80-070B398448BD}.exe
Filesize
204KB

MD5
20734cb0517c8f398da26a29fe7bfb5c

SHA1
cb325e06bfb5ccea152fff3ccec5f3d760478326

SHA256
f715e00ae8ac549124cd5b361f9ed735ed426efc1013f360ddd3b069dae18e04

SHA512
f9907c17ef14b0f91b6e8e0a2f43e7e4646f509d959732f87a829cb9ce5b947bef49de06e2a83fe027145cc4601d62071639849e432f0012afdbfd5574a42f68

Download Submit
C:\Windows\{7B5DC801-9BBD-4752-A70A-A9C4EC420C3A}.exe
Filesize
204KB

MD5
603a04d768cd7f8ee7b2e25015a80e63

SHA1
bfef678a04702d62ddea3e29687b28f65b40e562

SHA256
ca927d2f6e79cb41f48be3ee7d0c3e3eec6c2b7f630b1d18be58b48f35ad880f

SHA512
f85f6759fb43e4fe38c79948696a50e2bcf1f671cc407a503e3cd089a67f7d0d0c24c3c0c40bb775388f09eb371e9f8ad975b4355147a5080690a2d115fc477e

Download Submit
C:\Windows\{9C394786-6A3E-4434-92BB-2F35BC77FA80}.exe
Filesize
204KB

MD5
6086238291cc07676d6f207bb0e081d2

SHA1
a7d259b16b8df42eaf2d83127f650a1beefa0a01

SHA256
7bc88e89886d3b1414acac2dc235f9eeefe73ae8a1042464ae130999d46dcf6c

SHA512
408078d522d76c89f206c124730b9b07d46616f676cf96296bb52f9cad5878a6e7323b13908e4f7367942afbd93441d977bee6616e79c038e52571a29badd50c

Download Submit
C:\Windows\{B7C1FB1D-6E1C-48dc-894E-46EEA9B8CC9A}.exe
Filesize
204KB

MD5
01f61caac20febf187d817cfbf2cb547

SHA1
84b367031c2d6923bdc834aa4e2bc795ece72100

SHA256
ab96d11f8f0652fce811e8fc32bd60445f995d06cc05c67bd1111e6ce64be21b

SHA512
1a567814a15993a81ffe6f04d4b60ae7fcac5f4c55fad28bade6dac7f2186cafa726171af01ff05ba34582b0a5229f68216aded17ea88c93b6ed28b3e2014b6e

Download Submit
C:\Windows\{C69D99E9-9001-472d-808F-CDE79E374FF3}.exe
Filesize
204KB

MD5
40e593b91908de51a27ce2a7c067fbed

SHA1
35227e9856a878e7c1abcf76577a07a2f6634f67

SHA256
9c820a8c0aeb703e70f7b0043a35639a8bb9f79131f58afc4df929319c4e40a3

SHA512
168d8ac29cde95e7b5bc825babcad518b893cad1e91440784e2477e7e49ce966a344b117ba208028733e5e8c243c7379017cad27feadfd89caf0c8d06300b979

Download Submit
C:\Windows\{D4F12417-6326-4ac2-9C45-DBBD6C451D63}.exe
Filesize
204KB

MD5
19b56e6e3551b8a80df6fd7a73152ff3

SHA1
173ae4afcca81dc13527d94390e9e91f50f1fe7c

SHA256
720a68e60af7b80784d9fabb102d5b3d005afafa4ab4139fef87ccf784381ac1

SHA512
b997814ef3e82f7697ae732d7f19942f50c14d1159cfe16ad63a94fb567dd86289c7a1e8d2f8478d11ae2ff67051de7ac105f27c546accff272f8e2128353d0c

Download Submit