0ed038ddd9478e825662f32d8e4be7505ae4c574867bb4bcaf356333e692918e

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe
Size

197KB
MD5

3828e76af810dc84052a5d4e7732ed6e
SHA1

45f2e7588f93d12770c74a09d69ba99864b0a8b7
SHA256

0ed038ddd9478e825662f32d8e4be7505ae4c574867bb4bcaf356333e692918e
SHA512

c00bd08c2e92b2e11a6f5a42246ac6b07ada9f368d9aff4c5405c2f3b6662e196defbc6b4ccc3e8462578e21ac397204ae9241b5548d1da92a933f6d6c0e43e2
SSDEEP

3072:jEGh0osl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGylEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{419A0961-3F96-4851-ACCE-191C38E7A416}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D042D631-6635-46f7-BCB8-41330F230B9E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{97A8C61B-F283-473b-AFDC-5278F46BE382}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{536E84B2-F878-4349-86F2-BC710ABBAB2C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{419A0961-3F96-4851-ACCE-191C38E7A416}.exe{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe{D042D631-6635-46f7-BCB8-41330F230B9E}.exe{97A8C61B-F283-473b-AFDC-5278F46BE382}.exe2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}\stubpath = "C:\\Windows\\{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe"	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}\stubpath = "C:\\Windows\\{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe"	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D042D631-6635-46f7-BCB8-41330F230B9E}\stubpath = "C:\\Windows\\{D042D631-6635-46f7-BCB8-41330F230B9E}.exe"	{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8534BE4-F446-478b-B8E6-E79DE53EB72F}	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}\stubpath = "C:\\Windows\\{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe"	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97A8C61B-F283-473b-AFDC-5278F46BE382}	{D042D631-6635-46f7-BCB8-41330F230B9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{536E84B2-F878-4349-86F2-BC710ABBAB2C}	{97A8C61B-F283-473b-AFDC-5278F46BE382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{536E84B2-F878-4349-86F2-BC710ABBAB2C}\stubpath = "C:\\Windows\\{536E84B2-F878-4349-86F2-BC710ABBAB2C}.exe"	{97A8C61B-F283-473b-AFDC-5278F46BE382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97A8C61B-F283-473b-AFDC-5278F46BE382}\stubpath = "C:\\Windows\\{97A8C61B-F283-473b-AFDC-5278F46BE382}.exe"	{D042D631-6635-46f7-BCB8-41330F230B9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{419A0961-3F96-4851-ACCE-191C38E7A416}\stubpath = "C:\\Windows\\{419A0961-3F96-4851-ACCE-191C38E7A416}.exe"	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7266922E-1C76-4249-9F33-3B9165AFC72E}	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7266922E-1C76-4249-9F33-3B9165AFC72E}\stubpath = "C:\\Windows\\{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe"	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D042D631-6635-46f7-BCB8-41330F230B9E}	{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{419A0961-3F96-4851-ACCE-191C38E7A416}	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8534BE4-F446-478b-B8E6-E79DE53EB72F}\stubpath = "C:\\Windows\\{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe"	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}\stubpath = "C:\\Windows\\{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe"	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}\stubpath = "C:\\Windows\\{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe"	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1912 cmd.exe

pid	process
1912	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{419A0961-3F96-4851-ACCE-191C38E7A416}.exe{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe{D042D631-6635-46f7-BCB8-41330F230B9E}.exe{97A8C61B-F283-473b-AFDC-5278F46BE382}.exe{536E84B2-F878-4349-86F2-BC710ABBAB2C}.exe

pid	process
1788	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe
2636	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe
2540	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe
2592	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe
2412	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe
920	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe
2252	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe
2880	{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe
1760	{D042D631-6635-46f7-BCB8-41330F230B9E}.exe
1612	{97A8C61B-F283-473b-AFDC-5278F46BE382}.exe
792	{536E84B2-F878-4349-86F2-BC710ABBAB2C}.exe

Drops file in Windows directory 11 IoCs

Processes:

{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe{97A8C61B-F283-473b-AFDC-5278F46BE382}.exe{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe{D042D631-6635-46f7-BCB8-41330F230B9E}.exe2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe{419A0961-3F96-4851-ACCE-191C38E7A416}.exe{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe

description	ioc	process
File created	C:\Windows\{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe
File created	C:\Windows\{536E84B2-F878-4349-86F2-BC710ABBAB2C}.exe	{97A8C61B-F283-473b-AFDC-5278F46BE382}.exe
File created	C:\Windows\{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe
File created	C:\Windows\{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe
File created	C:\Windows\{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe
File created	C:\Windows\{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe
File created	C:\Windows\{D042D631-6635-46f7-BCB8-41330F230B9E}.exe	{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe
File created	C:\Windows\{97A8C61B-F283-473b-AFDC-5278F46BE382}.exe	{D042D631-6635-46f7-BCB8-41330F230B9E}.exe
File created	C:\Windows\{419A0961-3F96-4851-ACCE-191C38E7A416}.exe	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe
File created	C:\Windows\{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe
File created	C:\Windows\{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe{419A0961-3F96-4851-ACCE-191C38E7A416}.exe{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe{D042D631-6635-46f7-BCB8-41330F230B9E}.exe{97A8C61B-F283-473b-AFDC-5278F46BE382}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1800	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1788	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe
Token: SeIncBasePriorityPrivilege	2636	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe
Token: SeIncBasePriorityPrivilege	2540	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe
Token: SeIncBasePriorityPrivilege	2592	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe
Token: SeIncBasePriorityPrivilege	2412	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe
Token: SeIncBasePriorityPrivilege	920	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe
Token: SeIncBasePriorityPrivilege	2252	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe
Token: SeIncBasePriorityPrivilege	2880	{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe
Token: SeIncBasePriorityPrivilege	1760	{D042D631-6635-46f7-BCB8-41330F230B9E}.exe
Token: SeIncBasePriorityPrivilege	1612	{97A8C61B-F283-473b-AFDC-5278F46BE382}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1800 wrote to memory of 1788	1800	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe
PID 1800 wrote to memory of 1788	1800	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe
PID 1800 wrote to memory of 1788	1800	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe
PID 1800 wrote to memory of 1788	1800	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe
PID 1800 wrote to memory of 1912	1800	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe	cmd.exe
PID 1800 wrote to memory of 1912	1800	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe	cmd.exe
PID 1800 wrote to memory of 1912	1800	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe	cmd.exe
PID 1800 wrote to memory of 1912	1800	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe	cmd.exe
PID 1788 wrote to memory of 2636	1788	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe
PID 1788 wrote to memory of 2636	1788	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe
PID 1788 wrote to memory of 2636	1788	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe
PID 1788 wrote to memory of 2636	1788	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe
PID 1788 wrote to memory of 2652	1788	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe	cmd.exe
PID 1788 wrote to memory of 2652	1788	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe	cmd.exe
PID 1788 wrote to memory of 2652	1788	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe	cmd.exe
PID 1788 wrote to memory of 2652	1788	{419A0961-3F96-4851-ACCE-191C38E7A416}.exe	cmd.exe
PID 2636 wrote to memory of 2540	2636	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe
PID 2636 wrote to memory of 2540	2636	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe
PID 2636 wrote to memory of 2540	2636	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe
PID 2636 wrote to memory of 2540	2636	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe
PID 2636 wrote to memory of 2684	2636	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe	cmd.exe
PID 2636 wrote to memory of 2684	2636	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe	cmd.exe
PID 2636 wrote to memory of 2684	2636	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe	cmd.exe
PID 2636 wrote to memory of 2684	2636	{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe	cmd.exe
PID 2540 wrote to memory of 2592	2540	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe
PID 2540 wrote to memory of 2592	2540	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe
PID 2540 wrote to memory of 2592	2540	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe
PID 2540 wrote to memory of 2592	2540	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe
PID 2540 wrote to memory of 2900	2540	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe	cmd.exe
PID 2540 wrote to memory of 2900	2540	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe	cmd.exe
PID 2540 wrote to memory of 2900	2540	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe	cmd.exe
PID 2540 wrote to memory of 2900	2540	{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe	cmd.exe
PID 2592 wrote to memory of 2412	2592	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe
PID 2592 wrote to memory of 2412	2592	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe
PID 2592 wrote to memory of 2412	2592	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe
PID 2592 wrote to memory of 2412	2592	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe
PID 2592 wrote to memory of 2700	2592	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe	cmd.exe
PID 2592 wrote to memory of 2700	2592	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe	cmd.exe
PID 2592 wrote to memory of 2700	2592	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe	cmd.exe
PID 2592 wrote to memory of 2700	2592	{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe	cmd.exe
PID 2412 wrote to memory of 920	2412	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe
PID 2412 wrote to memory of 920	2412	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe
PID 2412 wrote to memory of 920	2412	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe
PID 2412 wrote to memory of 920	2412	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe
PID 2412 wrote to memory of 1860	2412	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe	cmd.exe
PID 2412 wrote to memory of 1860	2412	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe	cmd.exe
PID 2412 wrote to memory of 1860	2412	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe	cmd.exe
PID 2412 wrote to memory of 1860	2412	{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe	cmd.exe
PID 920 wrote to memory of 2252	920	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe
PID 920 wrote to memory of 2252	920	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe
PID 920 wrote to memory of 2252	920	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe
PID 920 wrote to memory of 2252	920	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe
PID 920 wrote to memory of 2320	920	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe	cmd.exe
PID 920 wrote to memory of 2320	920	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe	cmd.exe
PID 920 wrote to memory of 2320	920	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe	cmd.exe
PID 920 wrote to memory of 2320	920	{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe	cmd.exe
PID 2252 wrote to memory of 2880	2252	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe	{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe
PID 2252 wrote to memory of 2880	2252	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe	{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe
PID 2252 wrote to memory of 2880	2252	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe	{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe
PID 2252 wrote to memory of 2880	2252	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe	{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe
PID 2252 wrote to memory of 1652	2252	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe	cmd.exe
PID 2252 wrote to memory of 1652	2252	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe	cmd.exe
PID 2252 wrote to memory of 1652	2252	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe	cmd.exe
PID 2252 wrote to memory of 1652	2252	{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\{419A0961-3F96-4851-ACCE-191C38E7A416}.exe
  C:\Windows\{419A0961-3F96-4851-ACCE-191C38E7A416}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe
    C:\Windows\{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe
      C:\Windows\{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe
        
        C:\Windows\{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Windows\{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe
        
        C:\Windows\{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe
        
        C:\Windows\{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe
        
        C:\Windows\{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe
        
        C:\Windows\{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\{D042D631-6635-46f7-BCB8-41330F230B9E}.exe
        
        C:\Windows\{D042D631-6635-46f7-BCB8-41330F230B9E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\{97A8C61B-F283-473b-AFDC-5278F46BE382}.exe
        
        C:\Windows\{97A8C61B-F283-473b-AFDC-5278F46BE382}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\{536E84B2-F878-4349-86F2-BC710ABBAB2C}.exe
        
        C:\Windows\{536E84B2-F878-4349-86F2-BC710ABBAB2C}.exe
        12⤵
        Executes dropped EXE
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97A8C~1.EXE > nul
        12⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D042D~1.EXE > nul
        11⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7045F~1.EXE > nul
        10⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C54B~1.EXE > nul
        9⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E198~1.EXE > nul
        8⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE4AE~1.EXE > nul
        7⤵
        
        PID:1860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72669~1.EXE > nul
        6⤵
        
        PID:2700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8534~1.EXE > nul
        5⤵
        
        PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A91B2~1.EXE > nul
      4⤵
      PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{419A0~1.EXE > nul
    3⤵
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2E1981CE-DDB2-4a2e-BA38-71C197DD4C13}.exe

Filesize
197KB

MD5
5bf3955d9ca13ba332c209ff90a39815

SHA1
e75a7fa6758748ee1b2d28ffa0bc799bf26ea526

SHA256
473e8c0b899befa0b0414a954c6ccb45902c990ee5acf54265f779438a427fb5

SHA512
53fe92136c5dc4d1ab6704733022cfdd81f7c077fb071bf4d9e7f87926aa4ccc562d4dc19e469b31fa793794971143b551f8f1a103afa863d122c650615736d1

Download Submit
C:\Windows\{419A0961-3F96-4851-ACCE-191C38E7A416}.exe

Filesize
197KB

MD5
5ed8253d1490a024db6db38d92783e38

SHA1
84c7f0ec1fa0733c98d3f3d02184ec6d37ba2eb3

SHA256
47b7945ab90106d0eefa9434d81c6fb33bcb427081896bea3e9e4e61e4f44039

SHA512
7c70d6d5779b98d7fff78956ebc91393ee21f89af8a406edb9c483e4d2984f6d1078a3c3069842cd61b418fdecd5520cea12ada321ed46a08ef6adf6bfcdff1e

Download Submit
C:\Windows\{536E84B2-F878-4349-86F2-BC710ABBAB2C}.exe

Filesize
197KB

MD5
36c8fa090e5d18d4519688b89d862ffd

SHA1
f288cb9354c7e716c8171b162c587d06f0165365

SHA256
192b8970bfa2769bbef3ee3b3f4b7b7577765d868163b4285341ccab672254cb

SHA512
edd62f6efe29b625c1b4b2f9e1342c8f7751e18c7e2cd87fabdf9809b13f24a37576e4edf35bbb2aa421b0054c2548fbc54e6735b069d2198a3d8d73d923cf9b

Download Submit
C:\Windows\{7045F0BB-430C-4a19-9C85-8EDB411CF0A4}.exe

Filesize
197KB

MD5
6089e508c3ba63b8636c40af6f1369df

SHA1
0d1cb2e827a0344710cdd9ad642e7e4e871ce63c

SHA256
042258df5b59f5f36f50dc94ce82555ff4e27aa762bbc8c3ced6bd22036fcfa9

SHA512
33b98e02644c97148146bc1676aaf4b09c769296122466d281a6c32688a0ff756bcaa4fd450a60bfae9ff71b749d593ac307d740521dfde5d623a66e415a951e

Download Submit
C:\Windows\{7266922E-1C76-4249-9F33-3B9165AFC72E}.exe

Filesize
197KB

MD5
f982ccac78452de7c1d48b2d2b58f8b2

SHA1
b08f3a76622ffb6a9daa1af8de1ce38fe003c4cd

SHA256
b0406b2395487e1e63930d8466fae1e360c2b7369ec51f65d888889dfb1ed466

SHA512
a3b8584bd6342f4214cf60590fc106dbd277f39ee60d42b9a71760f497688f82d794fc76a047c69981fa231b4a75cf0194990461e848dade0c3f31bdda4ca708

Download Submit
C:\Windows\{7C54B5CD-803C-4439-A2FB-74EFECAEF61D}.exe

Filesize
197KB

MD5
bb496af17cc2f81342618dfd18662424

SHA1
71e1002131f51982ea41bc8955ee0389c29b09cf

SHA256
dd26c2e2348cef3f916885e1e718b56655f1402e78faaaf1629a5bd9fa0279ed

SHA512
b66f9973fabb8445b92a5e1fbdb885a1b2400f353023428ef45ba090b585b4de4d22ff184ef9d83c535a10ddd56dae5cfce22ef7c8ecece4e7dcb73ea95c4006

Download Submit
C:\Windows\{97A8C61B-F283-473b-AFDC-5278F46BE382}.exe

Filesize
197KB

MD5
a70568cad76e7cd57c74868dde9b1a83

SHA1
c5f9a9f761d4e748edb5e154476064633dc43cfe

SHA256
fd94e876fa2310c6e601d3f2d56dc90c270d4d471d434ea3aec10a89e5b26f70

SHA512
bd9a8f2efe977e61cd0b107990904d731d46933359898edfd5c2bec9f8866e66c93a0f7b4a1a6d112c0d575ed7641d4a82b4e55ab15e81cd30d79271a8086f1f

Download Submit
C:\Windows\{A91B22BE-1A50-4c84-8B38-C40A7FF8CCEA}.exe

Filesize
197KB

MD5
338f700193cf3d43e66db678090eeb63

SHA1
f2f216c7ad72200eed565b0913fd9b9bf3720ed6

SHA256
b94139a6a6882233c28cbf204649272bb348a747f420dd5f89a608fd1b803105

SHA512
1e5e31475e6608f1538c3fcece69e9192718ddc00f5e0dc764735c1ed303baa7c0640313a15c6826c8bc155a5f2bd620cdbf26bf6d6b2e98f70c8edc6a9cc9c7

Download Submit
C:\Windows\{B8534BE4-F446-478b-B8E6-E79DE53EB72F}.exe

Filesize
197KB

MD5
be2b56038556902da353352ed43a4276

SHA1
d1c4e6977b549ac14c99659bd6cb123c417a9b9e

SHA256
f031151cf4ae821a670dccce7ee931ef490177dfc3cc2782487e2eb1d6ddd062

SHA512
ca758d4e23227673136fdbed21443dc6b42a9570eff2b0a5261eeb8413a239bfee75154b83447659ce2565e846ffda8a650bc7b08ed5bf06bb260c9353a16000

Download Submit
C:\Windows\{D042D631-6635-46f7-BCB8-41330F230B9E}.exe

Filesize
197KB

MD5
452090aeb93cd9fb020b0b93939fc9c8

SHA1
b390164c78d27f3f24f849e81b58471894b5b00e

SHA256
73d12390de1dcec04c091326e05ff10cd4f9767307f2ff9418e25cd4468ba35e

SHA512
1377c76c0213d96ef9e0adcfb0ca759e4c33e27b1f18272a10aa612563c695c569a137587dee107bca4a3f079593407c7eb56a1d140131928a3cc560da6b5cfd

Download Submit
C:\Windows\{EE4AEB03-722C-4e1f-8393-4F75C41F8CA1}.exe

Filesize
197KB

MD5
ca934aa1dca212522ad79cf92b354684

SHA1
aa5994c2fe6089789ce5fe80f438713bd6e7e3e0

SHA256
2ca99ecc6a8c551fb75f6b235512b343ae5dde0e1f4dd896953a8be300ccb520

SHA512
1c638a48331c4833c5a809f10939a9ef4bc316641b4ea3c9ea0d05f64748039dba567550ed51b1cdc0ec5fc0ab5c9a7095a8eb8974b7396e28633739c7293df7

Download Submit