0ed038ddd9478e825662f32d8e4be7505ae4c574867bb4bcaf356333e692918e

Analysis

max time kernel
149s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe
Size

197KB
MD5

3828e76af810dc84052a5d4e7732ed6e
SHA1

45f2e7588f93d12770c74a09d69ba99864b0a8b7
SHA256

0ed038ddd9478e825662f32d8e4be7505ae4c574867bb4bcaf356333e692918e
SHA512

c00bd08c2e92b2e11a6f5a42246ac6b07ada9f368d9aff4c5405c2f3b6662e196defbc6b4ccc3e8462578e21ac397204ae9241b5548d1da92a933f6d6c0e43e2
SSDEEP

3072:jEGh0osl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGylEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{74623187-E499-4dad-A106-DCEEC735CE80}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{654BFE2C-B1C3-4c30-8CCF-9A1D9384CF84}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{74623187-E499-4dad-A106-DCEEC735CE80}.exe{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{372E75EA-CF86-47b5-B3FF-E126020C1B69}\stubpath = "C:\\Windows\\{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe"	{74623187-E499-4dad-A106-DCEEC735CE80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72BC861C-04BE-49c5-A708-6CC90CDAB91E}	{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72BC861C-04BE-49c5-A708-6CC90CDAB91E}\stubpath = "C:\\Windows\\{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe"	{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E4D3C6B-F863-42a1-9840-37497B22355A}	{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}\stubpath = "C:\\Windows\\{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe"	{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74623187-E499-4dad-A106-DCEEC735CE80}\stubpath = "C:\\Windows\\{74623187-E499-4dad-A106-DCEEC735CE80}.exe"	{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}	{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}	{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95DFFAF8-F6CC-4125-AB95-A155A8186526}\stubpath = "C:\\Windows\\{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe"	{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C01842AD-0F2D-4f71-929D-67E63FD14D1F}\stubpath = "C:\\Windows\\{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe"	{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{654BFE2C-B1C3-4c30-8CCF-9A1D9384CF84}	{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}	{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{311C6C9F-9B40-46d8-87E0-92E503F59A75}\stubpath = "C:\\Windows\\{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe"	{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}\stubpath = "C:\\Windows\\{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe"	{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95DFFAF8-F6CC-4125-AB95-A155A8186526}	{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C01842AD-0F2D-4f71-929D-67E63FD14D1F}	{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{654BFE2C-B1C3-4c30-8CCF-9A1D9384CF84}\stubpath = "C:\\Windows\\{654BFE2C-B1C3-4c30-8CCF-9A1D9384CF84}.exe"	{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}\stubpath = "C:\\Windows\\{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe"	{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{311C6C9F-9B40-46d8-87E0-92E503F59A75}	{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E4D3C6B-F863-42a1-9840-37497B22355A}\stubpath = "C:\\Windows\\{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe"	{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}\stubpath = "C:\\Windows\\{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe"	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74623187-E499-4dad-A106-DCEEC735CE80}	{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{372E75EA-CF86-47b5-B3FF-E126020C1B69}	{74623187-E499-4dad-A106-DCEEC735CE80}.exe

Executes dropped EXE 12 IoCs

Processes:

{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe{74623187-E499-4dad-A106-DCEEC735CE80}.exe{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe{654BFE2C-B1C3-4c30-8CCF-9A1D9384CF84}.exe

pid	process
4940	{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe
4932	{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe
4764	{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe
4076	{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe
3204	{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe
4120	{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe
4916	{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe
4100	{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe
4720	{74623187-E499-4dad-A106-DCEEC735CE80}.exe
4540	{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe
828	{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe
4952	{654BFE2C-B1C3-4c30-8CCF-9A1D9384CF84}.exe

Drops file in Windows directory 12 IoCs

Processes:

{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe{74623187-E499-4dad-A106-DCEEC735CE80}.exe2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe

description	ioc	process
File created	C:\Windows\{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe	{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe
File created	C:\Windows\{74623187-E499-4dad-A106-DCEEC735CE80}.exe	{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe
File created	C:\Windows\{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe	{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe
File created	C:\Windows\{654BFE2C-B1C3-4c30-8CCF-9A1D9384CF84}.exe	{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe
File created	C:\Windows\{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe	{74623187-E499-4dad-A106-DCEEC735CE80}.exe
File created	C:\Windows\{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe
File created	C:\Windows\{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe	{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe
File created	C:\Windows\{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe	{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe
File created	C:\Windows\{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe	{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe
File created	C:\Windows\{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe	{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe
File created	C:\Windows\{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe	{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe
File created	C:\Windows\{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe	{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe{74623187-E499-4dad-A106-DCEEC735CE80}.exe{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4064	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4940	{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe
Token: SeIncBasePriorityPrivilege	4932	{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe
Token: SeIncBasePriorityPrivilege	4764	{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe
Token: SeIncBasePriorityPrivilege	4076	{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe
Token: SeIncBasePriorityPrivilege	3204	{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe
Token: SeIncBasePriorityPrivilege	4120	{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe
Token: SeIncBasePriorityPrivilege	4916	{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe
Token: SeIncBasePriorityPrivilege	4100	{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe
Token: SeIncBasePriorityPrivilege	4720	{74623187-E499-4dad-A106-DCEEC735CE80}.exe
Token: SeIncBasePriorityPrivilege	4540	{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe
Token: SeIncBasePriorityPrivilege	828	{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4064 wrote to memory of 4940	4064	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe	{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe
PID 4064 wrote to memory of 4940	4064	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe	{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe
PID 4064 wrote to memory of 4940	4064	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe	{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe
PID 4064 wrote to memory of 4504	4064	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe	cmd.exe
PID 4064 wrote to memory of 4504	4064	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe	cmd.exe
PID 4064 wrote to memory of 4504	4064	2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe	cmd.exe
PID 4940 wrote to memory of 4932	4940	{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe	{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe
PID 4940 wrote to memory of 4932	4940	{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe	{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe
PID 4940 wrote to memory of 4932	4940	{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe	{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe
PID 4940 wrote to memory of 4752	4940	{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe	cmd.exe
PID 4940 wrote to memory of 4752	4940	{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe	cmd.exe
PID 4940 wrote to memory of 4752	4940	{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe	cmd.exe
PID 4932 wrote to memory of 4764	4932	{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe	{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe
PID 4932 wrote to memory of 4764	4932	{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe	{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe
PID 4932 wrote to memory of 4764	4932	{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe	{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe
PID 4932 wrote to memory of 2304	4932	{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe	cmd.exe
PID 4932 wrote to memory of 2304	4932	{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe	cmd.exe
PID 4932 wrote to memory of 2304	4932	{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe	cmd.exe
PID 4764 wrote to memory of 4076	4764	{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe	{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe
PID 4764 wrote to memory of 4076	4764	{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe	{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe
PID 4764 wrote to memory of 4076	4764	{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe	{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe
PID 4764 wrote to memory of 5000	4764	{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe	cmd.exe
PID 4764 wrote to memory of 5000	4764	{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe	cmd.exe
PID 4764 wrote to memory of 5000	4764	{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe	cmd.exe
PID 4076 wrote to memory of 3204	4076	{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe	{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe
PID 4076 wrote to memory of 3204	4076	{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe	{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe
PID 4076 wrote to memory of 3204	4076	{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe	{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe
PID 4076 wrote to memory of 5108	4076	{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe	cmd.exe
PID 4076 wrote to memory of 5108	4076	{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe	cmd.exe
PID 4076 wrote to memory of 5108	4076	{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe	cmd.exe
PID 3204 wrote to memory of 4120	3204	{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe	{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe
PID 3204 wrote to memory of 4120	3204	{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe	{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe
PID 3204 wrote to memory of 4120	3204	{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe	{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe
PID 3204 wrote to memory of 2400	3204	{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe	cmd.exe
PID 3204 wrote to memory of 2400	3204	{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe	cmd.exe
PID 3204 wrote to memory of 2400	3204	{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe	cmd.exe
PID 4120 wrote to memory of 4916	4120	{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe	{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe
PID 4120 wrote to memory of 4916	4120	{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe	{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe
PID 4120 wrote to memory of 4916	4120	{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe	{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe
PID 4120 wrote to memory of 3544	4120	{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe	cmd.exe
PID 4120 wrote to memory of 3544	4120	{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe	cmd.exe
PID 4120 wrote to memory of 3544	4120	{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe	cmd.exe
PID 4916 wrote to memory of 4100	4916	{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe	{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe
PID 4916 wrote to memory of 4100	4916	{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe	{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe
PID 4916 wrote to memory of 4100	4916	{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe	{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe
PID 4916 wrote to memory of 4072	4916	{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe	cmd.exe
PID 4916 wrote to memory of 4072	4916	{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe	cmd.exe
PID 4916 wrote to memory of 4072	4916	{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe	cmd.exe
PID 4100 wrote to memory of 4720	4100	{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe	{74623187-E499-4dad-A106-DCEEC735CE80}.exe
PID 4100 wrote to memory of 4720	4100	{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe	{74623187-E499-4dad-A106-DCEEC735CE80}.exe
PID 4100 wrote to memory of 4720	4100	{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe	{74623187-E499-4dad-A106-DCEEC735CE80}.exe
PID 4100 wrote to memory of 4588	4100	{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe	cmd.exe
PID 4100 wrote to memory of 4588	4100	{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe	cmd.exe
PID 4100 wrote to memory of 4588	4100	{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe	cmd.exe
PID 4720 wrote to memory of 4540	4720	{74623187-E499-4dad-A106-DCEEC735CE80}.exe	{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe
PID 4720 wrote to memory of 4540	4720	{74623187-E499-4dad-A106-DCEEC735CE80}.exe	{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe
PID 4720 wrote to memory of 4540	4720	{74623187-E499-4dad-A106-DCEEC735CE80}.exe	{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe
PID 4720 wrote to memory of 3180	4720	{74623187-E499-4dad-A106-DCEEC735CE80}.exe	cmd.exe
PID 4720 wrote to memory of 3180	4720	{74623187-E499-4dad-A106-DCEEC735CE80}.exe	cmd.exe
PID 4720 wrote to memory of 3180	4720	{74623187-E499-4dad-A106-DCEEC735CE80}.exe	cmd.exe
PID 4540 wrote to memory of 828	4540	{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe	{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe
PID 4540 wrote to memory of 828	4540	{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe	{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe
PID 4540 wrote to memory of 828	4540	{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe	{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe
PID 4540 wrote to memory of 2704	4540	{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_3828e76af810dc84052a5d4e7732ed6e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe
  C:\Windows\{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe
    C:\Windows\{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe
      C:\Windows\{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4764
    - - C:\Windows\{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe
        
        C:\Windows\{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
      - C:\Windows\{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe
        
        C:\Windows\{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe
        
        C:\Windows\{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe
        
        C:\Windows\{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe
        
        C:\Windows\{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\{74623187-E499-4dad-A106-DCEEC735CE80}.exe
        
        C:\Windows\{74623187-E499-4dad-A106-DCEEC735CE80}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe
        
        C:\Windows\{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe
        
        C:\Windows\{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\{654BFE2C-B1C3-4c30-8CCF-9A1D9384CF84}.exe
        
        C:\Windows\{654BFE2C-B1C3-4c30-8CCF-9A1D9384CF84}.exe
        13⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72BC8~1.EXE > nul
        13⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{372E7~1.EXE > nul
        12⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74623~1.EXE > nul
        11⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0184~1.EXE > nul
        10⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95DFF~1.EXE > nul
        9⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAEE4~1.EXE > nul
        8⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{081C1~1.EXE > nul
        7⤵
        
        PID:2400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E4D3~1.EXE > nul
        6⤵
        
        PID:5108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{311C6~1.EXE > nul
        5⤵
        
        PID:5000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0638B~1.EXE > nul
      4⤵
      PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7A5FC~1.EXE > nul
    3⤵
    PID:4752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0638BE67-8D0F-4163-B3CA-B4E347D43E6E}.exe

Filesize
197KB

MD5
446068bc73909597e2da6f670ede6734

SHA1
596926aefd33f7f0c5e110f93f11dd8cae0b3dab

SHA256
f1174a20453e8eb25dc1b6ea68f15ac600ab98d0d6448960b191164f08799bbe

SHA512
e57116722c8aef13d9730a49064290c23a1cd80f06f857dc56fd72022ec486c9dddbc148d99eba356dc30aa1d307ba6c92ea62b94323e56238ea7ee0bce709cc

Download Submit
C:\Windows\{081C1A21-A916-4fd1-A993-B4ECD8FFAF61}.exe

Filesize
197KB

MD5
283f855b620ac48d610b18c1cfa1f150

SHA1
629970dd6fedcc39a296fc0112cb88eb165634d5

SHA256
6044219819b19bf7de695e25f7586e1f87466e30df5717ef7dac8c999fa2841e

SHA512
0d105904a7b83f717059ef227bd01490087849942f513a7bf6d203aaf39b57cf619558e79167eaed104f979ec60370d9d6f16de4c103a9db262f5b4804a924c2

Download Submit
C:\Windows\{311C6C9F-9B40-46d8-87E0-92E503F59A75}.exe

Filesize
197KB

MD5
c8b9a153d0173219d92cb22f78292f1a

SHA1
58f28753e014e003b7be377434f56f735665d2c6

SHA256
0457912d3d76611079222991feb9f40138fdc55ca5b5ecdb9396fabfec94c585

SHA512
e561c70504d1f000c52f0e820d3e52f37edc9861f3c09d5c17d4428079c84153703980a8ef1d24c3f7cbce4645cee52f7b9fdecf4b944a680ac688e2e0bfb079

Download Submit
C:\Windows\{372E75EA-CF86-47b5-B3FF-E126020C1B69}.exe

Filesize
197KB

MD5
1e1964865ce1ddaa004e0270e02eb4f1

SHA1
ccaece0b5e6f75c556ac172ae1500bf7dba6fd7f

SHA256
eed287e308d2fac21605a37f0e76a3ebd97410fe9e4c08090fde7c35da3ab0a9

SHA512
df9886fa9927f15c5820470b23301bed228ae3b1e2ac508f86e6340fd481f07262cc4d8636d6f806a74313d83dc2e6116e3a279157e60742c39c55cc119ea69b

Download Submit
C:\Windows\{654BFE2C-B1C3-4c30-8CCF-9A1D9384CF84}.exe

Filesize
197KB

MD5
99c208004289020065fe6c56719185a6

SHA1
8083b566254bf397987332432a2e3e590a1c4028

SHA256
5bdec5d03d33ce8e67ae2d9a4b78b44bb2f7359d4e65c1f8878f5fb8d436c32e

SHA512
89cc9dfd1dd34763359ae0cd0d2b048aaeb632ceb2b11303910f6520b39f402de5e28513aa7bd9125ed20a0206b209158ffa19dfc99892bcab9ce4e1ce8466c4

Download Submit
C:\Windows\{6E4D3C6B-F863-42a1-9840-37497B22355A}.exe

Filesize
197KB

MD5
b21ebf318a79f4f29411252f13e474ab

SHA1
95eb22884a6a22af68c2663eaa1764933c69b9c5

SHA256
8bf4aa6a0b9fb70b0e1480cd890a9ed642135446b0bb9aa6a48cdd28fdf9b62a

SHA512
4d88847e21cb8ab24a5fc5707d17d818381c0a378be8d74165f4cb22a9b6120825e7dbf39f00d155f3fa4ef6356754e1b214077f7956c2087b4ae0c6cd911301

Download Submit
C:\Windows\{72BC861C-04BE-49c5-A708-6CC90CDAB91E}.exe

Filesize
197KB

MD5
f872621c6672ab483271d184fc932b27

SHA1
15f7a81bd36c4c2c2db9a91e15310a6646e12071

SHA256
cde3ee93f2f0f25133dce1d5a85928c4297ff8a9f73bfcfcd6381796b95a8ead

SHA512
18bc8760bf960fdcb3da68d3ffad569e4c4294de08d042cb3452c227d334cd75a3088d3fbd677067e9f70d2c91a1de37738e208bfaa5dc74b6af9d19da228816

Download Submit
C:\Windows\{74623187-E499-4dad-A106-DCEEC735CE80}.exe

Filesize
197KB

MD5
0687124601cd22fb1572dfd8034781c0

SHA1
fb5c5d3adc3b8131862ac6fcf4aa49c5f423e6b7

SHA256
70e9cfb5d1bdf360fcda188d4e625e1c4eca76369418744e3482236abf67d4f3

SHA512
466a426096ae83d7f7c8259d9953c0554501192f04d5104074c6228e2b70a9181bfd50876e18e00c2571fae41b10ab3ed0f871449e2f23bc415e3cff7cb52504

Download Submit
C:\Windows\{7A5FC5AB-7909-490d-9C7C-583B8668D6CB}.exe

Filesize
197KB

MD5
f3dc579d338e0a9a0b7b3b391fca552a

SHA1
0e1195d3eba7392b3c0c68a74de930d9d5fdd1eb

SHA256
819371ee81b394f2de47d4abaf3a683fc805c22193405f8f7d119301c270d90e

SHA512
b0f8ce18365d3eaff130b77231ef1acc172d41ba1de650dc2df74a803e4acd00d4cb12f4aa377217d171a38a479d9bb6b926913ee90a3021fdfd6b72f2f0b138

Download Submit
C:\Windows\{95DFFAF8-F6CC-4125-AB95-A155A8186526}.exe

Filesize
197KB

MD5
eba2de462a6eb24d48afc59f8968ae3e

SHA1
70ffcabcf9f127ea0cb16b1fedc5635cc5ab998a

SHA256
466e56b9511d5bb13f8966ed0749373d32f49abd6e7c15bb021dff778ed90012

SHA512
0dfef8f61a2939187f328136bf27fcbe9f8e44df0b432b90d9a1abbc47939a65f828ceee3414cd8a1c85f235d1a0ece0a93a783f58065e4157d14baae86f6683

Download Submit
C:\Windows\{C01842AD-0F2D-4f71-929D-67E63FD14D1F}.exe

Filesize
197KB

MD5
2412b0607a69783afce02a6b418fd3c3

SHA1
47aa37196c84c1daefafd0a90c9d2db3998efbd4

SHA256
2267a5b4466f42d9bddc976a855b489727cfdb8bd00fe7eeff6e9ff92578de2f

SHA512
640048d648435fd44f54e2b6c5c21cb4f941a642fb58ff1b13aa7cd176ac7cd5c11e7ee8502e53b686b89e97016d5523fae3ea6d480791375121f4bc9a4b2362

Download Submit
C:\Windows\{DAEE4BE7-E1B4-4818-A37E-1E538F00C60A}.exe

Filesize
197KB

MD5
431a06030303bfa1b061bce581adf107

SHA1
e9bd08db19aff67fad9b5a9d1f2cb20cd3a4a3a9

SHA256
4029953f2bd69da6507a0a7db9f7447c02ddd57f768aac3ca2b172ae08a8700c

SHA512
15dda7971cf71700b0bea83e6d2c76fd85ce862b3fe6d8784254bc916edad4774c5d7522f15e7874b633d7b9161a1d9437a1593fa02d572475d8d5a16d485cfc

Download Submit