348aed7ababcf46e2edbb63cd09164bbde1a308e050f4b8adf2591c9f3c2eb91

Analysis

max time kernel
149s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe
Size

408KB
MD5

5bff720a0d116999389eed5fa08da62d
SHA1

448bef2748b57b67e8f73c2645e82c140a951af3
SHA256

348aed7ababcf46e2edbb63cd09164bbde1a308e050f4b8adf2591c9f3c2eb91
SHA512

74cd906385c4f7e418f6973e0695e98906b018b22c4b1eab5006a33099cba403957ad30afb1bc69f47a5b8db957b3978f1d650e43045b86d25531d1550c9048a
SSDEEP

3072:CEGh0oQl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGWldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7C256782-7CA9-4f55-8A16-9C72652A60E0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}\stubpath = "C:\\Windows\\{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe"	{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00446FAE-2FF5-420f-9C9C-183C6A6A489E}\stubpath = "C:\\Windows\\{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe"	{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}	{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}\stubpath = "C:\\Windows\\{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe"	{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C256782-7CA9-4f55-8A16-9C72652A60E0}	{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6973E782-A205-4baa-B476-D8971A6C8B5A}\stubpath = "C:\\Windows\\{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe"	{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C7A8B72-23CD-4114-977D-E4587F9AAA81}	{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C7A8B72-23CD-4114-977D-E4587F9AAA81}\stubpath = "C:\\Windows\\{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe"	{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}	{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C256782-7CA9-4f55-8A16-9C72652A60E0}\stubpath = "C:\\Windows\\{7C256782-7CA9-4f55-8A16-9C72652A60E0}.exe"	{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}	{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}	{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}	{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}\stubpath = "C:\\Windows\\{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe"	{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94DC0A26-B91C-4480-9AC8-20C484AD9697}\stubpath = "C:\\Windows\\{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe"	{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB9D77C6-56BD-475c-85A9-0B93B232A457}	{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB9D77C6-56BD-475c-85A9-0B93B232A457}\stubpath = "C:\\Windows\\{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe"	{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA4C0009-21FE-478e-869D-9FD2523C7EC8}\stubpath = "C:\\Windows\\{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe"	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6973E782-A205-4baa-B476-D8971A6C8B5A}	{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}\stubpath = "C:\\Windows\\{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe"	{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94DC0A26-B91C-4480-9AC8-20C484AD9697}	{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA4C0009-21FE-478e-869D-9FD2523C7EC8}	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}\stubpath = "C:\\Windows\\{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe"	{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00446FAE-2FF5-420f-9C9C-183C6A6A489E}	{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe

Executes dropped EXE 12 IoCs

Processes:

{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe{7C256782-7CA9-4f55-8A16-9C72652A60E0}.exe

pid	process
4232	{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe
412	{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe
4460	{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe
4468	{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe
4288	{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe
4220	{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe
4900	{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe
4332	{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe
3840	{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe
4576	{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe
5080	{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe
4416	{7C256782-7CA9-4f55-8A16-9C72652A60E0}.exe

Drops file in Windows directory 12 IoCs

Processes:

{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe

description	ioc	process
File created	C:\Windows\{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe	{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe
File created	C:\Windows\{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe	{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe
File created	C:\Windows\{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe	{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe
File created	C:\Windows\{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe	{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe
File created	C:\Windows\{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe	{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe
File created	C:\Windows\{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe	{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe
File created	C:\Windows\{7C256782-7CA9-4f55-8A16-9C72652A60E0}.exe	{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe
File created	C:\Windows\{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe
File created	C:\Windows\{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe	{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe
File created	C:\Windows\{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe	{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe
File created	C:\Windows\{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe	{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe
File created	C:\Windows\{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe	{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	384	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4232	{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe
Token: SeIncBasePriorityPrivilege	412	{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe
Token: SeIncBasePriorityPrivilege	4460	{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe
Token: SeIncBasePriorityPrivilege	4468	{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe
Token: SeIncBasePriorityPrivilege	4288	{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe
Token: SeIncBasePriorityPrivilege	4220	{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe
Token: SeIncBasePriorityPrivilege	4900	{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe
Token: SeIncBasePriorityPrivilege	4332	{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe
Token: SeIncBasePriorityPrivilege	3840	{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe
Token: SeIncBasePriorityPrivilege	4576	{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe
Token: SeIncBasePriorityPrivilege	5080	{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 384 wrote to memory of 4232	384	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe	{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe
PID 384 wrote to memory of 4232	384	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe	{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe
PID 384 wrote to memory of 4232	384	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe	{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe
PID 384 wrote to memory of 464	384	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe	cmd.exe
PID 384 wrote to memory of 464	384	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe	cmd.exe
PID 384 wrote to memory of 464	384	2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe	cmd.exe
PID 4232 wrote to memory of 412	4232	{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe	{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe
PID 4232 wrote to memory of 412	4232	{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe	{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe
PID 4232 wrote to memory of 412	4232	{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe	{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe
PID 4232 wrote to memory of 5072	4232	{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe	cmd.exe
PID 4232 wrote to memory of 5072	4232	{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe	cmd.exe
PID 4232 wrote to memory of 5072	4232	{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe	cmd.exe
PID 412 wrote to memory of 4460	412	{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe	{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe
PID 412 wrote to memory of 4460	412	{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe	{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe
PID 412 wrote to memory of 4460	412	{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe	{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe
PID 412 wrote to memory of 4228	412	{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe	cmd.exe
PID 412 wrote to memory of 4228	412	{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe	cmd.exe
PID 412 wrote to memory of 4228	412	{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe	cmd.exe
PID 4460 wrote to memory of 4468	4460	{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe	{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe
PID 4460 wrote to memory of 4468	4460	{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe	{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe
PID 4460 wrote to memory of 4468	4460	{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe	{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe
PID 4460 wrote to memory of 4736	4460	{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe	cmd.exe
PID 4460 wrote to memory of 4736	4460	{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe	cmd.exe
PID 4460 wrote to memory of 4736	4460	{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe	cmd.exe
PID 4468 wrote to memory of 4288	4468	{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe	{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe
PID 4468 wrote to memory of 4288	4468	{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe	{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe
PID 4468 wrote to memory of 4288	4468	{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe	{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe
PID 4468 wrote to memory of 3800	4468	{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe	cmd.exe
PID 4468 wrote to memory of 3800	4468	{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe	cmd.exe
PID 4468 wrote to memory of 3800	4468	{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe	cmd.exe
PID 4288 wrote to memory of 4220	4288	{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe	{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe
PID 4288 wrote to memory of 4220	4288	{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe	{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe
PID 4288 wrote to memory of 4220	4288	{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe	{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe
PID 4288 wrote to memory of 1748	4288	{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe	cmd.exe
PID 4288 wrote to memory of 1748	4288	{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe	cmd.exe
PID 4288 wrote to memory of 1748	4288	{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe	cmd.exe
PID 4220 wrote to memory of 4900	4220	{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe	{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe
PID 4220 wrote to memory of 4900	4220	{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe	{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe
PID 4220 wrote to memory of 4900	4220	{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe	{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe
PID 4220 wrote to memory of 1684	4220	{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe	cmd.exe
PID 4220 wrote to memory of 1684	4220	{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe	cmd.exe
PID 4220 wrote to memory of 1684	4220	{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe	cmd.exe
PID 4900 wrote to memory of 4332	4900	{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe	{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe
PID 4900 wrote to memory of 4332	4900	{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe	{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe
PID 4900 wrote to memory of 4332	4900	{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe	{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe
PID 4900 wrote to memory of 2496	4900	{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe	cmd.exe
PID 4900 wrote to memory of 2496	4900	{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe	cmd.exe
PID 4900 wrote to memory of 2496	4900	{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe	cmd.exe
PID 4332 wrote to memory of 3840	4332	{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe	{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe
PID 4332 wrote to memory of 3840	4332	{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe	{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe
PID 4332 wrote to memory of 3840	4332	{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe	{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe
PID 4332 wrote to memory of 4280	4332	{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe	cmd.exe
PID 4332 wrote to memory of 4280	4332	{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe	cmd.exe
PID 4332 wrote to memory of 4280	4332	{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe	cmd.exe
PID 3840 wrote to memory of 4576	3840	{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe	{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe
PID 3840 wrote to memory of 4576	3840	{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe	{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe
PID 3840 wrote to memory of 4576	3840	{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe	{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe
PID 3840 wrote to memory of 4028	3840	{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe	cmd.exe
PID 3840 wrote to memory of 4028	3840	{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe	cmd.exe
PID 3840 wrote to memory of 4028	3840	{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe	cmd.exe
PID 4576 wrote to memory of 5080	4576	{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe	{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe
PID 4576 wrote to memory of 5080	4576	{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe	{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe
PID 4576 wrote to memory of 5080	4576	{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe	{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe
PID 4576 wrote to memory of 3844	4576	{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_5bff720a0d116999389eed5fa08da62d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe
C:\Windows\{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe
C:\Windows\{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe
C:\Windows\{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe
C:\Windows\{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe
C:\Windows\{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe
C:\Windows\{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe
C:\Windows\{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe
C:\Windows\{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe
C:\Windows\{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe
C:\Windows\{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe
C:\Windows\{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\{7C256782-7CA9-4f55-8A16-9C72652A60E0}.exe
C:\Windows\{7C256782-7CA9-4f55-8A16-9C72652A60E0}.exe
13⤵
- Executes dropped EXE
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DB9D7~1.EXE > nul
13⤵
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{94DC0~1.EXE > nul
12⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3BCB9~1.EXE > nul
11⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{00446~1.EXE > nul
10⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6CE34~1.EXE > nul
9⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{756AD~1.EXE > nul
8⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{63EE9~1.EXE > nul
7⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0C7A8~1.EXE > nul
6⤵
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6973E~1.EXE > nul
5⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{35BA9~1.EXE > nul
4⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DA4C0~1.EXE > nul
3⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:464

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00446FAE-2FF5-420f-9C9C-183C6A6A489E}.exe
Filesize
408KB

MD5
a113e9f0a8f62b5109655d5d7fac66c1

SHA1
599f79d62a5a08bea04e9ef711d2be409cafdf13

SHA256
1e0a82b482b55998c85959fd8a1a8c45607e158750a0573255a11435a194df05

SHA512
65ef5327d1e0ae5a42ea8f4b19f66d61d336807c41129166f53a8b0de7efbe494b6c3a888cb967d3cc5f0cb1f015579bfdfb563b89f73d5a61b75993ed289c64

Download Submit
C:\Windows\{0C7A8B72-23CD-4114-977D-E4587F9AAA81}.exe
Filesize
408KB

MD5
436a2c55b1690e089707a9b9f9fdcae0

SHA1
a551e2b51a6a6833fa9a1b977e06743df62b8c44

SHA256
1419b9b25f9836983e7a51888e9ebed7839ccd84681bed7a52276985c36d71e9

SHA512
015cba2964029ebd74d28dd0506553b5ff51d9b0dc0eccf7f772feffd7c67e8bcfcba02eb60b8d04953860154f132fc80385fba0f2efc0a20be130dc06992753

Download Submit
C:\Windows\{35BA9689-4AED-4e6c-B1E7-0CD9185DDEF1}.exe
Filesize
408KB

MD5
0e01453d042bc26738976ac5cc59a1ae

SHA1
c59bed6d5e4daed22bec0068c270634d92db76ec

SHA256
e20ad1ed394816a7b3e3719e0e8e2b08c043fff6a0430212a6b2039609cd7536

SHA512
ed591b4568a2b84a39f7e372a4a81cc1d3e75cc3a3c0a70a077df44b98d53e7c077c5a5548c255b9fe0fe44bc11d12266a39b2d0f7eb5c53037a3695ef438645

Download Submit
C:\Windows\{3BCB9458-BE98-4e0c-9C6A-0C66933BF382}.exe
Filesize
408KB

MD5
aff3eccfe9441a41e1bbadece14aa196

SHA1
37058a1e5be09cc53841ba5ee3770022f496e19c

SHA256
5ca3b465b9025e0626d980c56a38a0bc4dd640f0aa2f2aa2f1c0d6300d3113f0

SHA512
4fd9dfffd232f35fafbec31cc344f144a54fda4f66d472fbad4aab7948aabcbd90c325066d0332e378cc374ea7542d49895e86d6f596f260dadac1fc9c55c549

Download Submit
C:\Windows\{63EE92BA-E478-4260-AA33-E2FECDE7ABF3}.exe
Filesize
408KB

MD5
b3e8757e28ad67cc024ff4f47609e3e0

SHA1
a01bff6d419421bc6a83fcbe6d511a849506b034

SHA256
aef554f7c3e40b8568760a793b494cbd43fb64bd171189311ee13c6478b42d71

SHA512
7e93ee6f38b391817a982a1bfcfadd041c249501327119add1601530c8458ba769f793526b50807aa112848bc91fc820e746bc02383378304d2313a7a32bcad3

Download Submit
C:\Windows\{6973E782-A205-4baa-B476-D8971A6C8B5A}.exe
Filesize
408KB

MD5
e2322acf3e311639454b103dca189568

SHA1
e93a5c40d62193ef2bafc3a019cf8e98e233c11b

SHA256
e8c57a2abf15064fdbffa5111e85e9c93c4f10f744854ecc07709838a7ec271c

SHA512
c0fe25d511cbf38d2b8b62e7d59eb7545e2e2bc507bda868cdd4821c18eb080db56d5002308b6bb2e46bd298fe671320c422f16db222a13dc81e17f539c82565

Download Submit
C:\Windows\{6CE34E35-7EFB-4d74-9FE6-F7970DD7BE29}.exe
Filesize
408KB

MD5
7eccc6725a97a233d2719a4fbdfd34ca

SHA1
b2a1275ddf6e1d243d37087d7f1b2412ef2964ef

SHA256
66f82ecb03a40b46e887521c853a664ea98d1b89977ae60df155d6e21f65b37c

SHA512
2857e14ceb19d7b9e95c98857b2d085332a56f2b2ec617db9fd8abe9d23dc9addf338822c263646b5830718774b0a8de092d4e1b62fe2f8d16e04f0660d3027c

Download Submit
C:\Windows\{756AD94A-6C3B-4d0b-A83D-0EFF78693DC6}.exe
Filesize
408KB

MD5
bdd9ac05fb8d7ef2bfd2a52d5874845d

SHA1
7086a99233875b64116e021b9b4d17783328b91f

SHA256
73151ba029b6890f3f7b9ae17878b17a2f414e0d5f493ab641620d9089a7a05c

SHA512
1cfa23a879a079981986627173e98b391e72043a2959428877d17307c77e316fa6df9092cd9471578f9859fa287a48ae851ce9dbcb1550578b566a00afc16910

Download Submit
C:\Windows\{7C256782-7CA9-4f55-8A16-9C72652A60E0}.exe
Filesize
408KB

MD5
bd97ced27056d08be6666fef361f7eee

SHA1
247d9bb84d3b7e32dd1a48a27a17098c8cf94c61

SHA256
218efab59e92102bb71c5b6f0a944d90cd89b1288727c2a1b95c2a5904a5e513

SHA512
97a60f83ffb0fdabc6fb450ada39ca2c8f688a0e801bb54366d6f096dc4636440ef89a44559fecb1635988f78eb82ad0a2b773659545afdbc1892828f7b5e7e2

Download Submit
C:\Windows\{94DC0A26-B91C-4480-9AC8-20C484AD9697}.exe
Filesize
408KB

MD5
5dd90c136fd5be2081b2bc72344c84c3

SHA1
81350931860fa4242785ba8e0001558fa7c43cc5

SHA256
e902ca1ce54b3c226b24994585ad204529da0525866faa679e1ba64b5791c43c

SHA512
63b3bf7d08a784306149f0460b41759cfa700de1afa8db61aa5de6e8fc34f28ab12d2a01e71d18149183e360e2fc3beaabdec67fc6856515030943499b7cd5fd

Download Submit
C:\Windows\{DA4C0009-21FE-478e-869D-9FD2523C7EC8}.exe
Filesize
408KB

MD5
dbfeb036597501c19b7a9eaaad662ed5

SHA1
f6bcb8db2a9b2e1bae2a4a14a5a639e6384a2dc8

SHA256
f91c49ecbe6c611cb3b5f2dd67dc3ee86ec9ecba6c4dc018d728418882b893c6

SHA512
25f9318d674f2a86e1a0cc2558c265b5402162834fc5322799af7f882099860dd88dce9f59177e1a2645127aacd41a2692b369528b18981c614c25d615a77791

Download Submit
C:\Windows\{DB9D77C6-56BD-475c-85A9-0B93B232A457}.exe
Filesize
408KB

MD5
035edd2d502b32295d860f93e38c30c8

SHA1
b299a1f306e167cef1eaf2d06ca6a1623df66a26

SHA256
e6284c12012ec07d7c868d481c0322915ca8f62a859d2280b1564a6839980544

SHA512
7cf1b3231a054535991209ebf2487dfcdc095d02f87abab3954ecf60fbf0e48c29b1448a552acf4730d362406935158ed3598cbb6badf0ff74fd6a92fcbbe678

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads