c183d123b2330a79b5896051ae082e6e3b34e9f27c0275f17718d9b6f38ff094

Analysis

max time kernel
149s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe
Size

344KB
MD5

8ec1074d0c966760edd365860c93b42d
SHA1

4c9df09114993717e916be3462e3f6288f064adc
SHA256

c183d123b2330a79b5896051ae082e6e3b34e9f27c0275f17718d9b6f38ff094
SHA512

1eac1ef0720974a958e2a99d70bec42245840e2cfeccc5ffde7ca8477d38852aedf5c51d83d16fc75af90ca0d80a9924874092878a68c8a74e33933d6e747189
SSDEEP

3072:mEGh0oalEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGAlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{591FDE61-8501-4d67-A223-ED46A65B108B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3EA83818-4E22-4998-92F2-450A24991822}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{53B3F173-F678-4705-A991-064138B8507F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{23A379AD-86F4-4e81-A634-DD7A44194278}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5969A876-03D8-44d6-AE46-01DD67D77F9B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe{591FDE61-8501-4d67-A223-ED46A65B108B}.exe{23A379AD-86F4-4e81-A634-DD7A44194278}.exe2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe{53B3F173-F678-4705-A991-064138B8507F}.exe{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe{3EA83818-4E22-4998-92F2-450A24991822}.exe{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{591FDE61-8501-4d67-A223-ED46A65B108B}\stubpath = "C:\\Windows\\{591FDE61-8501-4d67-A223-ED46A65B108B}.exe"	{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}	{591FDE61-8501-4d67-A223-ED46A65B108B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}	{23A379AD-86F4-4e81-A634-DD7A44194278}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}\stubpath = "C:\\Windows\\{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe"	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90DB4621-889D-4ef1-8986-BF37E37E0D4E}\stubpath = "C:\\Windows\\{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe"	{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66050E70-9DD0-4d73-B975-D22D80D13B4A}\stubpath = "C:\\Windows\\{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe"	{53B3F173-F678-4705-A991-064138B8507F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}	{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}\stubpath = "C:\\Windows\\{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe"	{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A379AD-86F4-4e81-A634-DD7A44194278}	{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}\stubpath = "C:\\Windows\\{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe"	{23A379AD-86F4-4e81-A634-DD7A44194278}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90DB4621-889D-4ef1-8986-BF37E37E0D4E}	{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53B3F173-F678-4705-A991-064138B8507F}	{3EA83818-4E22-4998-92F2-450A24991822}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53B3F173-F678-4705-A991-064138B8507F}\stubpath = "C:\\Windows\\{53B3F173-F678-4705-A991-064138B8507F}.exe"	{3EA83818-4E22-4998-92F2-450A24991822}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B48B5697-625A-4a9c-ADAE-E2308A463ACE}\stubpath = "C:\\Windows\\{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe"	{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5969A876-03D8-44d6-AE46-01DD67D77F9B}\stubpath = "C:\\Windows\\{5969A876-03D8-44d6-AE46-01DD67D77F9B}.exe"	{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{591FDE61-8501-4d67-A223-ED46A65B108B}	{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A379AD-86F4-4e81-A634-DD7A44194278}\stubpath = "C:\\Windows\\{23A379AD-86F4-4e81-A634-DD7A44194278}.exe"	{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5969A876-03D8-44d6-AE46-01DD67D77F9B}	{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66050E70-9DD0-4d73-B975-D22D80D13B4A}	{53B3F173-F678-4705-A991-064138B8507F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B48B5697-625A-4a9c-ADAE-E2308A463ACE}	{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}\stubpath = "C:\\Windows\\{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe"	{591FDE61-8501-4d67-A223-ED46A65B108B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EA83818-4E22-4998-92F2-450A24991822}	{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EA83818-4E22-4998-92F2-450A24991822}\stubpath = "C:\\Windows\\{3EA83818-4E22-4998-92F2-450A24991822}.exe"	{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe

Executes dropped EXE 12 IoCs

Processes:

{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe{591FDE61-8501-4d67-A223-ED46A65B108B}.exe{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe{3EA83818-4E22-4998-92F2-450A24991822}.exe{53B3F173-F678-4705-A991-064138B8507F}.exe{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe{23A379AD-86F4-4e81-A634-DD7A44194278}.exe{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe{5969A876-03D8-44d6-AE46-01DD67D77F9B}.exe

pid	process
3144	{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe
812	{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe
2520	{591FDE61-8501-4d67-A223-ED46A65B108B}.exe
3044	{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe
3208	{3EA83818-4E22-4998-92F2-450A24991822}.exe
1820	{53B3F173-F678-4705-A991-064138B8507F}.exe
436	{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe
4316	{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe
4992	{23A379AD-86F4-4e81-A634-DD7A44194278}.exe
3352	{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe
4840	{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe
3480	{5969A876-03D8-44d6-AE46-01DD67D77F9B}.exe

Drops file in Windows directory 12 IoCs

Processes:

2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe{53B3F173-F678-4705-A991-064138B8507F}.exe{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe{23A379AD-86F4-4e81-A634-DD7A44194278}.exe{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe{591FDE61-8501-4d67-A223-ED46A65B108B}.exe{3EA83818-4E22-4998-92F2-450A24991822}.exe{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe

description	ioc	process
File created	C:\Windows\{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe
File created	C:\Windows\{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe	{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe
File created	C:\Windows\{3EA83818-4E22-4998-92F2-450A24991822}.exe	{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe
File created	C:\Windows\{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe	{53B3F173-F678-4705-A991-064138B8507F}.exe
File created	C:\Windows\{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe	{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe
File created	C:\Windows\{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe	{23A379AD-86F4-4e81-A634-DD7A44194278}.exe
File created	C:\Windows\{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe	{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe
File created	C:\Windows\{591FDE61-8501-4d67-A223-ED46A65B108B}.exe	{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe
File created	C:\Windows\{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe	{591FDE61-8501-4d67-A223-ED46A65B108B}.exe
File created	C:\Windows\{53B3F173-F678-4705-A991-064138B8507F}.exe	{3EA83818-4E22-4998-92F2-450A24991822}.exe
File created	C:\Windows\{23A379AD-86F4-4e81-A634-DD7A44194278}.exe	{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe
File created	C:\Windows\{5969A876-03D8-44d6-AE46-01DD67D77F9B}.exe	{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe{591FDE61-8501-4d67-A223-ED46A65B108B}.exe{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe{3EA83818-4E22-4998-92F2-450A24991822}.exe{53B3F173-F678-4705-A991-064138B8507F}.exe{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe{23A379AD-86F4-4e81-A634-DD7A44194278}.exe{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3352	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3144	{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe
Token: SeIncBasePriorityPrivilege	812	{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe
Token: SeIncBasePriorityPrivilege	2520	{591FDE61-8501-4d67-A223-ED46A65B108B}.exe
Token: SeIncBasePriorityPrivilege	3044	{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe
Token: SeIncBasePriorityPrivilege	3208	{3EA83818-4E22-4998-92F2-450A24991822}.exe
Token: SeIncBasePriorityPrivilege	1820	{53B3F173-F678-4705-A991-064138B8507F}.exe
Token: SeIncBasePriorityPrivilege	436	{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe
Token: SeIncBasePriorityPrivilege	4316	{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe
Token: SeIncBasePriorityPrivilege	4992	{23A379AD-86F4-4e81-A634-DD7A44194278}.exe
Token: SeIncBasePriorityPrivilege	3352	{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe
Token: SeIncBasePriorityPrivilege	4840	{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3352 wrote to memory of 3144	3352	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe	{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe
PID 3352 wrote to memory of 3144	3352	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe	{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe
PID 3352 wrote to memory of 3144	3352	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe	{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe
PID 3352 wrote to memory of 1648	3352	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe	cmd.exe
PID 3352 wrote to memory of 1648	3352	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe	cmd.exe
PID 3352 wrote to memory of 1648	3352	2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe	cmd.exe
PID 3144 wrote to memory of 812	3144	{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe	{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe
PID 3144 wrote to memory of 812	3144	{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe	{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe
PID 3144 wrote to memory of 812	3144	{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe	{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe
PID 3144 wrote to memory of 972	3144	{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe	cmd.exe
PID 3144 wrote to memory of 972	3144	{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe	cmd.exe
PID 3144 wrote to memory of 972	3144	{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe	cmd.exe
PID 812 wrote to memory of 2520	812	{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe	{591FDE61-8501-4d67-A223-ED46A65B108B}.exe
PID 812 wrote to memory of 2520	812	{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe	{591FDE61-8501-4d67-A223-ED46A65B108B}.exe
PID 812 wrote to memory of 2520	812	{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe	{591FDE61-8501-4d67-A223-ED46A65B108B}.exe
PID 812 wrote to memory of 1192	812	{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe	cmd.exe
PID 812 wrote to memory of 1192	812	{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe	cmd.exe
PID 812 wrote to memory of 1192	812	{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe	cmd.exe
PID 2520 wrote to memory of 3044	2520	{591FDE61-8501-4d67-A223-ED46A65B108B}.exe	{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe
PID 2520 wrote to memory of 3044	2520	{591FDE61-8501-4d67-A223-ED46A65B108B}.exe	{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe
PID 2520 wrote to memory of 3044	2520	{591FDE61-8501-4d67-A223-ED46A65B108B}.exe	{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe
PID 2520 wrote to memory of 1508	2520	{591FDE61-8501-4d67-A223-ED46A65B108B}.exe	cmd.exe
PID 2520 wrote to memory of 1508	2520	{591FDE61-8501-4d67-A223-ED46A65B108B}.exe	cmd.exe
PID 2520 wrote to memory of 1508	2520	{591FDE61-8501-4d67-A223-ED46A65B108B}.exe	cmd.exe
PID 3044 wrote to memory of 3208	3044	{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe	{3EA83818-4E22-4998-92F2-450A24991822}.exe
PID 3044 wrote to memory of 3208	3044	{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe	{3EA83818-4E22-4998-92F2-450A24991822}.exe
PID 3044 wrote to memory of 3208	3044	{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe	{3EA83818-4E22-4998-92F2-450A24991822}.exe
PID 3044 wrote to memory of 984	3044	{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe	cmd.exe
PID 3044 wrote to memory of 984	3044	{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe	cmd.exe
PID 3044 wrote to memory of 984	3044	{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe	cmd.exe
PID 3208 wrote to memory of 1820	3208	{3EA83818-4E22-4998-92F2-450A24991822}.exe	{53B3F173-F678-4705-A991-064138B8507F}.exe
PID 3208 wrote to memory of 1820	3208	{3EA83818-4E22-4998-92F2-450A24991822}.exe	{53B3F173-F678-4705-A991-064138B8507F}.exe
PID 3208 wrote to memory of 1820	3208	{3EA83818-4E22-4998-92F2-450A24991822}.exe	{53B3F173-F678-4705-A991-064138B8507F}.exe
PID 3208 wrote to memory of 3728	3208	{3EA83818-4E22-4998-92F2-450A24991822}.exe	cmd.exe
PID 3208 wrote to memory of 3728	3208	{3EA83818-4E22-4998-92F2-450A24991822}.exe	cmd.exe
PID 3208 wrote to memory of 3728	3208	{3EA83818-4E22-4998-92F2-450A24991822}.exe	cmd.exe
PID 1820 wrote to memory of 436	1820	{53B3F173-F678-4705-A991-064138B8507F}.exe	{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe
PID 1820 wrote to memory of 436	1820	{53B3F173-F678-4705-A991-064138B8507F}.exe	{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe
PID 1820 wrote to memory of 436	1820	{53B3F173-F678-4705-A991-064138B8507F}.exe	{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe
PID 1820 wrote to memory of 2396	1820	{53B3F173-F678-4705-A991-064138B8507F}.exe	cmd.exe
PID 1820 wrote to memory of 2396	1820	{53B3F173-F678-4705-A991-064138B8507F}.exe	cmd.exe
PID 1820 wrote to memory of 2396	1820	{53B3F173-F678-4705-A991-064138B8507F}.exe	cmd.exe
PID 436 wrote to memory of 4316	436	{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe	{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe
PID 436 wrote to memory of 4316	436	{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe	{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe
PID 436 wrote to memory of 4316	436	{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe	{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe
PID 436 wrote to memory of 4880	436	{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe	cmd.exe
PID 436 wrote to memory of 4880	436	{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe	cmd.exe
PID 436 wrote to memory of 4880	436	{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe	cmd.exe
PID 4316 wrote to memory of 4992	4316	{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe	{23A379AD-86F4-4e81-A634-DD7A44194278}.exe
PID 4316 wrote to memory of 4992	4316	{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe	{23A379AD-86F4-4e81-A634-DD7A44194278}.exe
PID 4316 wrote to memory of 4992	4316	{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe	{23A379AD-86F4-4e81-A634-DD7A44194278}.exe
PID 4316 wrote to memory of 3792	4316	{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe	cmd.exe
PID 4316 wrote to memory of 3792	4316	{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe	cmd.exe
PID 4316 wrote to memory of 3792	4316	{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe	cmd.exe
PID 4992 wrote to memory of 3352	4992	{23A379AD-86F4-4e81-A634-DD7A44194278}.exe	{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe
PID 4992 wrote to memory of 3352	4992	{23A379AD-86F4-4e81-A634-DD7A44194278}.exe	{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe
PID 4992 wrote to memory of 3352	4992	{23A379AD-86F4-4e81-A634-DD7A44194278}.exe	{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe
PID 4992 wrote to memory of 1648	4992	{23A379AD-86F4-4e81-A634-DD7A44194278}.exe	cmd.exe
PID 4992 wrote to memory of 1648	4992	{23A379AD-86F4-4e81-A634-DD7A44194278}.exe	cmd.exe
PID 4992 wrote to memory of 1648	4992	{23A379AD-86F4-4e81-A634-DD7A44194278}.exe	cmd.exe
PID 3352 wrote to memory of 4840	3352	{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe	{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe
PID 3352 wrote to memory of 4840	3352	{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe	{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe
PID 3352 wrote to memory of 4840	3352	{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe	{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe
PID 3352 wrote to memory of 1376	3352	{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_8ec1074d0c966760edd365860c93b42d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe
C:\Windows\{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe
C:\Windows\{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\{591FDE61-8501-4d67-A223-ED46A65B108B}.exe
C:\Windows\{591FDE61-8501-4d67-A223-ED46A65B108B}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe
C:\Windows\{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\{3EA83818-4E22-4998-92F2-450A24991822}.exe
C:\Windows\{3EA83818-4E22-4998-92F2-450A24991822}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\{53B3F173-F678-4705-A991-064138B8507F}.exe
C:\Windows\{53B3F173-F678-4705-A991-064138B8507F}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe
C:\Windows\{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe
C:\Windows\{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\{23A379AD-86F4-4e81-A634-DD7A44194278}.exe
C:\Windows\{23A379AD-86F4-4e81-A634-DD7A44194278}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe
C:\Windows\{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe
C:\Windows\{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\{5969A876-03D8-44d6-AE46-01DD67D77F9B}.exe
C:\Windows\{5969A876-03D8-44d6-AE46-01DD67D77F9B}.exe
13⤵
- Executes dropped EXE
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B48B5~1.EXE > nul
13⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{28C13~1.EXE > nul
12⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{23A37~1.EXE > nul
11⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F03F9~1.EXE > nul
10⤵
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{66050~1.EXE > nul
9⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{53B3F~1.EXE > nul
8⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3EA83~1.EXE > nul
7⤵
PID:3728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CB966~1.EXE > nul
6⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{591FD~1.EXE > nul
5⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{90DB4~1.EXE > nul
4⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{83FE6~1.EXE > nul
3⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23A379AD-86F4-4e81-A634-DD7A44194278}.exe
Filesize
344KB

MD5
41c3c0da2d620e4f65b16670cd015c79

SHA1
80eb726b82c55771bf7247664f8957c73a1730bc

SHA256
350bb410f22f283e2905d347f0c607b77a8837fb105b7833973a83d8d5428d49

SHA512
337d5f1f53492424809541e8a804e2d00d6051a214fad5c688dd559c7a8be562908e38a6c30627d05dfcfdddbee1a7b006f8feb5b660c4dfffa18b70e08e05c0

Download Submit
C:\Windows\{28C134EB-2F90-4b97-B71F-52BDFA3EBBD3}.exe
Filesize
344KB

MD5
ec2a2d709a73e9847f66d6547c321f29

SHA1
dc5126de51ed845c573a7de6540078a3a29d630d

SHA256
e054953da782bf4e48a2b4cd9459f3d9dd1a5cc8727486814151613479f52a1b

SHA512
258d54603863e74400a02133c27553288d1576a28f5292ceb707a6f5def55e486e1225e31cdaafbcd1232eeabbe7524a93e4a16992f32f8b7eb6bd50c02a79cc

Download Submit
C:\Windows\{3EA83818-4E22-4998-92F2-450A24991822}.exe
Filesize
344KB

MD5
83db6bf1fb659f6b6fcd1be6cb09a4a1

SHA1
caabeaab166cbecb3c7894eb1f823ddc12e192c4

SHA256
f9a6bb3f59c419461f65b6c64fa5cad3e9871a6810ccee4b696393c34db1611d

SHA512
273091571a4b9f9305e11b67a27110c7f43da04d85f2d326469caebc1b04874cbb736160f812b5fd1b79dcedac14dd22d4ffc920533ea1227b67dd44c98be62d

Download Submit
C:\Windows\{53B3F173-F678-4705-A991-064138B8507F}.exe
Filesize
344KB

MD5
3da540347929623c6eede9c02930aab2

SHA1
967e8061814395b6b3910ab871f08343c971cb71

SHA256
cc0cb58fde0520e8aa688717ef9fabdbb62c875c3a596057632de1d826ccf750

SHA512
5ab3853e8bf572016df4a5d2b27ba8b3df7555dbec35223591ba2c829e7f82c53145c1efb649a1becef4a370c3fbe8140a0bb0b9f86dc1d7dc29be9d09354933

Download Submit
C:\Windows\{591FDE61-8501-4d67-A223-ED46A65B108B}.exe
Filesize
344KB

MD5
1eb677d25dbc4cbf970d2f3023692bc4

SHA1
81576a6f0c6d19d6f166986103b73d9b366b845d

SHA256
79c0d9095059b680f94d437e52738524ae093607f81b9ea812b5bec82fcffda0

SHA512
e2b6c1800008774c7bfd695a4014c5879ae0d51a096ac2172bab556ff21ae63958ef74934e5b54864d36ebaeade26e3628767934cbc3656ebee9c585fca56cf9

Download Submit
C:\Windows\{5969A876-03D8-44d6-AE46-01DD67D77F9B}.exe
Filesize
344KB

MD5
50b60c6761a6f06dfc0f7c29cd3a571c

SHA1
d91b6f607a89c443b57acb08dd7acac2e9a0f9e0

SHA256
6e1328a9ead50ca035eac0db7928b89f7b2267080f411bfed9158cc83e432f95

SHA512
2de6f48fa697d3731635230cc656c07bf4cd4511b9a4b225f553f49c0eb5b3f7b47e6c59e8f832a5bfa48eb4d6dd77782154f9cee7d88b7023f7426fcffbc7d6

Download Submit
C:\Windows\{66050E70-9DD0-4d73-B975-D22D80D13B4A}.exe
Filesize
344KB

MD5
180e0d4306a4bfe259c050c76755a966

SHA1
f68b6d56f8cffe3c43eebc67e8ae050f5b5b3da4

SHA256
e2fd97992eb5622de624b821e8620b6b46f1aa5c3b0087dbb91dcdf59473df37

SHA512
9b448798092efd7eb7422dbe25943ce7c1c5f67e6dc16bd60ba295e581fdf6d390a5338a98613db74e34d5ce606e5ba1b476647cb659e522eed754a6f16c43f3

Download Submit
C:\Windows\{83FE6C53-C40D-454e-8BE4-0B7F954AD55A}.exe
Filesize
344KB

MD5
b4f1e72f4185623229cfc57447410a4b

SHA1
92950ea96128e7a55ca54710f4bd7bfd0353c563

SHA256
70b3ce7424a7c57c990ac338f7e1035237b3a749a0942abc23692fba2dbc99e5

SHA512
7cf357ccbf0298f3642d9b1e028decd05b83b4f7f2a3102ceb945b0978ee8d059368079ba0c243d4d91d07271fa71f129716aa73d6355a58f265baab0351a80a

Download Submit
C:\Windows\{90DB4621-889D-4ef1-8986-BF37E37E0D4E}.exe
Filesize
344KB

MD5
693e2a05aecd9bb3da66055aceb59333

SHA1
57ea09c4023c2598321c45bfea2caa6a827bfd5d

SHA256
b8797f3af5a68a95b9b875a4f1df22d546a4507222d155b361d81b8bc6e36330

SHA512
ae6ce85d7ed86f3773ca6608e3ae326b46856f7b03ff285a9a90b27002b86892ec72143e3cbd9db652e7529428d1a8472e96d53895f6a90ba3145141197aced1

Download Submit
C:\Windows\{B48B5697-625A-4a9c-ADAE-E2308A463ACE}.exe
Filesize
344KB

MD5
0e5c67daaaf804d7b1254e6b88aef7a3

SHA1
0b44162676f79001d3170f8c66dc0f30c7a2a55c

SHA256
4dbe1ff6b1e0da24423b6f59f45df91743b88068a623d5081d7d3706ad3be7ce

SHA512
2257460a2b8a0b3b7e59bb532e547be839563d618cdbfce389a789eb29aba6895387c274bb311508eb3b45adbb4c409e22fc5c1fb83ffcf2a2e810c832a20c2f

Download Submit
C:\Windows\{CB96642A-CDA2-4eaa-8BF5-BDDD7065B892}.exe
Filesize
344KB

MD5
edf37c69999a78e2a8835fda07cc1f79

SHA1
29cffafa4c210f245d75db158d34b9228a297895

SHA256
b1eec1e84f29ca3b29f0fcb8de8b1f0b8771e3b01c48e7cb2a8b1bed193e43a3

SHA512
c4eda74b2efdcc67e581d8ae17e73f224ced005de974cf5b2e4a98f4596c819ae02e917382a91dbaae285e687620e6187d0de39f1dbc4c9ac1d88fde7f9cb7b0

Download Submit
C:\Windows\{F03F94C3-5569-4f1a-8D50-3DD0AA7EA29A}.exe
Filesize
344KB

MD5
8efbb7cf96fea21f372202721b4c0890

SHA1
3f43ffbe89ff79c52544824158aaabeb5aace666

SHA256
f1b1ce8aa64e8fefab74d41cbfea85a585a656f82c7f8fec20e59b3684b3147d

SHA512
5f0935068eaf710a1e711e151c1cb3483c77a502d6873ce3f6ef412bb8f3f0b5fa6f48464f920c1173057c751dfd8e82a41c4c99b2842e35fd461ce6d87006df

Download Submit