10a9cb999ba12834fc841acd3948abb2dbfc6a546a9432c8b1b4baeb256958e3

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe
Size

180KB
MD5

9def2537d5484c36bb131b6f00691b69
SHA1

4cee1ebcfb15b0e63d43cb24bdd559b967a0f48e
SHA256

10a9cb999ba12834fc841acd3948abb2dbfc6a546a9432c8b1b4baeb256958e3
SHA512

f2a68138d56c318e564c88ed53f3552c3cddfb8b0188e2eb360b5770d4997d3555993eaa801b454e003aedf9d22701f29dfe48c240321ff9aad3b6c30ec4c5d3
SSDEEP

3072:jEGh0oXlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGBl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{486F4F7D-4C13-4351-B661-543607A2F98C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7B3EED53-28D2-4924-9635-A800F77505A5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8716C771-6EA7-4aae-89BB-899FD56E9F00}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{78FC61FF-4A8A-4f5c-9BB9-C8F129A97B1C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{7B3EED53-28D2-4924-9635-A800F77505A5}.exe{486F4F7D-4C13-4351-B661-543607A2F98C}.exe{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe{8716C771-6EA7-4aae-89BB-899FD56E9F00}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8716C771-6EA7-4aae-89BB-899FD56E9F00}	{7B3EED53-28D2-4924-9635-A800F77505A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE6C982E-DFEE-42fc-977A-187C5A7506CB}	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}\stubpath = "C:\\Windows\\{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe"	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D19A655-FC91-4ff9-96E9-DC44519E4F29}\stubpath = "C:\\Windows\\{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe"	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBA17853-3CDC-43ee-8E14-35638CC8BC30}	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B3EED53-28D2-4924-9635-A800F77505A5}\stubpath = "C:\\Windows\\{7B3EED53-28D2-4924-9635-A800F77505A5}.exe"	{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{486F4F7D-4C13-4351-B661-543607A2F98C}\stubpath = "C:\\Windows\\{486F4F7D-4C13-4351-B661-543607A2F98C}.exe"	2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24056AC1-AAB8-4cd0-9D45-63477F2380CD}\stubpath = "C:\\Windows\\{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe"	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D19A655-FC91-4ff9-96E9-DC44519E4F29}	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}\stubpath = "C:\\Windows\\{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe"	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBA17853-3CDC-43ee-8E14-35638CC8BC30}\stubpath = "C:\\Windows\\{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe"	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78FC61FF-4A8A-4f5c-9BB9-C8F129A97B1C}	{8716C771-6EA7-4aae-89BB-899FD56E9F00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78FC61FF-4A8A-4f5c-9BB9-C8F129A97B1C}\stubpath = "C:\\Windows\\{78FC61FF-4A8A-4f5c-9BB9-C8F129A97B1C}.exe"	{8716C771-6EA7-4aae-89BB-899FD56E9F00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{486F4F7D-4C13-4351-B661-543607A2F98C}	2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE6C982E-DFEE-42fc-977A-187C5A7506CB}\stubpath = "C:\\Windows\\{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe"	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8716C771-6EA7-4aae-89BB-899FD56E9F00}\stubpath = "C:\\Windows\\{8716C771-6EA7-4aae-89BB-899FD56E9F00}.exe"	{7B3EED53-28D2-4924-9635-A800F77505A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24056AC1-AAB8-4cd0-9D45-63477F2380CD}	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}\stubpath = "C:\\Windows\\{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe"	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B3EED53-28D2-4924-9635-A800F77505A5}	{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2520 cmd.exe

pid	process
2520	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{486F4F7D-4C13-4351-B661-543607A2F98C}.exe{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe{7B3EED53-28D2-4924-9635-A800F77505A5}.exe{8716C771-6EA7-4aae-89BB-899FD56E9F00}.exe{78FC61FF-4A8A-4f5c-9BB9-C8F129A97B1C}.exe

pid	process
3068	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe
2988	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe
2536	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe
856	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe
2780	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe
2252	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe
2300	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe
764	{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe
2460	{7B3EED53-28D2-4924-9635-A800F77505A5}.exe
2860	{8716C771-6EA7-4aae-89BB-899FD56E9F00}.exe
2160	{78FC61FF-4A8A-4f5c-9BB9-C8F129A97B1C}.exe

Drops file in Windows directory 11 IoCs

Processes:

{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe{8716C771-6EA7-4aae-89BB-899FD56E9F00}.exe2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe{486F4F7D-4C13-4351-B661-543607A2F98C}.exe{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe{7B3EED53-28D2-4924-9635-A800F77505A5}.exe

description	ioc	process
File created	C:\Windows\{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe
File created	C:\Windows\{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe
File created	C:\Windows\{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe
File created	C:\Windows\{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe
File created	C:\Windows\{7B3EED53-28D2-4924-9635-A800F77505A5}.exe	{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe
File created	C:\Windows\{78FC61FF-4A8A-4f5c-9BB9-C8F129A97B1C}.exe	{8716C771-6EA7-4aae-89BB-899FD56E9F00}.exe
File created	C:\Windows\{486F4F7D-4C13-4351-B661-543607A2F98C}.exe	2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe
File created	C:\Windows\{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe
File created	C:\Windows\{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe
File created	C:\Windows\{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe
File created	C:\Windows\{8716C771-6EA7-4aae-89BB-899FD56E9F00}.exe	{7B3EED53-28D2-4924-9635-A800F77505A5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe{486F4F7D-4C13-4351-B661-543607A2F98C}.exe{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe{7B3EED53-28D2-4924-9635-A800F77505A5}.exe{8716C771-6EA7-4aae-89BB-899FD56E9F00}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2100	2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3068	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe
Token: SeIncBasePriorityPrivilege	2988	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe
Token: SeIncBasePriorityPrivilege	2536	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe
Token: SeIncBasePriorityPrivilege	856	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe
Token: SeIncBasePriorityPrivilege	2780	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe
Token: SeIncBasePriorityPrivilege	2252	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe
Token: SeIncBasePriorityPrivilege	2300	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe
Token: SeIncBasePriorityPrivilege	764	{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe
Token: SeIncBasePriorityPrivilege	2460	{7B3EED53-28D2-4924-9635-A800F77505A5}.exe
Token: SeIncBasePriorityPrivilege	2860	{8716C771-6EA7-4aae-89BB-899FD56E9F00}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2100 wrote to memory of 3068	2100	2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe
PID 2100 wrote to memory of 3068	2100	2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe
PID 2100 wrote to memory of 3068	2100	2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe
PID 2100 wrote to memory of 3068	2100	2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe
PID 2100 wrote to memory of 2520	2100	2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe	cmd.exe
PID 2100 wrote to memory of 2520	2100	2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe	cmd.exe
PID 2100 wrote to memory of 2520	2100	2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe	cmd.exe
PID 2100 wrote to memory of 2520	2100	2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe	cmd.exe
PID 3068 wrote to memory of 2988	3068	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe
PID 3068 wrote to memory of 2988	3068	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe
PID 3068 wrote to memory of 2988	3068	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe
PID 3068 wrote to memory of 2988	3068	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe
PID 3068 wrote to memory of 2692	3068	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe	cmd.exe
PID 3068 wrote to memory of 2692	3068	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe	cmd.exe
PID 3068 wrote to memory of 2692	3068	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe	cmd.exe
PID 3068 wrote to memory of 2692	3068	{486F4F7D-4C13-4351-B661-543607A2F98C}.exe	cmd.exe
PID 2988 wrote to memory of 2536	2988	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe
PID 2988 wrote to memory of 2536	2988	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe
PID 2988 wrote to memory of 2536	2988	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe
PID 2988 wrote to memory of 2536	2988	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe
PID 2988 wrote to memory of 2672	2988	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe	cmd.exe
PID 2988 wrote to memory of 2672	2988	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe	cmd.exe
PID 2988 wrote to memory of 2672	2988	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe	cmd.exe
PID 2988 wrote to memory of 2672	2988	{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe	cmd.exe
PID 2536 wrote to memory of 856	2536	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe
PID 2536 wrote to memory of 856	2536	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe
PID 2536 wrote to memory of 856	2536	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe
PID 2536 wrote to memory of 856	2536	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe
PID 2536 wrote to memory of 2580	2536	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe	cmd.exe
PID 2536 wrote to memory of 2580	2536	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe	cmd.exe
PID 2536 wrote to memory of 2580	2536	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe	cmd.exe
PID 2536 wrote to memory of 2580	2536	{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe	cmd.exe
PID 856 wrote to memory of 2780	856	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe
PID 856 wrote to memory of 2780	856	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe
PID 856 wrote to memory of 2780	856	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe
PID 856 wrote to memory of 2780	856	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe
PID 856 wrote to memory of 2728	856	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe	cmd.exe
PID 856 wrote to memory of 2728	856	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe	cmd.exe
PID 856 wrote to memory of 2728	856	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe	cmd.exe
PID 856 wrote to memory of 2728	856	{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe	cmd.exe
PID 2780 wrote to memory of 2252	2780	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe
PID 2780 wrote to memory of 2252	2780	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe
PID 2780 wrote to memory of 2252	2780	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe
PID 2780 wrote to memory of 2252	2780	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe
PID 2780 wrote to memory of 2288	2780	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe	cmd.exe
PID 2780 wrote to memory of 2288	2780	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe	cmd.exe
PID 2780 wrote to memory of 2288	2780	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe	cmd.exe
PID 2780 wrote to memory of 2288	2780	{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe	cmd.exe
PID 2252 wrote to memory of 2300	2252	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe
PID 2252 wrote to memory of 2300	2252	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe
PID 2252 wrote to memory of 2300	2252	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe
PID 2252 wrote to memory of 2300	2252	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe
PID 2252 wrote to memory of 2760	2252	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe	cmd.exe
PID 2252 wrote to memory of 2760	2252	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe	cmd.exe
PID 2252 wrote to memory of 2760	2252	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe	cmd.exe
PID 2252 wrote to memory of 2760	2252	{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe	cmd.exe
PID 2300 wrote to memory of 764	2300	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe	{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe
PID 2300 wrote to memory of 764	2300	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe	{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe
PID 2300 wrote to memory of 764	2300	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe	{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe
PID 2300 wrote to memory of 764	2300	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe	{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe
PID 2300 wrote to memory of 1712	2300	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe	cmd.exe
PID 2300 wrote to memory of 1712	2300	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe	cmd.exe
PID 2300 wrote to memory of 1712	2300	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe	cmd.exe
PID 2300 wrote to memory of 1712	2300	{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_9def2537d5484c36bb131b6f00691b69_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\{486F4F7D-4C13-4351-B661-543607A2F98C}.exe
C:\Windows\{486F4F7D-4C13-4351-B661-543607A2F98C}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe
C:\Windows\{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe
C:\Windows\{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe
C:\Windows\{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe
C:\Windows\{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe
C:\Windows\{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe
C:\Windows\{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe
C:\Windows\{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\{7B3EED53-28D2-4924-9635-A800F77505A5}.exe
C:\Windows\{7B3EED53-28D2-4924-9635-A800F77505A5}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\{8716C771-6EA7-4aae-89BB-899FD56E9F00}.exe
C:\Windows\{8716C771-6EA7-4aae-89BB-899FD56E9F00}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\{78FC61FF-4A8A-4f5c-9BB9-C8F129A97B1C}.exe
C:\Windows\{78FC61FF-4A8A-4f5c-9BB9-C8F129A97B1C}.exe
12⤵
- Executes dropped EXE
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8716C~1.EXE > nul
12⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7B3EE~1.EXE > nul
11⤵
PID:488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EBA17~1.EXE > nul
10⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EC2B8~1.EXE > nul
9⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{79C8F~1.EXE > nul
8⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7D19A~1.EXE > nul
7⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{24056~1.EXE > nul
6⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CA24E~1.EXE > nul
5⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AE6C9~1.EXE > nul
4⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{486F4~1.EXE > nul
3⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24056AC1-AAB8-4cd0-9D45-63477F2380CD}.exe

Filesize
180KB

MD5
dd7c631bf68509672dda32cb698c1a94

SHA1
1089a341bde21ab1391b55d2ccc2e286263cb77b

SHA256
617f421d0f4f2e4f0136c0ae62930dd381fdb9aae09a6eec8e69edd4293cb600

SHA512
06c0242cd3cf5a87a05a3f8fd5818ed0404b830efbdbb81299057f0ab6cb3149d8c35f286ba2f31d9842d64990cdac3e34c7324c4efe6a5ad697f87aea1c2006

Download Submit
C:\Windows\{486F4F7D-4C13-4351-B661-543607A2F98C}.exe

Filesize
180KB

MD5
44ebaa6cb10338138481e125ad2119a4

SHA1
7e6358b9938a1fad4be9c2ecda499c9e760f2daa

SHA256
f19adbc8100c913e708bb7d72b9277e4caae00a5fb37b566ec5117da1d67e420

SHA512
11c9a26e0205a42a5158b7711c85132658d470e91dc1064d9f3f92439d0435eb284d8b8cf27847d78f40a9e2f8e533e8836bd2aebf3d18bfb1e6879c3a2e6e9d

Download Submit
C:\Windows\{78FC61FF-4A8A-4f5c-9BB9-C8F129A97B1C}.exe

Filesize
180KB

MD5
1cf969e200fe1ec4717f1739a2bb17ea

SHA1
853562fbd2518d2d94f0810fcf68ef47ed4d6baa

SHA256
358c566745378fd632bfa1554971bf34bcf3f5a2c333a6be659a823b9f478412

SHA512
88068f79fa9398dddab32b664a879fb9441f44ddcdcb5750eafaef18319dc65ed85531b769444785a27a4ed9308a301bc9dad19e90553fb78d8f6cde8c6acce3

Download Submit
C:\Windows\{79C8FBE2-F8F8-45b1-98EA-89C75D07A955}.exe

Filesize
180KB

MD5
77216fa044b023a5407d8fe6c1c3e8f2

SHA1
980af4fd8e5067f0e413feb42d59433bec088e9f

SHA256
46361a4350db2de26ce4f9f2d1c8460c4d9cb33fe6b28ccd9f684ba06c5ea3fa

SHA512
b06449f8cfb8d5465a44fb073f15134e78f6969087ea7ab965491a8a5ed391e63f4484285ca676b60541a20503df7e910a5dac47b53a8c95fc91d97f6d5241c5

Download Submit
C:\Windows\{7B3EED53-28D2-4924-9635-A800F77505A5}.exe

Filesize
180KB

MD5
bc3eec4be46c0b3e9446cc3d008e42ab

SHA1
e6c4988f03078793f74c4e816ae4e26597e0fd7c

SHA256
0fcdb8ebdf6a1ba08e269b2619ff0070613f28f158a9afe0d7fa9272c43f0563

SHA512
26fdc099fe726fbf6aa526ee41fc2c71fb61f1d45f1f3d1e2c0d6e740826ad2e29e90f917cdfeb787a6ab73878e369743b324d55a3f431afadbf708150463402

Download Submit
C:\Windows\{7D19A655-FC91-4ff9-96E9-DC44519E4F29}.exe

Filesize
180KB

MD5
1c90d94c5458d40435c051555505c10e

SHA1
f928f03d557177c1b4cef3688ee2ef20d4aeb3cb

SHA256
d7a5c895f123e27c54903ac5262494a0f6059dad1a11bd7467f439ec67b1ac25

SHA512
53642dd65487d7cd737cb2ae894cc19f53e2873a2c7318d51b4277a88b3d23ab504a6dc1ac07e1622ff3015c0536444ca1916545f093608d40ed5f5c56a3caac

Download Submit
C:\Windows\{8716C771-6EA7-4aae-89BB-899FD56E9F00}.exe

Filesize
180KB

MD5
0441ef2723a20afc82537192377de599

SHA1
25888f71ff53d665a6ad27c75000ff6e35fd6825

SHA256
dac6ec82ea23892225f9ea050eff65a89e790fddf516edbdedb4f94a8b0ee125

SHA512
52fe54f04cd4e02cd4a4f05f46143cf7449bacc7ca078b72dd4ccfedfcb1da375bc50dfc14fa15c22c9a90471419520b0b7172c8f5ca51d9798c9fc398c4a074

Download Submit
C:\Windows\{AE6C982E-DFEE-42fc-977A-187C5A7506CB}.exe

Filesize
180KB

MD5
7cf4a9b7a31a46bf2e07c48862e409cc

SHA1
1aa5a95fc6f187149b2a8547452e8bdfd72defae

SHA256
e9b973cb6e7810338c9e56c59982ce8d0c3fb7814948e92fba07a90d6372177f

SHA512
2307f5a8f1a7f325e4b28b5d8a3e5272afeccb924fc7c61867e8882b6b9cc8006af3548c54bca0d49edd430baeeb32798fbb0bf85d449b0fe8daafb885f87544

Download Submit
C:\Windows\{CA24E63E-611C-463f-B4C8-AA8E6A7386F3}.exe

Filesize
180KB

MD5
ac00ef361b2d2e7b8422ca72e8e6c514

SHA1
3114748df855a4fd4763685ac88a3ad8188b4078

SHA256
fd0b7769eadeb385b6be065bd2117c56d564c02d838ca37624f3832f92eddd3b

SHA512
3065e2ff452ca02ac6014291dde22d79649cb96310ad2af35e4673336c48f70f0d6e4b4062e47a0f393751ff88371e7ec35868cc7b6991da9910d29d41b49b2a

Download Submit
C:\Windows\{EBA17853-3CDC-43ee-8E14-35638CC8BC30}.exe

Filesize
180KB

MD5
b6489f27cf4ea067442d31f615c0f4e9

SHA1
4048bb4a9d2ebe986d3bd98e418c2ca54797e65c

SHA256
0cc5aec2b074692767f135db83aab576acee85e299ab10269b30e44ac80f7472

SHA512
bb2193510bc340f5cde673b321930ce67aa538c585597aa22c8a202a88571d6e00876c3f71d4bcee4b11245a644a786e91bc04b6dfc33ad0fabb11489a1dddb5

Download Submit
C:\Windows\{EC2B82B7-76B3-40fb-8C7C-9EB576EEA708}.exe

Filesize
180KB

MD5
da682e9fbb7c4d166459a8c4030f8aa5

SHA1
1d546cf27b7dcbeb9cacc17e0d3067437e7cbce4

SHA256
a35d63d32781ad16e04df3a3c9d941362ed3ba0663cbf5e701a55f28e1e4c3b8

SHA512
a42bf56d81f848dfa1db2ddbe99b6d448c9176abc5b341aadab0c01e205be1b716ded330d2bc835fbf31e1a5e39e1d182a5bfed48d93bb798e5374987c1fa268

Download Submit