5dc31b140a627a8191a3883ed171b137693f76cd3544942480d9304f551087e1

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe
Size

180KB
MD5

a77d647f9b70ef02833d0306d10ba5fd
SHA1

a85be9473ea65b2ceb6d8dda9e37c68b4094090a
SHA256

5dc31b140a627a8191a3883ed171b137693f76cd3544942480d9304f551087e1
SHA512

fc40e979ea70b8c93fdd49a31a30851c18e0e801602ecaa96b08133e3a53b8b841c63aaf2f779cb309d479a58a45f52bfb8bfff75b4732af1e7e1102274d0afa
SSDEEP

3072:jEGh0o0lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGGl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 10 IoCs

Processes:

resource	yara_rule
C:\Windows\{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C2601779-1A51-48bf-A037-21174D6361A7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3A231EE0-5DA7-435f-BD84-CDB107B80981}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe{C2601779-1A51-48bf-A037-21174D6361A7}.exe{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4A2989A-A18E-4775-880F-16761F0C1E17}\stubpath = "C:\\Windows\\{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe"	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDD9801F-C35E-4b2c-B93A-0F3C64412200}	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}\stubpath = "C:\\Windows\\{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe"	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{893DA21C-68DA-4604-B27C-F88E0AEA2573}\stubpath = "C:\\Windows\\{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe"	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}	{C2601779-1A51-48bf-A037-21174D6361A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}	{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}\stubpath = "C:\\Windows\\{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe"	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDD9801F-C35E-4b2c-B93A-0F3C64412200}\stubpath = "C:\\Windows\\{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe"	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2601779-1A51-48bf-A037-21174D6361A7}\stubpath = "C:\\Windows\\{C2601779-1A51-48bf-A037-21174D6361A7}.exe"	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4A2989A-A18E-4775-880F-16761F0C1E17}	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}\stubpath = "C:\\Windows\\{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe"	{C2601779-1A51-48bf-A037-21174D6361A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A231EE0-5DA7-435f-BD84-CDB107B80981}	{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}\stubpath = "C:\\Windows\\{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe"	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{893DA21C-68DA-4604-B27C-F88E0AEA2573}	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2601779-1A51-48bf-A037-21174D6361A7}	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}\stubpath = "C:\\Windows\\{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}.exe"	{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A231EE0-5DA7-435f-BD84-CDB107B80981}\stubpath = "C:\\Windows\\{3A231EE0-5DA7-435f-BD84-CDB107B80981}.exe"	{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1252 cmd.exe

pid	process
1252	cmd.exe

Executes dropped EXE 10 IoCs

Processes:

{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe{C2601779-1A51-48bf-A037-21174D6361A7}.exe{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}.exe{3A231EE0-5DA7-435f-BD84-CDB107B80981}.exe

pid	process
1296	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe
2248	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe
576	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe
1736	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe
1772	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe
1136	{C2601779-1A51-48bf-A037-21174D6361A7}.exe
2632	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe
2692	{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe
1836	{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}.exe
3024	{3A231EE0-5DA7-435f-BD84-CDB107B80981}.exe

Drops file in Windows directory 10 IoCs

Processes:

{C2601779-1A51-48bf-A037-21174D6361A7}.exe{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}.exe2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe

description	ioc	process
File created	C:\Windows\{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe	{C2601779-1A51-48bf-A037-21174D6361A7}.exe
File created	C:\Windows\{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe
File created	C:\Windows\{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}.exe	{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe
File created	C:\Windows\{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe
File created	C:\Windows\{C2601779-1A51-48bf-A037-21174D6361A7}.exe	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe
File created	C:\Windows\{3A231EE0-5DA7-435f-BD84-CDB107B80981}.exe	{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}.exe
File created	C:\Windows\{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe
File created	C:\Windows\{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe
File created	C:\Windows\{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe
File created	C:\Windows\{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe{C2601779-1A51-48bf-A037-21174D6361A7}.exe{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2240	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1296	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe
Token: SeIncBasePriorityPrivilege	2248	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe
Token: SeIncBasePriorityPrivilege	576	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe
Token: SeIncBasePriorityPrivilege	1736	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe
Token: SeIncBasePriorityPrivilege	1772	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe
Token: SeIncBasePriorityPrivilege	1136	{C2601779-1A51-48bf-A037-21174D6361A7}.exe
Token: SeIncBasePriorityPrivilege	2632	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe
Token: SeIncBasePriorityPrivilege	2692	{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe
Token: SeIncBasePriorityPrivilege	1836	{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2240 wrote to memory of 1296	2240	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe
PID 2240 wrote to memory of 1296	2240	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe
PID 2240 wrote to memory of 1296	2240	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe
PID 2240 wrote to memory of 1296	2240	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe
PID 2240 wrote to memory of 1252	2240	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe	cmd.exe
PID 2240 wrote to memory of 1252	2240	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe	cmd.exe
PID 2240 wrote to memory of 1252	2240	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe	cmd.exe
PID 2240 wrote to memory of 1252	2240	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe	cmd.exe
PID 1296 wrote to memory of 2248	1296	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe
PID 1296 wrote to memory of 2248	1296	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe
PID 1296 wrote to memory of 2248	1296	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe
PID 1296 wrote to memory of 2248	1296	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe
PID 1296 wrote to memory of 2352	1296	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe	cmd.exe
PID 1296 wrote to memory of 2352	1296	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe	cmd.exe
PID 1296 wrote to memory of 2352	1296	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe	cmd.exe
PID 1296 wrote to memory of 2352	1296	{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe	cmd.exe
PID 2248 wrote to memory of 576	2248	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe
PID 2248 wrote to memory of 576	2248	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe
PID 2248 wrote to memory of 576	2248	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe
PID 2248 wrote to memory of 576	2248	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe
PID 2248 wrote to memory of 704	2248	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe	cmd.exe
PID 2248 wrote to memory of 704	2248	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe	cmd.exe
PID 2248 wrote to memory of 704	2248	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe	cmd.exe
PID 2248 wrote to memory of 704	2248	{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe	cmd.exe
PID 576 wrote to memory of 1736	576	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe
PID 576 wrote to memory of 1736	576	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe
PID 576 wrote to memory of 1736	576	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe
PID 576 wrote to memory of 1736	576	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe
PID 576 wrote to memory of 564	576	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe	cmd.exe
PID 576 wrote to memory of 564	576	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe	cmd.exe
PID 576 wrote to memory of 564	576	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe	cmd.exe
PID 576 wrote to memory of 564	576	{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe	cmd.exe
PID 1736 wrote to memory of 1772	1736	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe
PID 1736 wrote to memory of 1772	1736	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe
PID 1736 wrote to memory of 1772	1736	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe
PID 1736 wrote to memory of 1772	1736	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe
PID 1736 wrote to memory of 2616	1736	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe	cmd.exe
PID 1736 wrote to memory of 2616	1736	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe	cmd.exe
PID 1736 wrote to memory of 2616	1736	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe	cmd.exe
PID 1736 wrote to memory of 2616	1736	{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe	cmd.exe
PID 1772 wrote to memory of 1136	1772	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe	{C2601779-1A51-48bf-A037-21174D6361A7}.exe
PID 1772 wrote to memory of 1136	1772	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe	{C2601779-1A51-48bf-A037-21174D6361A7}.exe
PID 1772 wrote to memory of 1136	1772	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe	{C2601779-1A51-48bf-A037-21174D6361A7}.exe
PID 1772 wrote to memory of 1136	1772	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe	{C2601779-1A51-48bf-A037-21174D6361A7}.exe
PID 1772 wrote to memory of 2828	1772	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe	cmd.exe
PID 1772 wrote to memory of 2828	1772	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe	cmd.exe
PID 1772 wrote to memory of 2828	1772	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe	cmd.exe
PID 1772 wrote to memory of 2828	1772	{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe	cmd.exe
PID 1136 wrote to memory of 2632	1136	{C2601779-1A51-48bf-A037-21174D6361A7}.exe	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe
PID 1136 wrote to memory of 2632	1136	{C2601779-1A51-48bf-A037-21174D6361A7}.exe	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe
PID 1136 wrote to memory of 2632	1136	{C2601779-1A51-48bf-A037-21174D6361A7}.exe	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe
PID 1136 wrote to memory of 2632	1136	{C2601779-1A51-48bf-A037-21174D6361A7}.exe	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe
PID 1136 wrote to memory of 2836	1136	{C2601779-1A51-48bf-A037-21174D6361A7}.exe	cmd.exe
PID 1136 wrote to memory of 2836	1136	{C2601779-1A51-48bf-A037-21174D6361A7}.exe	cmd.exe
PID 1136 wrote to memory of 2836	1136	{C2601779-1A51-48bf-A037-21174D6361A7}.exe	cmd.exe
PID 1136 wrote to memory of 2836	1136	{C2601779-1A51-48bf-A037-21174D6361A7}.exe	cmd.exe
PID 2632 wrote to memory of 2692	2632	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe	{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe
PID 2632 wrote to memory of 2692	2632	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe	{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe
PID 2632 wrote to memory of 2692	2632	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe	{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe
PID 2632 wrote to memory of 2692	2632	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe	{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe
PID 2632 wrote to memory of 1868	2632	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe	cmd.exe
PID 2632 wrote to memory of 1868	2632	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe	cmd.exe
PID 2632 wrote to memory of 1868	2632	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe	cmd.exe
PID 2632 wrote to memory of 1868	2632	{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe
C:\Windows\{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe
C:\Windows\{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe
C:\Windows\{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe
C:\Windows\{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe
C:\Windows\{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\{C2601779-1A51-48bf-A037-21174D6361A7}.exe
C:\Windows\{C2601779-1A51-48bf-A037-21174D6361A7}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe
C:\Windows\{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe
C:\Windows\{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}.exe
C:\Windows\{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\{3A231EE0-5DA7-435f-BD84-CDB107B80981}.exe
C:\Windows\{3A231EE0-5DA7-435f-BD84-CDB107B80981}.exe
11⤵
- Executes dropped EXE
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{28BDD~1.EXE > nul
11⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E4A29~1.EXE > nul
10⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8BA85~1.EXE > nul
9⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C2601~1.EXE > nul
8⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{893DA~1.EXE > nul
7⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6C6AE~1.EXE > nul
6⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B5909~1.EXE > nul
5⤵
PID:564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EDD98~1.EXE > nul
4⤵
PID:704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D6ED7~1.EXE > nul
3⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{28BDDB5C-7599-41c6-B0BC-1B2B85F4A3A0}.exe

Filesize
180KB

MD5
826db8ab3afad1d3dd04edf1e61b4c41

SHA1
59e487ebe42ca9800a3eaefd6af529a5016a8495

SHA256
e3b4a7edf0960cf1b1b2d773c918f2d9b2265d27451824c8d5b5d87c371e2863

SHA512
2985da094fefc9a330b8192fc000b37c8ba0c4cb4a98b572ea3f6094bf40d41381fad3a80830e83455ffa058acdd7761f6cb3f69c51ce61ef7a76633d533a7e7

Download Submit
C:\Windows\{3A231EE0-5DA7-435f-BD84-CDB107B80981}.exe

Filesize
180KB

MD5
3f37dff7ae4d508342fac89eed392b64

SHA1
02b719b4a1e43c88565834d73540f4dd4f7f19e9

SHA256
8c29e09af575bebce6f1a495f70b13ae05c48dbc515e2dd252628d3001eec506

SHA512
81fdcfb1797b46bc1801acf5176bbe750a70e7751a10071e8d2decd13a41d2eec70fddafc64221e140d13f03fc25f8a7904d35e6b2160f4ccc01d86c5d72730e

Download Submit
C:\Windows\{6C6AEE55-E48E-414c-B1B1-02571C1E2B81}.exe

Filesize
180KB

MD5
f8ba3cadc0cb2aca3f1ed612b023884c

SHA1
43474079326c0d5248ed5579fb82f1916bd64f5d

SHA256
575c1071c59a216cb5914a3fc302dd9fb92a7c66d970e71f6e378ff1ef6e4919

SHA512
8a67901e953a9ad2ec7ea618f9c4ac7346708e37e4bea94935b9743b29f8a9d59d8ce9af0fb270ac7705ccec1eb920a79fe5e332e043d4ec0e81c216acc10386

Download Submit
C:\Windows\{893DA21C-68DA-4604-B27C-F88E0AEA2573}.exe

Filesize
180KB

MD5
07c32f9b159b460f624aa20cb09b8c8d

SHA1
2383962db866e367ee37a5ea7e69af9e84aaf606

SHA256
2b0c3018ebd2c95a54c1d207685fe0b19781189140bc40daae69418bea3cc6a3

SHA512
969ba7e990a5c78f7724522e776cae05e82bd7288a1ac9a190c304c458a7ae29da06d7fdc26d77ee41ae030a57812edb68de44edbd8959fb5eaa27faaac7f72f

Download Submit
C:\Windows\{8BA85BE4-CD5B-447a-936D-19FD094D9BEF}.exe

Filesize
180KB

MD5
6254eaf4278381474ab73fe7bb0784e5

SHA1
2ee67d97f04ec060e3420253074aff7d14e2432d

SHA256
474db67b23c7289cf89d60cb9c366b5bd87332bb7b68006c2a54d928e3884cd9

SHA512
432dfce05d1c3692c76c9515972cdf4f0c01806b0f17d23cae61836e198c68d78cb6475c86bea61accd107fbef26ca1a4fb2a43e6581d7d2fb028d3951a48953

Download Submit
C:\Windows\{B5909802-CC1C-4e1c-B7D7-6A198E7D9D50}.exe

Filesize
180KB

MD5
3f6e8daf922e72880b0403f11da9217c

SHA1
756a4f6a999f25517bda0936e85087426d3d7ec6

SHA256
2e14282cd8d8432dce4e820fa7d1766d1d94c2283ec314a4c46b8ea7c42d22d2

SHA512
998d5ea77ae27218ddf6ac9b372b665eb320fe18c077e6630ecb1fdb7d5830665866db2cc821bdae3f41df49e8e4234e6cf2f8acba67dfdd0f8f9e8e21dab9ed

Download Submit
C:\Windows\{C2601779-1A51-48bf-A037-21174D6361A7}.exe

Filesize
180KB

MD5
92225039b6f59e366d2518a6ac427651

SHA1
287ebcb6c6d1db0f0ad308a44f76d0fb32dde2e9

SHA256
52b18f691e71db4f024cff449f1531cdb3f2bc305df66d88a6bcf1e7446bb0bc

SHA512
b4a97cd5de89219a30f98e41770f57bb5802a4f376abf7b9ee674884a2ff35ef09b34834dcffff4690be49fed297ad1122fde83c3bfd674c5d3b2ae28b526dbd

Download Submit
C:\Windows\{D6ED77D9-4C6E-4f47-B3FB-7C17BCB18959}.exe

Filesize
180KB

MD5
26413b9e176c458bd5df5dd1b06f1130

SHA1
ebda2e814a022e71209318312b139d65cf053223

SHA256
6c1cea1a1a05aad650098a95a413e72bf3dae83584a62111cbd763b7640ff6da

SHA512
872c11cf1b7f29276a1f7c4cb5b1338c040824dd94e62fbdc7a681a050b6fe4972609e3ac1aa78a844216f42ad5abcd64a7971996af3ab97a62d3a4484ad4e22

Download Submit
C:\Windows\{E4A2989A-A18E-4775-880F-16761F0C1E17}.exe

Filesize
180KB

MD5
2ac3e112d26fd09df8c0c6a22f832808

SHA1
6ea3c181b37064ae44a5c0e61fd78084202664f7

SHA256
6af09b9787fe0e66c4975903f47aafc34162d47300225a4d1b88d295ff8f9f92

SHA512
6e988283dba30cc783017c2537409953dea7c699fd146ed37e9d15830a6dbd1b4a4136677789cfa862fd913c94b8fe3c5d12a299815692a5cad03c5baaf13cf7

Download Submit
C:\Windows\{EDD9801F-C35E-4b2c-B93A-0F3C64412200}.exe

Filesize
180KB

MD5
8dc826b94b50a7699c697e1b11f87462

SHA1
29e2fba3f93499db4aab014bbfa6726c78019bb5

SHA256
24c233aabaf65425b9a026ffd788f1c3034856eeda2368b04e7220cab47e6f63

SHA512
bd8e1d8ea075266e17ca4930b53c28d04c290f0f44d4aaa6fc64a367579b8c83ae3beb140a9ac6413936de503a743bf8e60f2eb58f67f6022c2cd7fd0de91036

Download Submit