5dc31b140a627a8191a3883ed171b137693f76cd3544942480d9304f551087e1

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe
Size

180KB
MD5

a77d647f9b70ef02833d0306d10ba5fd
SHA1

a85be9473ea65b2ceb6d8dda9e37c68b4094090a
SHA256

5dc31b140a627a8191a3883ed171b137693f76cd3544942480d9304f551087e1
SHA512

fc40e979ea70b8c93fdd49a31a30851c18e0e801602ecaa96b08133e3a53b8b841c63aaf2f779cb309d479a58a45f52bfb8bfff75b4732af1e7e1102274d0afa
SSDEEP

3072:jEGh0o0lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGGl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{551CA909-2122-4746-B1F9-9B521246186B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D93984A1-33BB-4539-B14C-E57506267775}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4AD5D072-B9AD-4fe4-9C30-797FCE9DF2F5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{551CA909-2122-4746-B1F9-9B521246186B}.exe{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe{D93984A1-33BB-4539-B14C-E57506267775}.exe{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{926BD4EA-E8AF-413c-8F32-62584FD78C38}\stubpath = "C:\\Windows\\{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe"	{551CA909-2122-4746-B1F9-9B521246186B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BBF51FA-5218-4021-B23C-9347F9ADDB21}	{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99A99194-950A-4b72-86A8-66981C4CBC0B}	{D93984A1-33BB-4539-B14C-E57506267775}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C071CBF8-0B25-4ae8-A44D-F34B88042005}\stubpath = "C:\\Windows\\{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe"	{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AD5D072-B9AD-4fe4-9C30-797FCE9DF2F5}\stubpath = "C:\\Windows\\{4AD5D072-B9AD-4fe4-9C30-797FCE9DF2F5}.exe"	{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{551CA909-2122-4746-B1F9-9B521246186B}	{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}	{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}\stubpath = "C:\\Windows\\{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe"	{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D93984A1-33BB-4539-B14C-E57506267775}\stubpath = "C:\\Windows\\{D93984A1-33BB-4539-B14C-E57506267775}.exe"	{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99A99194-950A-4b72-86A8-66981C4CBC0B}\stubpath = "C:\\Windows\\{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe"	{D93984A1-33BB-4539-B14C-E57506267775}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF81896F-DE1D-4cd8-B797-4109625D93E4}\stubpath = "C:\\Windows\\{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe"	{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA00BFA6-7443-4d9c-95BA-0705661E91B0}	{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA00BFA6-7443-4d9c-95BA-0705661E91B0}\stubpath = "C:\\Windows\\{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe"	{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C071CBF8-0B25-4ae8-A44D-F34B88042005}	{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}\stubpath = "C:\\Windows\\{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe"	{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AD5D072-B9AD-4fe4-9C30-797FCE9DF2F5}	{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}\stubpath = "C:\\Windows\\{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe"	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{551CA909-2122-4746-B1F9-9B521246186B}\stubpath = "C:\\Windows\\{551CA909-2122-4746-B1F9-9B521246186B}.exe"	{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{926BD4EA-E8AF-413c-8F32-62584FD78C38}	{551CA909-2122-4746-B1F9-9B521246186B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF81896F-DE1D-4cd8-B797-4109625D93E4}	{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BBF51FA-5218-4021-B23C-9347F9ADDB21}\stubpath = "C:\\Windows\\{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe"	{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D93984A1-33BB-4539-B14C-E57506267775}	{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}	{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe

Executes dropped EXE 12 IoCs

Processes:

{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe{551CA909-2122-4746-B1F9-9B521246186B}.exe{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe{D93984A1-33BB-4539-B14C-E57506267775}.exe{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe{4AD5D072-B9AD-4fe4-9C30-797FCE9DF2F5}.exe

pid	process
3508	{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe
2908	{551CA909-2122-4746-B1F9-9B521246186B}.exe
3704	{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe
4976	{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe
1464	{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe
3900	{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe
3256	{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe
4212	{D93984A1-33BB-4539-B14C-E57506267775}.exe
4104	{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe
3312	{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe
3924	{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe
448	{4AD5D072-B9AD-4fe4-9C30-797FCE9DF2F5}.exe

Drops file in Windows directory 12 IoCs

Processes:

{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe{551CA909-2122-4746-B1F9-9B521246186B}.exe{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe{D93984A1-33BB-4539-B14C-E57506267775}.exe{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe

description	ioc	process
File created	C:\Windows\{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe	{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe
File created	C:\Windows\{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe	{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe
File created	C:\Windows\{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe	{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe
File created	C:\Windows\{4AD5D072-B9AD-4fe4-9C30-797FCE9DF2F5}.exe	{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe
File created	C:\Windows\{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe
File created	C:\Windows\{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe	{551CA909-2122-4746-B1F9-9B521246186B}.exe
File created	C:\Windows\{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe	{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe
File created	C:\Windows\{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe	{D93984A1-33BB-4539-B14C-E57506267775}.exe
File created	C:\Windows\{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe	{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe
File created	C:\Windows\{551CA909-2122-4746-B1F9-9B521246186B}.exe	{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe
File created	C:\Windows\{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe	{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe
File created	C:\Windows\{D93984A1-33BB-4539-B14C-E57506267775}.exe	{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe{551CA909-2122-4746-B1F9-9B521246186B}.exe{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe{D93984A1-33BB-4539-B14C-E57506267775}.exe{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2352	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3508	{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe
Token: SeIncBasePriorityPrivilege	2908	{551CA909-2122-4746-B1F9-9B521246186B}.exe
Token: SeIncBasePriorityPrivilege	3704	{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe
Token: SeIncBasePriorityPrivilege	4976	{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe
Token: SeIncBasePriorityPrivilege	1464	{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe
Token: SeIncBasePriorityPrivilege	3900	{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe
Token: SeIncBasePriorityPrivilege	3256	{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe
Token: SeIncBasePriorityPrivilege	4212	{D93984A1-33BB-4539-B14C-E57506267775}.exe
Token: SeIncBasePriorityPrivilege	4104	{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe
Token: SeIncBasePriorityPrivilege	3312	{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe
Token: SeIncBasePriorityPrivilege	3924	{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2352 wrote to memory of 3508	2352	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe	{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe
PID 2352 wrote to memory of 3508	2352	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe	{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe
PID 2352 wrote to memory of 3508	2352	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe	{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe
PID 2352 wrote to memory of 4564	2352	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe	cmd.exe
PID 2352 wrote to memory of 4564	2352	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe	cmd.exe
PID 2352 wrote to memory of 4564	2352	2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe	cmd.exe
PID 3508 wrote to memory of 2908	3508	{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe	{551CA909-2122-4746-B1F9-9B521246186B}.exe
PID 3508 wrote to memory of 2908	3508	{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe	{551CA909-2122-4746-B1F9-9B521246186B}.exe
PID 3508 wrote to memory of 2908	3508	{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe	{551CA909-2122-4746-B1F9-9B521246186B}.exe
PID 3508 wrote to memory of 4180	3508	{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe	cmd.exe
PID 3508 wrote to memory of 4180	3508	{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe	cmd.exe
PID 3508 wrote to memory of 4180	3508	{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe	cmd.exe
PID 2908 wrote to memory of 3704	2908	{551CA909-2122-4746-B1F9-9B521246186B}.exe	{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe
PID 2908 wrote to memory of 3704	2908	{551CA909-2122-4746-B1F9-9B521246186B}.exe	{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe
PID 2908 wrote to memory of 3704	2908	{551CA909-2122-4746-B1F9-9B521246186B}.exe	{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe
PID 2908 wrote to memory of 1940	2908	{551CA909-2122-4746-B1F9-9B521246186B}.exe	cmd.exe
PID 2908 wrote to memory of 1940	2908	{551CA909-2122-4746-B1F9-9B521246186B}.exe	cmd.exe
PID 2908 wrote to memory of 1940	2908	{551CA909-2122-4746-B1F9-9B521246186B}.exe	cmd.exe
PID 3704 wrote to memory of 4976	3704	{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe	{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe
PID 3704 wrote to memory of 4976	3704	{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe	{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe
PID 3704 wrote to memory of 4976	3704	{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe	{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe
PID 3704 wrote to memory of 4408	3704	{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe	cmd.exe
PID 3704 wrote to memory of 4408	3704	{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe	cmd.exe
PID 3704 wrote to memory of 4408	3704	{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe	cmd.exe
PID 4976 wrote to memory of 1464	4976	{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe	{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe
PID 4976 wrote to memory of 1464	4976	{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe	{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe
PID 4976 wrote to memory of 1464	4976	{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe	{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe
PID 4976 wrote to memory of 2228	4976	{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe	cmd.exe
PID 4976 wrote to memory of 2228	4976	{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe	cmd.exe
PID 4976 wrote to memory of 2228	4976	{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe	cmd.exe
PID 1464 wrote to memory of 3900	1464	{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe	{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe
PID 1464 wrote to memory of 3900	1464	{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe	{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe
PID 1464 wrote to memory of 3900	1464	{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe	{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe
PID 1464 wrote to memory of 1932	1464	{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe	cmd.exe
PID 1464 wrote to memory of 1932	1464	{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe	cmd.exe
PID 1464 wrote to memory of 1932	1464	{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe	cmd.exe
PID 3900 wrote to memory of 3256	3900	{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe	{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe
PID 3900 wrote to memory of 3256	3900	{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe	{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe
PID 3900 wrote to memory of 3256	3900	{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe	{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe
PID 3900 wrote to memory of 1260	3900	{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe	cmd.exe
PID 3900 wrote to memory of 1260	3900	{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe	cmd.exe
PID 3900 wrote to memory of 1260	3900	{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe	cmd.exe
PID 3256 wrote to memory of 4212	3256	{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe	{D93984A1-33BB-4539-B14C-E57506267775}.exe
PID 3256 wrote to memory of 4212	3256	{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe	{D93984A1-33BB-4539-B14C-E57506267775}.exe
PID 3256 wrote to memory of 4212	3256	{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe	{D93984A1-33BB-4539-B14C-E57506267775}.exe
PID 3256 wrote to memory of 932	3256	{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe	cmd.exe
PID 3256 wrote to memory of 932	3256	{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe	cmd.exe
PID 3256 wrote to memory of 932	3256	{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe	cmd.exe
PID 4212 wrote to memory of 4104	4212	{D93984A1-33BB-4539-B14C-E57506267775}.exe	{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe
PID 4212 wrote to memory of 4104	4212	{D93984A1-33BB-4539-B14C-E57506267775}.exe	{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe
PID 4212 wrote to memory of 4104	4212	{D93984A1-33BB-4539-B14C-E57506267775}.exe	{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe
PID 4212 wrote to memory of 2920	4212	{D93984A1-33BB-4539-B14C-E57506267775}.exe	cmd.exe
PID 4212 wrote to memory of 2920	4212	{D93984A1-33BB-4539-B14C-E57506267775}.exe	cmd.exe
PID 4212 wrote to memory of 2920	4212	{D93984A1-33BB-4539-B14C-E57506267775}.exe	cmd.exe
PID 4104 wrote to memory of 3312	4104	{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe	{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe
PID 4104 wrote to memory of 3312	4104	{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe	{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe
PID 4104 wrote to memory of 3312	4104	{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe	{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe
PID 4104 wrote to memory of 5048	4104	{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe	cmd.exe
PID 4104 wrote to memory of 5048	4104	{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe	cmd.exe
PID 4104 wrote to memory of 5048	4104	{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe	cmd.exe
PID 3312 wrote to memory of 3924	3312	{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe	{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe
PID 3312 wrote to memory of 3924	3312	{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe	{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe
PID 3312 wrote to memory of 3924	3312	{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe	{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe
PID 3312 wrote to memory of 3248	3312	{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_a77d647f9b70ef02833d0306d10ba5fd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe
C:\Windows\{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\{551CA909-2122-4746-B1F9-9B521246186B}.exe
C:\Windows\{551CA909-2122-4746-B1F9-9B521246186B}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe
C:\Windows\{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe
C:\Windows\{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe
C:\Windows\{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe
C:\Windows\{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe
C:\Windows\{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\{D93984A1-33BB-4539-B14C-E57506267775}.exe
C:\Windows\{D93984A1-33BB-4539-B14C-E57506267775}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe
C:\Windows\{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe
C:\Windows\{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe
C:\Windows\{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\{4AD5D072-B9AD-4fe4-9C30-797FCE9DF2F5}.exe
C:\Windows\{4AD5D072-B9AD-4fe4-9C30-797FCE9DF2F5}.exe
13⤵
- Executes dropped EXE
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F57A3~1.EXE > nul
13⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C071C~1.EXE > nul
12⤵
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{99A99~1.EXE > nul
11⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D9398~1.EXE > nul
10⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4BBF5~1.EXE > nul
9⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DA00B~1.EXE > nul
8⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FF818~1.EXE > nul
7⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EA14A~1.EXE > nul
6⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{926BD~1.EXE > nul
5⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{551CA~1.EXE > nul
4⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DD753~1.EXE > nul
3⤵
PID:4180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4AD5D072-B9AD-4fe4-9C30-797FCE9DF2F5}.exe

Filesize
180KB

MD5
953305e6f0500a76020ca9db272ee4dc

SHA1
55f976e487123ce06b15606c89c2d978f7ffbeae

SHA256
946b58bc873a07d07549e6d68e844b65de16efd7e5a5d371f66020283fd4fbe7

SHA512
afbafd64d7c57ad61a05f1a270a9641da6fe64f0dd49eaa2f0f02f19fa9e9ce854a5b64d75ece44cef99429e9f618621e42b9913d201d0849f79102df7d58ef9

Download Submit
C:\Windows\{4BBF51FA-5218-4021-B23C-9347F9ADDB21}.exe

Filesize
180KB

MD5
293933da71ac3da40bd7e1449aa8f289

SHA1
9b74c7d48328cc7b9dab2bce972c384ada0704e8

SHA256
d4b762308d4cf3b5ac8f6459c8a4b6828db64249a16bd92c53a17751dce4da9b

SHA512
83dd7945bd65f7b6851bc558c11252e66b973573893b2f4e7760edf40a3cdb702db5ccdb2d4ed561bd1f07eb28507db79f6c4e7e9ecfc54abf16668e24dce849

Download Submit
C:\Windows\{551CA909-2122-4746-B1F9-9B521246186B}.exe

Filesize
180KB

MD5
9bd7e489f40f8977636b27899c49daca

SHA1
c2bfb9f61c8076768d254c06a7fca56d619984f6

SHA256
d481d0806922a9e1a2101080bc469c43a3262cda00ff4f1d5e9cb55dfe4ab2b6

SHA512
24205535ce79ae1c25cb6b361a96c9c3ec0105f07bc52bcc94c022400cdf0b7ddff3ce07cf647c9bd34c0f2f07a6b271607b1a1ef26b1ce41aeab6877f232faf

Download Submit
C:\Windows\{926BD4EA-E8AF-413c-8F32-62584FD78C38}.exe

Filesize
180KB

MD5
16a90594dca0c670701705741cfe8a34

SHA1
7ab30148b49a03b0b6fd06e4a35bccb3517bbbd9

SHA256
3fd4c7a382035114c24fa2b07bf46d2e88c0ee3c8b83292efc5d7b6e5e1e493b

SHA512
74fff5e632484e7abb32e6e6121bd548e5be068bcc4ddb9865ccf8bebf94e154c60b61069211f9676cb9f98e6757131ddd8ae5b4e3919388fddc5a7829c39d07

Download Submit
C:\Windows\{99A99194-950A-4b72-86A8-66981C4CBC0B}.exe

Filesize
180KB

MD5
6f441c5b4ccc8c4096e3f32432115721

SHA1
b56d384ce2d9ea1e23fe0d76d2fa7e4ad313c5ca

SHA256
b7e2cf5ee37fff221ad55c6b5af4ebcc975b2da170f6944a0a85d0e26c85b11a

SHA512
82c452023fa0e6af761b5006b1b728a2cb1962cfdbef4d8efb84931deff14f4923b04f9c6054335372725c5b1f72c0c46e8b6428e46162d65fd259f46d7c4cfb

Download Submit
C:\Windows\{C071CBF8-0B25-4ae8-A44D-F34B88042005}.exe

Filesize
180KB

MD5
73f7c998fac995f89eb0609225e3a003

SHA1
ee6fcc500d0806fce4b12f0137ad902f32fe1699

SHA256
3fc7b90ab5ab5a45e6563efc408a1a80240858d62749a70ac8249ff824b12946

SHA512
d20aa3ae196750fac2b93d6a26cb003a6a3e2ca28080d4bd9d2a7037409822ef548eef5b8fc5928a76710cde8513ae2403a40e651b8625f5ce3afc6582ec7b4a

Download Submit
C:\Windows\{D93984A1-33BB-4539-B14C-E57506267775}.exe

Filesize
180KB

MD5
eb022bbae46875e8d00a18c2e547707a

SHA1
5723940626223ff8f2b26e26a59fd532e16648b7

SHA256
a2902fd53d84736bf35c41c0a1e12a40a47bf916546332d2c56b391071c368dd

SHA512
242da0b3510188012cc279c9af6a8ecd6f3e1ec46d686fe7c15687ab38ab65e4a01fae7906d0aa81b6197f562ac66042d8cbeb40941c1604feae5c9f6e42c7b1

Download Submit
C:\Windows\{DA00BFA6-7443-4d9c-95BA-0705661E91B0}.exe

Filesize
180KB

MD5
7cfe30030cf39ba6d42b74daa9bfe4a9

SHA1
30c11a5de06fb6cb63b98a3ca496ec7571031913

SHA256
535c16b0c463b645d35e931f6c90683e3bc0a0ab1fc57c72984978ebdb4089cf

SHA512
5738e15f2ba29181bd0aa041c0da9b2a977f21267da42d3f5955d9a55712cec00c437212d407a56fa32943c21666f5138226fd7ddcf9e23dede7ca6529d97857

Download Submit
C:\Windows\{DD7539D0-D6E3-4e9f-B1BA-0470866F6354}.exe

Filesize
180KB

MD5
d37a90656bdac702e8d8a102326f8116

SHA1
0618c4f26b822ae6bbe12e211ca91deccb43240d

SHA256
41d3a1294e9061e25895a54c8ae27321b555d74fcae4abfbed5f45649a18b730

SHA512
ea726496e1bb707baaa5ea5f5c27dcc1f2af9be4c5cb024d36f6308a44f17ca99dc62becd172075767e949c4f331ccad799743543e6bb01f5837ee680e82fe85

Download Submit
C:\Windows\{EA14AF02-E417-47f4-88B0-7B5D1AE8BCA5}.exe

Filesize
180KB

MD5
3e8b4b85bf7a84730aef4d7da3b7a2f0

SHA1
319435d979aff05cf21102651a22054f9b1355a3

SHA256
0b6c4f237cbd4e3da3396cf627bc99462625b9d6d3d087618e5c75a6459b03f6

SHA512
e90f859d0a9cf3d783af11e4aca6f4d88f5741c4b91fb05879666ff2d33ee3011a0ebea685846b14ce65e3888729d2ebe33ffeaa5ef2f8c4576d65e35eaa96a8

Download Submit
C:\Windows\{F57A3DB3-1B27-4c8e-B6B4-EB3F767B28E9}.exe

Filesize
180KB

MD5
8a061e2ed549cf6996b65b13fe94e676

SHA1
388e1bffa27e157532bee391732efaa8598ac9fd

SHA256
395a5067a416d6038d3d4c9b3d9247066594ae03b759b04d80bf4bd588d85193

SHA512
927cd939456bd250acbffa6a133e8992e5db770cd49da492463d890e1a99df27c79189f781663d2ed243cdd8d78d5a0b45c7cee94102fc1221f55c3756a104fe

Download Submit
C:\Windows\{FF81896F-DE1D-4cd8-B797-4109625D93E4}.exe

Filesize
180KB

MD5
abeb56a995e405349479021fa4ddf0b0

SHA1
ca6bb1f4d36b4f987d4bac1ca58fccf999703cf6

SHA256
c7a669bde44b8148a597b00c5646d182b9ab88945156ba1d322ee552ff3a4cd2

SHA512
b7455fb840042f641d8c6664bf4858da1c3ee61872f98eaf4dbe60ad5bcc02eeff4e0f853702bf6d922beabc9b1398ec5df771d2ba05520d3cbc6fe084fffbfe

Download Submit