c2012d1c2bfde307384aac5bcf86215cc4d3d21d4ba94557d5e88ee4d71227ff

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe
Size

180KB
MD5

2eacf9b575fda381de9e81f90ddd4791
SHA1

eea825deb93806ebb2382558b397e01aeec16416
SHA256

c2012d1c2bfde307384aac5bcf86215cc4d3d21d4ba94557d5e88ee4d71227ff
SHA512

c7ef521384ca2e0d89a5704ba79e3f53c5ebfb58a8488dde2acde3c87d321e2ff45054cd1c3fdb7c9569da3d7fa36110fc89f205f055b590d90096e1b987db39
SSDEEP

3072:jEGh0ovlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGRl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{881D0E15-5847-4893-A5F8-2E406852634C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{30964A4A-6324-49a1-B972-8860D13F0083}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4AC962FA-678E-4238-B976-EE815550D43F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{47BFE5AE-418F-40fd-8451-54968851534C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C0A25693-AB72-4603-B77E-61694E66D8EC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe{30964A4A-6324-49a1-B972-8860D13F0083}.exe{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe{881D0E15-5847-4893-A5F8-2E406852634C}.exe{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe{4AC962FA-678E-4238-B976-EE815550D43F}.exe{47BFE5AE-418F-40fd-8451-54968851534C}.exe{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B489A696-4E5C-4037-AE8F-09B5552ED254}	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B489A696-4E5C-4037-AE8F-09B5552ED254}\stubpath = "C:\\Windows\\{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe"	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}	{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D94FE666-7F81-4a51-9009-1EBC8822B826}	{30964A4A-6324-49a1-B972-8860D13F0083}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9074963-CCE7-48f2-8BB9-744CD89E00B5}\stubpath = "C:\\Windows\\{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe"	{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0A25693-AB72-4603-B77E-61694E66D8EC}	{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}\stubpath = "C:\\Windows\\{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe"	{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30964A4A-6324-49a1-B972-8860D13F0083}	{881D0E15-5847-4893-A5F8-2E406852634C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30964A4A-6324-49a1-B972-8860D13F0083}\stubpath = "C:\\Windows\\{30964A4A-6324-49a1-B972-8860D13F0083}.exe"	{881D0E15-5847-4893-A5F8-2E406852634C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC962FA-678E-4238-B976-EE815550D43F}\stubpath = "C:\\Windows\\{4AC962FA-678E-4238-B976-EE815550D43F}.exe"	{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47BFE5AE-418F-40fd-8451-54968851534C}	{4AC962FA-678E-4238-B976-EE815550D43F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}\stubpath = "C:\\Windows\\{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe"	{47BFE5AE-418F-40fd-8451-54968851534C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}\stubpath = "C:\\Windows\\{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe"	{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{881D0E15-5847-4893-A5F8-2E406852634C}	{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{881D0E15-5847-4893-A5F8-2E406852634C}\stubpath = "C:\\Windows\\{881D0E15-5847-4893-A5F8-2E406852634C}.exe"	{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D94FE666-7F81-4a51-9009-1EBC8822B826}\stubpath = "C:\\Windows\\{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe"	{30964A4A-6324-49a1-B972-8860D13F0083}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47BFE5AE-418F-40fd-8451-54968851534C}\stubpath = "C:\\Windows\\{47BFE5AE-418F-40fd-8451-54968851534C}.exe"	{4AC962FA-678E-4238-B976-EE815550D43F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}	{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9074963-CCE7-48f2-8BB9-744CD89E00B5}	{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}\stubpath = "C:\\Windows\\{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe"	{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC962FA-678E-4238-B976-EE815550D43F}	{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}	{47BFE5AE-418F-40fd-8451-54968851534C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}	{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0A25693-AB72-4603-B77E-61694E66D8EC}\stubpath = "C:\\Windows\\{C0A25693-AB72-4603-B77E-61694E66D8EC}.exe"	{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe

Executes dropped EXE 12 IoCs

Processes:

{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe{881D0E15-5847-4893-A5F8-2E406852634C}.exe{30964A4A-6324-49a1-B972-8860D13F0083}.exe{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe{4AC962FA-678E-4238-B976-EE815550D43F}.exe{47BFE5AE-418F-40fd-8451-54968851534C}.exe{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe{C0A25693-AB72-4603-B77E-61694E66D8EC}.exe

pid	process
4404	{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe
1920	{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe
2800	{881D0E15-5847-4893-A5F8-2E406852634C}.exe
1136	{30964A4A-6324-49a1-B972-8860D13F0083}.exe
752	{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe
2536	{4AC962FA-678E-4238-B976-EE815550D43F}.exe
3440	{47BFE5AE-418F-40fd-8451-54968851534C}.exe
2384	{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe
3916	{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe
3180	{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe
1404	{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe
4304	{C0A25693-AB72-4603-B77E-61694E66D8EC}.exe

Drops file in Windows directory 12 IoCs

Processes:

{47BFE5AE-418F-40fd-8451-54968851534C}.exe{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe{4AC962FA-678E-4238-B976-EE815550D43F}.exe{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe{881D0E15-5847-4893-A5F8-2E406852634C}.exe{30964A4A-6324-49a1-B972-8860D13F0083}.exe{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe

description	ioc	process
File created	C:\Windows\{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe	{47BFE5AE-418F-40fd-8451-54968851534C}.exe
File created	C:\Windows\{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe	{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe
File created	C:\Windows\{4AC962FA-678E-4238-B976-EE815550D43F}.exe	{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe
File created	C:\Windows\{47BFE5AE-418F-40fd-8451-54968851534C}.exe	{4AC962FA-678E-4238-B976-EE815550D43F}.exe
File created	C:\Windows\{881D0E15-5847-4893-A5F8-2E406852634C}.exe	{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe
File created	C:\Windows\{30964A4A-6324-49a1-B972-8860D13F0083}.exe	{881D0E15-5847-4893-A5F8-2E406852634C}.exe
File created	C:\Windows\{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe	{30964A4A-6324-49a1-B972-8860D13F0083}.exe
File created	C:\Windows\{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe	{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe
File created	C:\Windows\{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe	{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe
File created	C:\Windows\{C0A25693-AB72-4603-B77E-61694E66D8EC}.exe	{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe
File created	C:\Windows\{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe
File created	C:\Windows\{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe	{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe{881D0E15-5847-4893-A5F8-2E406852634C}.exe{30964A4A-6324-49a1-B972-8860D13F0083}.exe{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe{4AC962FA-678E-4238-B976-EE815550D43F}.exe{47BFE5AE-418F-40fd-8451-54968851534C}.exe{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	576	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4404	{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe
Token: SeIncBasePriorityPrivilege	1920	{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe
Token: SeIncBasePriorityPrivilege	2800	{881D0E15-5847-4893-A5F8-2E406852634C}.exe
Token: SeIncBasePriorityPrivilege	1136	{30964A4A-6324-49a1-B972-8860D13F0083}.exe
Token: SeIncBasePriorityPrivilege	752	{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe
Token: SeIncBasePriorityPrivilege	2536	{4AC962FA-678E-4238-B976-EE815550D43F}.exe
Token: SeIncBasePriorityPrivilege	3440	{47BFE5AE-418F-40fd-8451-54968851534C}.exe
Token: SeIncBasePriorityPrivilege	2384	{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe
Token: SeIncBasePriorityPrivilege	3916	{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe
Token: SeIncBasePriorityPrivilege	3180	{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe
Token: SeIncBasePriorityPrivilege	1404	{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 576 wrote to memory of 4404	576	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe	{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe
PID 576 wrote to memory of 4404	576	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe	{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe
PID 576 wrote to memory of 4404	576	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe	{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe
PID 576 wrote to memory of 2780	576	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe	cmd.exe
PID 576 wrote to memory of 2780	576	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe	cmd.exe
PID 576 wrote to memory of 2780	576	2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe	cmd.exe
PID 4404 wrote to memory of 1920	4404	{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe	{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe
PID 4404 wrote to memory of 1920	4404	{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe	{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe
PID 4404 wrote to memory of 1920	4404	{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe	{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe
PID 4404 wrote to memory of 2384	4404	{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe	cmd.exe
PID 4404 wrote to memory of 2384	4404	{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe	cmd.exe
PID 4404 wrote to memory of 2384	4404	{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe	cmd.exe
PID 1920 wrote to memory of 2800	1920	{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe	{881D0E15-5847-4893-A5F8-2E406852634C}.exe
PID 1920 wrote to memory of 2800	1920	{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe	{881D0E15-5847-4893-A5F8-2E406852634C}.exe
PID 1920 wrote to memory of 2800	1920	{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe	{881D0E15-5847-4893-A5F8-2E406852634C}.exe
PID 1920 wrote to memory of 2976	1920	{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe	cmd.exe
PID 1920 wrote to memory of 2976	1920	{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe	cmd.exe
PID 1920 wrote to memory of 2976	1920	{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe	cmd.exe
PID 2800 wrote to memory of 1136	2800	{881D0E15-5847-4893-A5F8-2E406852634C}.exe	{30964A4A-6324-49a1-B972-8860D13F0083}.exe
PID 2800 wrote to memory of 1136	2800	{881D0E15-5847-4893-A5F8-2E406852634C}.exe	{30964A4A-6324-49a1-B972-8860D13F0083}.exe
PID 2800 wrote to memory of 1136	2800	{881D0E15-5847-4893-A5F8-2E406852634C}.exe	{30964A4A-6324-49a1-B972-8860D13F0083}.exe
PID 2800 wrote to memory of 3912	2800	{881D0E15-5847-4893-A5F8-2E406852634C}.exe	cmd.exe
PID 2800 wrote to memory of 3912	2800	{881D0E15-5847-4893-A5F8-2E406852634C}.exe	cmd.exe
PID 2800 wrote to memory of 3912	2800	{881D0E15-5847-4893-A5F8-2E406852634C}.exe	cmd.exe
PID 1136 wrote to memory of 752	1136	{30964A4A-6324-49a1-B972-8860D13F0083}.exe	{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe
PID 1136 wrote to memory of 752	1136	{30964A4A-6324-49a1-B972-8860D13F0083}.exe	{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe
PID 1136 wrote to memory of 752	1136	{30964A4A-6324-49a1-B972-8860D13F0083}.exe	{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe
PID 1136 wrote to memory of 1100	1136	{30964A4A-6324-49a1-B972-8860D13F0083}.exe	cmd.exe
PID 1136 wrote to memory of 1100	1136	{30964A4A-6324-49a1-B972-8860D13F0083}.exe	cmd.exe
PID 1136 wrote to memory of 1100	1136	{30964A4A-6324-49a1-B972-8860D13F0083}.exe	cmd.exe
PID 752 wrote to memory of 2536	752	{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe	{4AC962FA-678E-4238-B976-EE815550D43F}.exe
PID 752 wrote to memory of 2536	752	{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe	{4AC962FA-678E-4238-B976-EE815550D43F}.exe
PID 752 wrote to memory of 2536	752	{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe	{4AC962FA-678E-4238-B976-EE815550D43F}.exe
PID 752 wrote to memory of 4240	752	{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe	cmd.exe
PID 752 wrote to memory of 4240	752	{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe	cmd.exe
PID 752 wrote to memory of 4240	752	{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe	cmd.exe
PID 2536 wrote to memory of 3440	2536	{4AC962FA-678E-4238-B976-EE815550D43F}.exe	{47BFE5AE-418F-40fd-8451-54968851534C}.exe
PID 2536 wrote to memory of 3440	2536	{4AC962FA-678E-4238-B976-EE815550D43F}.exe	{47BFE5AE-418F-40fd-8451-54968851534C}.exe
PID 2536 wrote to memory of 3440	2536	{4AC962FA-678E-4238-B976-EE815550D43F}.exe	{47BFE5AE-418F-40fd-8451-54968851534C}.exe
PID 2536 wrote to memory of 1416	2536	{4AC962FA-678E-4238-B976-EE815550D43F}.exe	cmd.exe
PID 2536 wrote to memory of 1416	2536	{4AC962FA-678E-4238-B976-EE815550D43F}.exe	cmd.exe
PID 2536 wrote to memory of 1416	2536	{4AC962FA-678E-4238-B976-EE815550D43F}.exe	cmd.exe
PID 3440 wrote to memory of 2384	3440	{47BFE5AE-418F-40fd-8451-54968851534C}.exe	{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe
PID 3440 wrote to memory of 2384	3440	{47BFE5AE-418F-40fd-8451-54968851534C}.exe	{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe
PID 3440 wrote to memory of 2384	3440	{47BFE5AE-418F-40fd-8451-54968851534C}.exe	{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe
PID 3440 wrote to memory of 544	3440	{47BFE5AE-418F-40fd-8451-54968851534C}.exe	cmd.exe
PID 3440 wrote to memory of 544	3440	{47BFE5AE-418F-40fd-8451-54968851534C}.exe	cmd.exe
PID 3440 wrote to memory of 544	3440	{47BFE5AE-418F-40fd-8451-54968851534C}.exe	cmd.exe
PID 2384 wrote to memory of 3916	2384	{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe	{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe
PID 2384 wrote to memory of 3916	2384	{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe	{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe
PID 2384 wrote to memory of 3916	2384	{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe	{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe
PID 2384 wrote to memory of 4324	2384	{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe	cmd.exe
PID 2384 wrote to memory of 4324	2384	{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe	cmd.exe
PID 2384 wrote to memory of 4324	2384	{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe	cmd.exe
PID 3916 wrote to memory of 3180	3916	{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe	{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe
PID 3916 wrote to memory of 3180	3916	{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe	{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe
PID 3916 wrote to memory of 3180	3916	{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe	{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe
PID 3916 wrote to memory of 4076	3916	{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe	cmd.exe
PID 3916 wrote to memory of 4076	3916	{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe	cmd.exe
PID 3916 wrote to memory of 4076	3916	{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe	cmd.exe
PID 3180 wrote to memory of 1404	3180	{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe	{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe
PID 3180 wrote to memory of 1404	3180	{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe	{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe
PID 3180 wrote to memory of 1404	3180	{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe	{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe
PID 3180 wrote to memory of 1148	3180	{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_2eacf9b575fda381de9e81f90ddd4791_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe
C:\Windows\{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe
C:\Windows\{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\{881D0E15-5847-4893-A5F8-2E406852634C}.exe
C:\Windows\{881D0E15-5847-4893-A5F8-2E406852634C}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\{30964A4A-6324-49a1-B972-8860D13F0083}.exe
C:\Windows\{30964A4A-6324-49a1-B972-8860D13F0083}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe
C:\Windows\{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\{4AC962FA-678E-4238-B976-EE815550D43F}.exe
C:\Windows\{4AC962FA-678E-4238-B976-EE815550D43F}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\{47BFE5AE-418F-40fd-8451-54968851534C}.exe
C:\Windows\{47BFE5AE-418F-40fd-8451-54968851534C}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe
C:\Windows\{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe
C:\Windows\{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe
C:\Windows\{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe
C:\Windows\{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\{C0A25693-AB72-4603-B77E-61694E66D8EC}.exe
C:\Windows\{C0A25693-AB72-4603-B77E-61694E66D8EC}.exe
13⤵
- Executes dropped EXE
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B053A~1.EXE > nul
13⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F9074~1.EXE > nul
12⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D27E7~1.EXE > nul
11⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0DA97~1.EXE > nul
10⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{47BFE~1.EXE > nul
9⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4AC96~1.EXE > nul
8⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D94FE~1.EXE > nul
7⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{30964~1.EXE > nul
6⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{881D0~1.EXE > nul
5⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4B479~1.EXE > nul
4⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B489A~1.EXE > nul
3⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DA97E3A-24C8-4613-8345-6DDF65C1CD28}.exe
Filesize
180KB

MD5
97dec3d9afb895a9fa0a86cf53d307e0

SHA1
412a4c1fda22483efd6e570b057fd0500db6389a

SHA256
7f30cc2a837091387fbc1894e93c843c56752e26ed5cc49d56eedc7e4c203afe

SHA512
9e7da053fa29ba078ee8db0437add93733a801af6a20e36c0932cb5ff3fccb07978a5c8705cfd9633efe7d6f6e35c756da396ce163944ef17f8a9bdb6b96cce0

Download Submit
C:\Windows\{30964A4A-6324-49a1-B972-8860D13F0083}.exe
Filesize
180KB

MD5
aa4abcaee51c7b1bd4412960216e08a7

SHA1
2d46b69da3e8b25b22dbcb4a9e057d0845044007

SHA256
5cd6a2cab3dc43e58ae5c522ea23dede7c891dfabeab18f226526515bc33bd65

SHA512
6dadb58228f6eaab13eedc4aab63e4c9a154e0e22e39704679940c58438c7adf05c57fc5b529f47dd421149329fd1bcda1173445f2fd4b3bd0a15a68d87e925f

Download Submit
C:\Windows\{47BFE5AE-418F-40fd-8451-54968851534C}.exe
Filesize
180KB

MD5
6d4d07b3af651b63baba4531e50e7912

SHA1
e6620519f8bd6080c51ea9f4d7a84df481951639

SHA256
876e812b3580d686f6974f988765a2e8b3b0dedd35a78696c43f3ed08044a45b

SHA512
7d6e58dc8e32a5ed538f1e6ee5f762247b1f29e382d0f7a25a3985d30036064768ed00a8bddb5660b03e3c2cabdef4fcca608e548decdab89541713a8d6e5b72

Download Submit
C:\Windows\{4AC962FA-678E-4238-B976-EE815550D43F}.exe
Filesize
180KB

MD5
e1e818ac64f068697368e6045ca05e2d

SHA1
79428a34a417a878b4bc6f5b487c172111852f79

SHA256
76e060b6d37ab3ef5a5568b490e2486da8948dbd15b9866432065fcfa2c65eab

SHA512
55af2f284cc88c4535867535b50702c9f5eb083797b2921d443ba0f119f1299b8a419b13c8f659fe12895b026dd2e31b97383922af22eb8f86f6c0598755a519

Download Submit
C:\Windows\{4B479B5F-5F0C-44ba-8DE0-1A012B0EDBF6}.exe
Filesize
180KB

MD5
03589cf75562fdf9e761388535f0ae92

SHA1
b2c462b6ff5d318b82c85761d9757daf7a6116d3

SHA256
df1d0f6f658b2a3db68387f8f63c2f4d79c303dc551b81ca33ab8547fd6db19d

SHA512
d661e56e67997c4b840941ac36ef9fd7b6977a28e9a71f597abc26442e3cd38f144dc15c3781801339a3d71fd560f193d76f0180b03a002f220a116f5fb388de

Download Submit
C:\Windows\{881D0E15-5847-4893-A5F8-2E406852634C}.exe
Filesize
180KB

MD5
71214d3f6dffb2e900179b6bf1a855cb

SHA1
c3f56675515862a5ce39997b2cb3046cebc520bd

SHA256
a0051efb488e89ed16b27a513a4cf13b9ae45424fd0fb02c370264394dd04f09

SHA512
c2932cb94156b60ed4cf03e67234271460d4cc0f35029a7caaf64d3d6d2716138bcd792a17ef55c9797909ddc85950ac1f95bd861d0376c2012aa0f05aa28c90

Download Submit
C:\Windows\{B053AFD1-A7EF-4e19-B505-49B5D28CAD4E}.exe
Filesize
180KB

MD5
6ced3d9de12958084319b1ee8429de9c

SHA1
c0cdfa276cdf862a47f4e963be02ad85a7515cfa

SHA256
2bdc331d70fcd0a51a7989cb5daedcf19d6aed4cc28643ab79f14d67135d0a60

SHA512
7b1bb42b70636212bc0bbbf14a891781e82f19d09f490a3c78ce6712a81048dc2b8be53b72f1908895ea1c506dfa7faa981dad22bc00b13ed9e1335a53c9061e

Download Submit
C:\Windows\{B489A696-4E5C-4037-AE8F-09B5552ED254}.exe
Filesize
180KB

MD5
9bd304757019bfaa08f8517283c65d07

SHA1
2eebe5db7c72ef1f2f2116a08f4bd3e865b3db1e

SHA256
e28f80c05ff25d27e0daf8dda5c46aaaf3339638c9beb8e217b6845591ca7414

SHA512
44292b1b8d237788250eb0030b75f6964cf5e374d8529397a16edc2ba84ec3116223b94aaac58174d04a990d0d4455ecc5dcdc5820209c813fe4b3225e4c19ef

Download Submit
C:\Windows\{C0A25693-AB72-4603-B77E-61694E66D8EC}.exe
Filesize
180KB

MD5
5b794a57ece526488f2e1405f24efaca

SHA1
fcd442a13643076875e5b5b364ba5b52543968a8

SHA256
9b520a57b245fd4c88197170f873b75fb8d777997d87646fea405642c7f70208

SHA512
89a1d17e13f5950af17a05bc32eec630dcee5a36754994bdfdae1b5a784d0af09c0ff3649e88454893259436ce67086f1c9b431fe30912135658f5084c3e4f24

Download Submit
C:\Windows\{D27E736C-CA84-4e7c-A4E1-9AEC897DD624}.exe
Filesize
180KB

MD5
c56698319fd3dfff3c6c8ff3d28b5582

SHA1
552c3c6b3d76b4697d68f01f28bc9f1401d0df2e

SHA256
c72ce6eecb2af32d63899e638ddd8d87e23e51bf002e816bd5227b1905028e0e

SHA512
b897f0aad1c78e5603026278afb691e29733167007bd499c6143b71b1add13209ca4ee160223341df974ff8079dc0fba0ef74acd320d3cbb4ff47dff67f65a43

Download Submit
C:\Windows\{D94FE666-7F81-4a51-9009-1EBC8822B826}.exe
Filesize
180KB

MD5
fcb2959997ef212e60d27eaab30bc153

SHA1
6903d217a30160ee3f96d498c2df5b5fc99311c9

SHA256
e55a31c464fefb834d884c0327f892f5d5a70cc520caa8f58570f39e1443826c

SHA512
9ec8a71237fa41faa265f4504ea3a804977ecda5862f81b04a9f4777b6aee86cef1dded6dc5f882d50e1d87cd8cb227d6c6fb0e330cf25454ee4b272759ac7e9

Download Submit
C:\Windows\{F9074963-CCE7-48f2-8BB9-744CD89E00B5}.exe
Filesize
180KB

MD5
6c77a5aab617083fab1243b78af6b93a

SHA1
a56aec30f326bd07f7af394a01e2ea4df9d0a441

SHA256
001678a30c781773126eb0e16d92aa791a83a4d57542cc413c8c1fa47b237150

SHA512
3f89da56511eea74c6a78fce9b8676c90c0d51d3347983e4d84245f2714dd9e141ad992293f295968d77e808feb7436e68857309900c20c55d1c52c1173b4e4d

Download Submit