eb8618b290072d1b82d72dde55fd6751058bb2743e5ade71ecb6e49064367501

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe
Size

344KB
MD5

3c54dfa7f5dbc7b2ab206d89106b8a07
SHA1

33e3d25d7efac7ccb29f47f0a1c91a68f6b6cd39
SHA256

eb8618b290072d1b82d72dde55fd6751058bb2743e5ade71ecb6e49064367501
SHA512

cd24be223e47d37c0a891ad623963543c1fe8c919f6112f877a1d42c68a3640520dc23ef944e9e9fd1f44af1e30c670dce50c8a35a9ef5472e87718d6acbfe6b
SSDEEP

3072:mEGh0oqlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGIlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{B006DF63-9CA2-46db-93B7-1B062557229A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B835D103-D97E-453f-B868-9B841418B729}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A0FB91DD-21D6-4562-A836-29EE60D1FD21}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7FCE66BD-E385-45c1-A1B6-AAACD5E4D456}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe{A0FB91DD-21D6-4562-A836-29EE60D1FD21}.exe{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}.exe2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe{B835D103-D97E-453f-B868-9B841418B729}.exe{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe{B006DF63-9CA2-46db-93B7-1B062557229A}.exe{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0FB91DD-21D6-4562-A836-29EE60D1FD21}\stubpath = "C:\\Windows\\{A0FB91DD-21D6-4562-A836-29EE60D1FD21}.exe"	{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}	{A0FB91DD-21D6-4562-A836-29EE60D1FD21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FCE66BD-E385-45c1-A1B6-AAACD5E4D456}\stubpath = "C:\\Windows\\{7FCE66BD-E385-45c1-A1B6-AAACD5E4D456}.exe"	{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B006DF63-9CA2-46db-93B7-1B062557229A}\stubpath = "C:\\Windows\\{B006DF63-9CA2-46db-93B7-1B062557229A}.exe"	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{663B12EA-1424-40e7-89E3-93CCB2F5DA60}\stubpath = "C:\\Windows\\{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe"	{B835D103-D97E-453f-B868-9B841418B729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}\stubpath = "C:\\Windows\\{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}.exe"	{A0FB91DD-21D6-4562-A836-29EE60D1FD21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1C6189A-A977-47d5-8483-0D98B22874F3}\stubpath = "C:\\Windows\\{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe"	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}\stubpath = "C:\\Windows\\{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe"	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}\stubpath = "C:\\Windows\\{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe"	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{663B12EA-1424-40e7-89E3-93CCB2F5DA60}	{B835D103-D97E-453f-B868-9B841418B729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B835D103-D97E-453f-B868-9B841418B729}\stubpath = "C:\\Windows\\{B835D103-D97E-453f-B868-9B841418B729}.exe"	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}\stubpath = "C:\\Windows\\{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe"	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1C6189A-A977-47d5-8483-0D98B22874F3}	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0FB91DD-21D6-4562-A836-29EE60D1FD21}	{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FCE66BD-E385-45c1-A1B6-AAACD5E4D456}	{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B006DF63-9CA2-46db-93B7-1B062557229A}	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}\stubpath = "C:\\Windows\\{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe"	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B835D103-D97E-453f-B868-9B841418B729}	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2996 cmd.exe

pid	process
2996	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{B006DF63-9CA2-46db-93B7-1B062557229A}.exe{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe{B835D103-D97E-453f-B868-9B841418B729}.exe{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe{A0FB91DD-21D6-4562-A836-29EE60D1FD21}.exe{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}.exe{7FCE66BD-E385-45c1-A1B6-AAACD5E4D456}.exe

pid	process
1256	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe
2768	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe
2816	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe
2828	{B835D103-D97E-453f-B868-9B841418B729}.exe
2856	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe
2428	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe
1348	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe
2776	{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe
1768	{A0FB91DD-21D6-4562-A836-29EE60D1FD21}.exe
1088	{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}.exe
1168	{7FCE66BD-E385-45c1-A1B6-AAACD5E4D456}.exe

Drops file in Windows directory 11 IoCs

Processes:

{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe{B835D103-D97E-453f-B868-9B841418B729}.exe{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}.exe2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe{B006DF63-9CA2-46db-93B7-1B062557229A}.exe{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe{A0FB91DD-21D6-4562-A836-29EE60D1FD21}.exe

description	ioc	process
File created	C:\Windows\{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe
File created	C:\Windows\{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe	{B835D103-D97E-453f-B868-9B841418B729}.exe
File created	C:\Windows\{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe
File created	C:\Windows\{7FCE66BD-E385-45c1-A1B6-AAACD5E4D456}.exe	{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}.exe
File created	C:\Windows\{B006DF63-9CA2-46db-93B7-1B062557229A}.exe	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe
File created	C:\Windows\{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe
File created	C:\Windows\{B835D103-D97E-453f-B868-9B841418B729}.exe	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe
File created	C:\Windows\{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe
File created	C:\Windows\{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe
File created	C:\Windows\{A0FB91DD-21D6-4562-A836-29EE60D1FD21}.exe	{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe
File created	C:\Windows\{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}.exe	{A0FB91DD-21D6-4562-A836-29EE60D1FD21}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe{B006DF63-9CA2-46db-93B7-1B062557229A}.exe{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe{B835D103-D97E-453f-B868-9B841418B729}.exe{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe{A0FB91DD-21D6-4562-A836-29EE60D1FD21}.exe{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1340	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1256	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe
Token: SeIncBasePriorityPrivilege	2768	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe
Token: SeIncBasePriorityPrivilege	2816	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe
Token: SeIncBasePriorityPrivilege	2828	{B835D103-D97E-453f-B868-9B841418B729}.exe
Token: SeIncBasePriorityPrivilege	2856	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe
Token: SeIncBasePriorityPrivilege	2428	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe
Token: SeIncBasePriorityPrivilege	1348	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe
Token: SeIncBasePriorityPrivilege	2776	{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe
Token: SeIncBasePriorityPrivilege	1768	{A0FB91DD-21D6-4562-A836-29EE60D1FD21}.exe
Token: SeIncBasePriorityPrivilege	1088	{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1340 wrote to memory of 1256	1340	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe
PID 1340 wrote to memory of 1256	1340	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe
PID 1340 wrote to memory of 1256	1340	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe
PID 1340 wrote to memory of 1256	1340	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe
PID 1340 wrote to memory of 2996	1340	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe	cmd.exe
PID 1340 wrote to memory of 2996	1340	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe	cmd.exe
PID 1340 wrote to memory of 2996	1340	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe	cmd.exe
PID 1340 wrote to memory of 2996	1340	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe	cmd.exe
PID 1256 wrote to memory of 2768	1256	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe
PID 1256 wrote to memory of 2768	1256	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe
PID 1256 wrote to memory of 2768	1256	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe
PID 1256 wrote to memory of 2768	1256	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe
PID 1256 wrote to memory of 2924	1256	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe	cmd.exe
PID 1256 wrote to memory of 2924	1256	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe	cmd.exe
PID 1256 wrote to memory of 2924	1256	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe	cmd.exe
PID 1256 wrote to memory of 2924	1256	{B006DF63-9CA2-46db-93B7-1B062557229A}.exe	cmd.exe
PID 2768 wrote to memory of 2816	2768	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe
PID 2768 wrote to memory of 2816	2768	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe
PID 2768 wrote to memory of 2816	2768	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe
PID 2768 wrote to memory of 2816	2768	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe
PID 2768 wrote to memory of 2560	2768	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe	cmd.exe
PID 2768 wrote to memory of 2560	2768	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe	cmd.exe
PID 2768 wrote to memory of 2560	2768	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe	cmd.exe
PID 2768 wrote to memory of 2560	2768	{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe	cmd.exe
PID 2816 wrote to memory of 2828	2816	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe	{B835D103-D97E-453f-B868-9B841418B729}.exe
PID 2816 wrote to memory of 2828	2816	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe	{B835D103-D97E-453f-B868-9B841418B729}.exe
PID 2816 wrote to memory of 2828	2816	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe	{B835D103-D97E-453f-B868-9B841418B729}.exe
PID 2816 wrote to memory of 2828	2816	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe	{B835D103-D97E-453f-B868-9B841418B729}.exe
PID 2816 wrote to memory of 2304	2816	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe	cmd.exe
PID 2816 wrote to memory of 2304	2816	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe	cmd.exe
PID 2816 wrote to memory of 2304	2816	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe	cmd.exe
PID 2816 wrote to memory of 2304	2816	{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe	cmd.exe
PID 2828 wrote to memory of 2856	2828	{B835D103-D97E-453f-B868-9B841418B729}.exe	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe
PID 2828 wrote to memory of 2856	2828	{B835D103-D97E-453f-B868-9B841418B729}.exe	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe
PID 2828 wrote to memory of 2856	2828	{B835D103-D97E-453f-B868-9B841418B729}.exe	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe
PID 2828 wrote to memory of 2856	2828	{B835D103-D97E-453f-B868-9B841418B729}.exe	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe
PID 2828 wrote to memory of 2888	2828	{B835D103-D97E-453f-B868-9B841418B729}.exe	cmd.exe
PID 2828 wrote to memory of 2888	2828	{B835D103-D97E-453f-B868-9B841418B729}.exe	cmd.exe
PID 2828 wrote to memory of 2888	2828	{B835D103-D97E-453f-B868-9B841418B729}.exe	cmd.exe
PID 2828 wrote to memory of 2888	2828	{B835D103-D97E-453f-B868-9B841418B729}.exe	cmd.exe
PID 2856 wrote to memory of 2428	2856	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe
PID 2856 wrote to memory of 2428	2856	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe
PID 2856 wrote to memory of 2428	2856	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe
PID 2856 wrote to memory of 2428	2856	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe
PID 2856 wrote to memory of 2016	2856	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe	cmd.exe
PID 2856 wrote to memory of 2016	2856	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe	cmd.exe
PID 2856 wrote to memory of 2016	2856	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe	cmd.exe
PID 2856 wrote to memory of 2016	2856	{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe	cmd.exe
PID 2428 wrote to memory of 1348	2428	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe
PID 2428 wrote to memory of 1348	2428	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe
PID 2428 wrote to memory of 1348	2428	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe
PID 2428 wrote to memory of 1348	2428	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe
PID 2428 wrote to memory of 1808	2428	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe	cmd.exe
PID 2428 wrote to memory of 1808	2428	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe	cmd.exe
PID 2428 wrote to memory of 1808	2428	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe	cmd.exe
PID 2428 wrote to memory of 1808	2428	{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe	cmd.exe
PID 1348 wrote to memory of 2776	1348	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe	{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe
PID 1348 wrote to memory of 2776	1348	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe	{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe
PID 1348 wrote to memory of 2776	1348	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe	{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe
PID 1348 wrote to memory of 2776	1348	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe	{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe
PID 1348 wrote to memory of 1648	1348	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe	cmd.exe
PID 1348 wrote to memory of 1648	1348	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe	cmd.exe
PID 1348 wrote to memory of 1648	1348	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe	cmd.exe
PID 1348 wrote to memory of 1648	1348	{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\{B006DF63-9CA2-46db-93B7-1B062557229A}.exe
  C:\Windows\{B006DF63-9CA2-46db-93B7-1B062557229A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe
    C:\Windows\{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe
      C:\Windows\{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\{B835D103-D97E-453f-B868-9B841418B729}.exe
        
        C:\Windows\{B835D103-D97E-453f-B868-9B841418B729}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe
        
        C:\Windows\{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe
        
        C:\Windows\{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe
        
        C:\Windows\{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe
        
        C:\Windows\{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\{A0FB91DD-21D6-4562-A836-29EE60D1FD21}.exe
        
        C:\Windows\{A0FB91DD-21D6-4562-A836-29EE60D1FD21}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}.exe
        
        C:\Windows\{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\{7FCE66BD-E385-45c1-A1B6-AAACD5E4D456}.exe
        
        C:\Windows\{7FCE66BD-E385-45c1-A1B6-AAACD5E4D456}.exe
        12⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C088C~1.EXE > nul
        12⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0FB9~1.EXE > nul
        11⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1C61~1.EXE > nul
        10⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD581~1.EXE > nul
        9⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C89A6~1.EXE > nul
        8⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{663B1~1.EXE > nul
        7⤵
        
        PID:2016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B835D~1.EXE > nul
        6⤵
        
        PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6E8B~1.EXE > nul
        5⤵
        
        PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{869FD~1.EXE > nul
      4⤵
      PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B006D~1.EXE > nul
    3⤵
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{663B12EA-1424-40e7-89E3-93CCB2F5DA60}.exe

Filesize
344KB

MD5
1cba9d39e79ab5b9100c23e798c0b886

SHA1
85f4fb420d791f8d1716dc488dd64ef6c18753c1

SHA256
42550d663c46e02c1679ca7ed8ed90583beb6bcc57e41bc5467590d73994248d

SHA512
3bea397de20b5515f6a4c3726c8972aae71e494e3c761935513e6e4ae1cb58b75b9cb5efc99278ddd089079907d2948cadfd23ee2451d1f00015c2501b3051a6

Download Submit
C:\Windows\{7FCE66BD-E385-45c1-A1B6-AAACD5E4D456}.exe

Filesize
344KB

MD5
1e5aa0ce41c6b3112cdbb05dfa01ff8c

SHA1
9f099d09f519eab5c883e069a3512443d5c76801

SHA256
b22549e9d4745a8c442ba50f01e063273365f9ff82162e63ee3b10109ef6f550

SHA512
99af5db2b241034ed8bd48d74b5ce3dfa24b8cec33c798e8191dfd219a988ed733e9869f07d75239689ee4271f3a2a239ef5da629b3ba3d7ed6a90dc8332e771

Download Submit
C:\Windows\{869FDBB6-1B3C-4f77-AEE9-286F0BA58A54}.exe

Filesize
344KB

MD5
f96eb0e0f9725a2f962f123a17e5352c

SHA1
d03bf43a826d9485916afe1e4038bf9498b843e2

SHA256
3a8fc1906310a0d45b934582215a5863540691f442999591362b4d29f36fe87c

SHA512
bf0bc896449dc1e16ca20e9b43761a2008b6321aeb149b3ef876c99d0bb0ca4ce06bcc8603991d5c9c8f407dbda198532e3ff94cb206bb3328209ff10b4b83c6

Download Submit
C:\Windows\{A0FB91DD-21D6-4562-A836-29EE60D1FD21}.exe

Filesize
344KB

MD5
28fdafa8a31e9c2d031fd2b4722a0778

SHA1
3668090a8563918e0dbd65aa7bb0c10d7ed2164a

SHA256
25890bb232fc18742af41f8948be0f79a7c51a50140ead2e6fc31a88c88392d1

SHA512
9aa0297afc4a1c64c694b8905bfb2ede2ab4849abf6db617be901ec842e3e40297dd2e29d9786de0a7b100a184e6371684974ee6a70b7de2a0e3dc821b925e2f

Download Submit
C:\Windows\{AD5812B2-51C3-4a4a-9B14-DA9583BC4E91}.exe

Filesize
344KB

MD5
449b20590e5055e4c56cac7f59a9790b

SHA1
2d0967a91b24d60083ab679b1384fa576f0026d8

SHA256
76572889e1a3f67725f4e2eb9c8f1e09fd8ef0474a5d33938b351957775843a5

SHA512
3248e8d0afcb8891cba087a0e53e9a60765e26cef2a71c4752fab9c65188028e74e32297796b8b119ac5c4e67409c55330f0e1b2890abb1ce61dd2e222e7203a

Download Submit
C:\Windows\{B006DF63-9CA2-46db-93B7-1B062557229A}.exe

Filesize
344KB

MD5
d5a4a5d37ecf212d915ec9b9ecb5fb3f

SHA1
7b0fcb3f14eef78d432a127ef6abdb6eabbed9ee

SHA256
0bb8a70fda247cedeafb4b82bf1aac4b87c101103df0490d2f520cccc0d68455

SHA512
9ab8c14300c2a31b530d36f79aba6f9178c9aa8fa2b6b98ccf1ffb93d3d3cdb1101bc5746ec10bf186d8ec4b052cae28a7c5c08fdda8825c1a5fbb858d404079

Download Submit
C:\Windows\{B835D103-D97E-453f-B868-9B841418B729}.exe

Filesize
344KB

MD5
1db62b07c3a58dc6fc886dc80ae0d0d3

SHA1
7e6009b9af07c10fa3cdfcd3764d4d3903479b7e

SHA256
3b7d1215f2ded88b57e2e80c46cda91166f5fedd377044cd5c84cab39a2ed94d

SHA512
84a6c3471641a779f2762976e845fc983276137c1203ec4b14848b07fc0e79cdb84cd5c46f11b883c2b20492342b8ef7e6a97284af6cbc4735c59ac873eabfa5

Download Submit
C:\Windows\{C088CD10-EF86-4c44-A54B-7FDCB5D722BA}.exe

Filesize
344KB

MD5
ae7d11ef91323dab5456979101b1c9e0

SHA1
2b900e1db58119eae87235a22c7444de1f214055

SHA256
2be533d586c4901f79f776b80519fe6f38f9241e3dc2aaee605274d96bde2ad0

SHA512
7e0c0920484c065bfe7732e27d72102b2282894bb6702b0501ad9126736ee55ee96787f002c3bb3bc4d2d624287375af1fad01385a6be8ecb805b858c4228f2c

Download Submit
C:\Windows\{C89A6C5B-0A24-4360-A9EA-4B2CF531AEA1}.exe

Filesize
344KB

MD5
d25b33a2943b3840edd6b4e5e37b6737

SHA1
02cdfeaa859c33126539bd5551443fbb4dc2776f

SHA256
24a10a1928298ca9b23c69ddd1b4c0a84b88c7009c237ee871829ae22b2d5994

SHA512
0f940ca3166ae26f5c75cc40c8e2e8dffd7cbf2d3c4879e70f5b67c0c933ea94d9503865245592c6c46dd8c7582a8795e18d89b27cd7539d1f825272bee73890

Download Submit
C:\Windows\{D1C6189A-A977-47d5-8483-0D98B22874F3}.exe

Filesize
344KB

MD5
5ab20e29e30df17386c112878b16ecf5

SHA1
1791f6e75025d33d52d5535b131ea9ef1e7316f3

SHA256
9ea9e831554ae53340f8ebf8ddc7df747bc46b4a333bc7dca411012225acbc12

SHA512
09bccd7efcb6b6065c367b7cdd9586a8dffc4493d6dbb9c0392fc50ae6fa73297b4a19cb9ce1bb174e0f9597465e5e2c74ce75a8fca8efb6e859cf89286ba0e5

Download Submit
C:\Windows\{E6E8B1C4-EF7F-4ce8-89EC-C87B17AEE589}.exe

Filesize
344KB

MD5
b2dfe866f3f237fa0ce8e8d66d36622c

SHA1
44f1baf061d9b69d413bbba8481cf6f054fcf752

SHA256
358c6ecabfd2d8bef4ad1bc4603f57becfaa8e9350bb1dd39c73b82b7d8fc47d

SHA512
46679b07dd87a76761c5a0ea48a57037365150b513c07b81a0599c411d1eaecce14ce88d2c4a4e2b7a73c19509ca8af0dab88d19758ce5baecf1e965edf9b43f

Download Submit