eb8618b290072d1b82d72dde55fd6751058bb2743e5ade71ecb6e49064367501

Analysis

max time kernel
149s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe
Size

344KB
MD5

3c54dfa7f5dbc7b2ab206d89106b8a07
SHA1

33e3d25d7efac7ccb29f47f0a1c91a68f6b6cd39
SHA256

eb8618b290072d1b82d72dde55fd6751058bb2743e5ade71ecb6e49064367501
SHA512

cd24be223e47d37c0a891ad623963543c1fe8c919f6112f877a1d42c68a3640520dc23ef944e9e9fd1f44af1e30c670dce50c8a35a9ef5472e87718d6acbfe6b
SSDEEP

3072:mEGh0oqlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGIlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{75662F03-4C00-4953-82C3-74A277D83D4C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{74167292-F9DD-4cb7-A658-4199889245DE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{081AC82E-150A-42cf-9FB4-0E9EBB2D0018}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe{75662F03-4C00-4953-82C3-74A277D83D4C}.exe{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe{74167292-F9DD-4cb7-A658-4199889245DE}.exe2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}	{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}	{75662F03-4C00-4953-82C3-74A277D83D4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B50E5BF9-7ED5-417f-866B-8EFE339E472D}\stubpath = "C:\\Windows\\{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe"	{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{081AC82E-150A-42cf-9FB4-0E9EBB2D0018}	{74167292-F9DD-4cb7-A658-4199889245DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{081AC82E-150A-42cf-9FB4-0E9EBB2D0018}\stubpath = "C:\\Windows\\{081AC82E-150A-42cf-9FB4-0E9EBB2D0018}.exe"	{74167292-F9DD-4cb7-A658-4199889245DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}\stubpath = "C:\\Windows\\{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe"	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2228996D-891A-497a-A831-7CAA6AA6DDC8}\stubpath = "C:\\Windows\\{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe"	{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}\stubpath = "C:\\Windows\\{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe"	{75662F03-4C00-4953-82C3-74A277D83D4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74167292-F9DD-4cb7-A658-4199889245DE}	{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75662F03-4C00-4953-82C3-74A277D83D4C}	{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75662F03-4C00-4953-82C3-74A277D83D4C}\stubpath = "C:\\Windows\\{75662F03-4C00-4953-82C3-74A277D83D4C}.exe"	{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{318CF849-B63A-476d-8B4F-2192DD4925CD}\stubpath = "C:\\Windows\\{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe"	{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}\stubpath = "C:\\Windows\\{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe"	{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{318CF849-B63A-476d-8B4F-2192DD4925CD}	{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2228996D-891A-497a-A831-7CAA6AA6DDC8}	{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B50E5BF9-7ED5-417f-866B-8EFE339E472D}	{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}	{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}\stubpath = "C:\\Windows\\{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe"	{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC4ABE24-2280-4336-A638-1D92BD3CBF00}	{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57D3ED60-A53A-4aeb-961B-76F9B57A0404}	{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57D3ED60-A53A-4aeb-961B-76F9B57A0404}\stubpath = "C:\\Windows\\{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe"	{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC4ABE24-2280-4336-A638-1D92BD3CBF00}\stubpath = "C:\\Windows\\{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe"	{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74167292-F9DD-4cb7-A658-4199889245DE}\stubpath = "C:\\Windows\\{74167292-F9DD-4cb7-A658-4199889245DE}.exe"	{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe

Executes dropped EXE 12 IoCs

Processes:

{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe{75662F03-4C00-4953-82C3-74A277D83D4C}.exe{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe{74167292-F9DD-4cb7-A658-4199889245DE}.exe{081AC82E-150A-42cf-9FB4-0E9EBB2D0018}.exe

pid	process
1844	{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe
2644	{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe
2288	{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe
1336	{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe
2348	{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe
4388	{75662F03-4C00-4953-82C3-74A277D83D4C}.exe
4836	{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe
1680	{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe
3960	{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe
2288	{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe
4948	{74167292-F9DD-4cb7-A658-4199889245DE}.exe
4420	{081AC82E-150A-42cf-9FB4-0E9EBB2D0018}.exe

Drops file in Windows directory 12 IoCs

Processes:

2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe{75662F03-4C00-4953-82C3-74A277D83D4C}.exe{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe{74167292-F9DD-4cb7-A658-4199889245DE}.exe

description	ioc	process
File created	C:\Windows\{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe
File created	C:\Windows\{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe	{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe
File created	C:\Windows\{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe	{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe
File created	C:\Windows\{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe	{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe
File created	C:\Windows\{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe	{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe
File created	C:\Windows\{74167292-F9DD-4cb7-A658-4199889245DE}.exe	{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe
File created	C:\Windows\{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe	{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe
File created	C:\Windows\{75662F03-4C00-4953-82C3-74A277D83D4C}.exe	{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe
File created	C:\Windows\{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe	{75662F03-4C00-4953-82C3-74A277D83D4C}.exe
File created	C:\Windows\{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe	{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe
File created	C:\Windows\{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe	{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe
File created	C:\Windows\{081AC82E-150A-42cf-9FB4-0E9EBB2D0018}.exe	{74167292-F9DD-4cb7-A658-4199889245DE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe{75662F03-4C00-4953-82C3-74A277D83D4C}.exe{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe{74167292-F9DD-4cb7-A658-4199889245DE}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2692	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1844	{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe
Token: SeIncBasePriorityPrivilege	2644	{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe
Token: SeIncBasePriorityPrivilege	2288	{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe
Token: SeIncBasePriorityPrivilege	1336	{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe
Token: SeIncBasePriorityPrivilege	2348	{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe
Token: SeIncBasePriorityPrivilege	4388	{75662F03-4C00-4953-82C3-74A277D83D4C}.exe
Token: SeIncBasePriorityPrivilege	4836	{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe
Token: SeIncBasePriorityPrivilege	1680	{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe
Token: SeIncBasePriorityPrivilege	3960	{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe
Token: SeIncBasePriorityPrivilege	2288	{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe
Token: SeIncBasePriorityPrivilege	4948	{74167292-F9DD-4cb7-A658-4199889245DE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe{75662F03-4C00-4953-82C3-74A277D83D4C}.exe{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe

description	pid	process	target process
PID 2692 wrote to memory of 1844	2692	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe	{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe
PID 2692 wrote to memory of 1844	2692	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe	{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe
PID 2692 wrote to memory of 1844	2692	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe	{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe
PID 2692 wrote to memory of 3636	2692	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe	cmd.exe
PID 2692 wrote to memory of 3636	2692	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe	cmd.exe
PID 2692 wrote to memory of 3636	2692	2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe	cmd.exe
PID 1844 wrote to memory of 2644	1844	{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe	{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe
PID 1844 wrote to memory of 2644	1844	{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe	{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe
PID 1844 wrote to memory of 2644	1844	{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe	{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe
PID 1844 wrote to memory of 4520	1844	{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe	cmd.exe
PID 1844 wrote to memory of 4520	1844	{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe	cmd.exe
PID 1844 wrote to memory of 4520	1844	{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe	cmd.exe
PID 2644 wrote to memory of 2288	2644	{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe	{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe
PID 2644 wrote to memory of 2288	2644	{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe	{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe
PID 2644 wrote to memory of 2288	2644	{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe	{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe
PID 2644 wrote to memory of 3188	2644	{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe	cmd.exe
PID 2644 wrote to memory of 3188	2644	{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe	cmd.exe
PID 2644 wrote to memory of 3188	2644	{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe	cmd.exe
PID 2288 wrote to memory of 1336	2288	{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe	{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe
PID 2288 wrote to memory of 1336	2288	{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe	{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe
PID 2288 wrote to memory of 1336	2288	{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe	{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe
PID 2288 wrote to memory of 2396	2288	{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe	cmd.exe
PID 2288 wrote to memory of 2396	2288	{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe	cmd.exe
PID 2288 wrote to memory of 2396	2288	{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe	cmd.exe
PID 1336 wrote to memory of 2348	1336	{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe	{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe
PID 1336 wrote to memory of 2348	1336	{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe	{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe
PID 1336 wrote to memory of 2348	1336	{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe	{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe
PID 1336 wrote to memory of 4140	1336	{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe	cmd.exe
PID 1336 wrote to memory of 4140	1336	{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe	cmd.exe
PID 1336 wrote to memory of 4140	1336	{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe	cmd.exe
PID 2348 wrote to memory of 4388	2348	{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe	{75662F03-4C00-4953-82C3-74A277D83D4C}.exe
PID 2348 wrote to memory of 4388	2348	{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe	{75662F03-4C00-4953-82C3-74A277D83D4C}.exe
PID 2348 wrote to memory of 4388	2348	{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe	{75662F03-4C00-4953-82C3-74A277D83D4C}.exe
PID 2348 wrote to memory of 3732	2348	{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe	cmd.exe
PID 2348 wrote to memory of 3732	2348	{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe	cmd.exe
PID 2348 wrote to memory of 3732	2348	{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe	cmd.exe
PID 4388 wrote to memory of 4836	4388	{75662F03-4C00-4953-82C3-74A277D83D4C}.exe	{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe
PID 4388 wrote to memory of 4836	4388	{75662F03-4C00-4953-82C3-74A277D83D4C}.exe	{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe
PID 4388 wrote to memory of 4836	4388	{75662F03-4C00-4953-82C3-74A277D83D4C}.exe	{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe
PID 4388 wrote to memory of 4864	4388	{75662F03-4C00-4953-82C3-74A277D83D4C}.exe	cmd.exe
PID 4388 wrote to memory of 4864	4388	{75662F03-4C00-4953-82C3-74A277D83D4C}.exe	cmd.exe
PID 4388 wrote to memory of 4864	4388	{75662F03-4C00-4953-82C3-74A277D83D4C}.exe	cmd.exe
PID 4836 wrote to memory of 1680	4836	{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe	{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe
PID 4836 wrote to memory of 1680	4836	{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe	{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe
PID 4836 wrote to memory of 1680	4836	{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe	{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe
PID 4836 wrote to memory of 3260	4836	{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe	cmd.exe
PID 4836 wrote to memory of 3260	4836	{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe	cmd.exe
PID 4836 wrote to memory of 3260	4836	{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe	cmd.exe
PID 1680 wrote to memory of 3960	1680	{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe	{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe
PID 1680 wrote to memory of 3960	1680	{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe	{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe
PID 1680 wrote to memory of 3960	1680	{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe	{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe
PID 1680 wrote to memory of 4212	1680	{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe	cmd.exe
PID 1680 wrote to memory of 4212	1680	{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe	cmd.exe
PID 1680 wrote to memory of 4212	1680	{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe	cmd.exe
PID 3960 wrote to memory of 2288	3960	{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe	{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe
PID 3960 wrote to memory of 2288	3960	{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe	{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe
PID 3960 wrote to memory of 2288	3960	{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe	{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe
PID 3960 wrote to memory of 2044	3960	{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe	cmd.exe
PID 3960 wrote to memory of 2044	3960	{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe	cmd.exe
PID 3960 wrote to memory of 2044	3960	{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe	cmd.exe
PID 2288 wrote to memory of 4948	2288	{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe	{74167292-F9DD-4cb7-A658-4199889245DE}.exe
PID 2288 wrote to memory of 4948	2288	{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe	{74167292-F9DD-4cb7-A658-4199889245DE}.exe
PID 2288 wrote to memory of 4948	2288	{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe	{74167292-F9DD-4cb7-A658-4199889245DE}.exe
PID 2288 wrote to memory of 5008	2288	{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_3c54dfa7f5dbc7b2ab206d89106b8a07_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe
  C:\Windows\{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe
    C:\Windows\{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe
      C:\Windows\{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Windows\{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe
        
        C:\Windows\{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
      - C:\Windows\{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe
        
        C:\Windows\{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{75662F03-4C00-4953-82C3-74A277D83D4C}.exe
        
        C:\Windows\{75662F03-4C00-4953-82C3-74A277D83D4C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe
        
        C:\Windows\{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe
        
        C:\Windows\{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe
        
        C:\Windows\{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe
        
        C:\Windows\{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\{74167292-F9DD-4cb7-A658-4199889245DE}.exe
        
        C:\Windows\{74167292-F9DD-4cb7-A658-4199889245DE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
        
        C:\Windows\{081AC82E-150A-42cf-9FB4-0E9EBB2D0018}.exe
        
        C:\Windows\{081AC82E-150A-42cf-9FB4-0E9EBB2D0018}.exe
        13⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74167~1.EXE > nul
        13⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC4AB~1.EXE > nul
        12⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89BDF~1.EXE > nul
        11⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B50E5~1.EXE > nul
        10⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CE17~1.EXE > nul
        9⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75662~1.EXE > nul
        8⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE707~1.EXE > nul
        7⤵
        
        PID:3732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22289~1.EXE > nul
        6⤵
        
        PID:4140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{318CF~1.EXE > nul
        5⤵
        
        PID:2396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{57D3E~1.EXE > nul
      4⤵
      PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B2D3B~1.EXE > nul
    3⤵
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{081AC82E-150A-42cf-9FB4-0E9EBB2D0018}.exe

Filesize
344KB

MD5
51731f7ac6129533fdd43f430f6d0939

SHA1
341f1386ebdfe637330de440902f996beffd657f

SHA256
cc59831e0d827ce71c09dbdf71646aa73e0648f1f74ebeb1ae09d291a4525dd9

SHA512
d8026020aa29edce01fc320e1fbf6edf773c28679a715942dc7f07acabcee5c3d093fdde64c7ba519883e0681e167e82d57b11c5584e555ae66c4987ec656453

Download Submit
C:\Windows\{2228996D-891A-497a-A831-7CAA6AA6DDC8}.exe

Filesize
344KB

MD5
328dcb3c68bac12436ee338ebea559dc

SHA1
8cad9c78fbf8556cb84cca38b4ce60ae415e3663

SHA256
411eb9207f5ab387eec84819bba41757eb6c429e916c993ad81a46fe280537c3

SHA512
aabefb38f334b261be0fb58b455c875d046a54f7c10a47aa4ee6d55752ef7988bfb461239e32023a4ef9603fba82365a0624d2b14204d0b6012b080b1e8432ff

Download Submit
C:\Windows\{2CE17F13-CEF8-4bad-8A85-F85627A9BDBD}.exe

Filesize
344KB

MD5
b9dcfee7153e116a0bce6f8d1bd13440

SHA1
602e720546d2670871bdc11cbed30c3bc2a4d5bc

SHA256
d5d20829f1ec0e62e1d641663e0f7d93ea80e990ec815442d3cc56016311b4dc

SHA512
5b1773abaa8dff8e61b2d209ea42e98f07004029f305c0139defdaa553385d3341a052a5fc1c6da93396001eb908c4d4551bf7677a6820251370a9917d25dae4

Download Submit
C:\Windows\{318CF849-B63A-476d-8B4F-2192DD4925CD}.exe

Filesize
344KB

MD5
038f47e2baca2b860ec781b4281d166c

SHA1
0a88ed0465c6ae77779b41a2db6687c04e6d9f96

SHA256
403226c6c04f847b44ef9c299b28c4279e162bda45fd17ac2699c50e08c2ced0

SHA512
fd8802421fc8c4c2fa64aa7d5e382fd01c19df13e5f06712a4a9b1779a9883aee9de887489261aac2d93393f5af31293f3291b2c4fb8c3491e55500206108743

Download Submit
C:\Windows\{57D3ED60-A53A-4aeb-961B-76F9B57A0404}.exe

Filesize
344KB

MD5
cdb89ff9b56bfe24a912dde404b45032

SHA1
7d8e852169b3704247291309faa7a62eb8421eda

SHA256
8325695128a05e5a222d418527938340abc3ecf9fd16325a2f73db3de6c47178

SHA512
bd1d49d601ed81e3290773ddc47291c48b0cd520bf03f54038afe45b09482e717764d056f915aca33b4521a9919a501516a5d12ef52571fd6dd4c7c44a5d527b

Download Submit
C:\Windows\{74167292-F9DD-4cb7-A658-4199889245DE}.exe

Filesize
344KB

MD5
79c66a27782555f1967dabbd4fd80b35

SHA1
c7b9f46d713570300d73ff2b504faf97f93ad3b6

SHA256
6e4772e76d09f75dab21154d90e7b2d83389a3a0183432da218ce697a811563c

SHA512
d983722793c2e2a9333927a674d470c52f3b0c195d222752df12cd68af52c6e66436f9cf6ee6921b5514158e2b6e2d903c7c1c6a62aba82dec6cc089109819bb

Download Submit
C:\Windows\{75662F03-4C00-4953-82C3-74A277D83D4C}.exe

Filesize
344KB

MD5
a05b3e06a8c3437d0d25ba029e9a380f

SHA1
341704afefcf2d18119f636467e7a6b444ca6211

SHA256
1e121405fde23cfb743250e91b999eb4a480dcbf223dcc641c65e99b8a6d8889

SHA512
185861da6366f04951373df9eef35d837291443d70f16a9a6d155c0231bc87c6293c1a7e49a6f7e753f8e40cdbb3df10a0f1b3c20bb8b1f8ccedf080b4b854e9

Download Submit
C:\Windows\{89BDFF75-ACAB-456c-B4F8-5116D04A70FC}.exe

Filesize
344KB

MD5
26bc91cc8f090cbfb09d4bda1fa7a18f

SHA1
1e6033cc6afb20679864d058fb3e3e85519cc5ab

SHA256
4d00554a5b62bfb40e531d6f13f894a54cacf3fc9a1ce7a70ab76e6efea97f08

SHA512
b926afd52cb3523666a547dc593246ebf825862b53244fc824124b660737cd1ff6c9ab3176f5e4bdb38bff821bf6b3fa7f47236951c1b12a04bf9ee984460797

Download Submit
C:\Windows\{B2D3BFD6-771E-4dd7-9D7C-F5A32B94270F}.exe

Filesize
344KB

MD5
19288af830d4e8e88c21f1b95e622761

SHA1
bae43c64222b987fb472022cb25a4f31a4f25887

SHA256
1db502c70fbb6e1fef7082f46ae403aa37cf7ed715d2c97af283638e45120c26

SHA512
016c05039cdb360d02161eb5e5fcf192b5538f7425e0ce7fef78feaadc890150693a0597accfd7d53edef3c1abc841104aa9fa22d9c574f4fe6175b6f3eca9b1

Download Submit
C:\Windows\{B50E5BF9-7ED5-417f-866B-8EFE339E472D}.exe

Filesize
344KB

MD5
96fc27d8048643f5d899083d51f7916b

SHA1
4b1a818dfe24986e79176ad7dbffb594c0590d34

SHA256
0455868cce9449f0e83f6eb61a25a9b1895d3168b638906d4be177b5aabdc7a4

SHA512
50cc682b78aa75ee49e27dd5afd1b6737a51cce32b3adf6e7729e5d9923cd5d66b6e23931ce1f3d1dd87c413bc6d22b942365f390851dbf08696bbd19fdbc788

Download Submit
C:\Windows\{CE707686-6B0E-42c6-B23E-8161BA3CB2B3}.exe

Filesize
344KB

MD5
096795dee202824e11810c63f380ce5f

SHA1
5f41ab4c5d5956eb4b11f2b36260e32b3468a699

SHA256
ed9e05784871bc0ecff8cc8919b56d23044f330791b932845a2f0caf4246bc17

SHA512
8519e70d5f9bb8fe49159b8abaabc992f6898f1f775b6005816bafeda98cab6cb79c2e329a5d4d013b94e77c2ef3ec6cf96a645f6ce64212d44145bd84769590

Download Submit
C:\Windows\{DC4ABE24-2280-4336-A638-1D92BD3CBF00}.exe

Filesize
344KB

MD5
f7f287ab5443b105fa6fcc28df67437f

SHA1
68a280226cf5ad5c09b88f5fe7975a36069d93b6

SHA256
ac14c8c7bd26f53ee27fd63be754f1c99a0e0becde9873343154718bba2b8c52

SHA512
0c6abd3014e37901ce45748371caba485df1517adc4bf6f31a51be43e53fc9e1217e47097b48990f42a9c4fd6a1c62aafa2c82507cc5b71ae60101a181408f17

Download Submit