717b21cdfcc9d7270fc85aaa2ebd8e865e45b584f862cbfdf9f544f7482d46e7

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe
Size

408KB
MD5

0cd20ffec964472cc4a54e8b4e619260
SHA1

038a39a7a43f12af68aca4ce322712f56662fb89
SHA256

717b21cdfcc9d7270fc85aaa2ebd8e865e45b584f862cbfdf9f544f7482d46e7
SHA512

ac46f8b1ac716289c42260f4f3bb6338da409b9872470cf5c83b629d965ac0cf9e2f99f08c2206507d6c4166b88d24e0f63f67b56f63bdd93bfe02e301e9bb4f
SSDEEP

3072:CEGh0oyl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGEldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C68BD396-7325-4243-8A30-193760BCDBAF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{36B96264-2C08-4e8c-916A-F51D6722EA09}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}.exe{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe{C68BD396-7325-4243-8A30-193760BCDBAF}.exe{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}.exe2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36B96264-2C08-4e8c-916A-F51D6722EA09}	{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}\stubpath = "C:\\Windows\\{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe"	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}\stubpath = "C:\\Windows\\{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}.exe"	{C68BD396-7325-4243-8A30-193760BCDBAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}\stubpath = "C:\\Windows\\{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe"	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3975957-EA70-480a-AEA7-0A0B493F3A7F}\stubpath = "C:\\Windows\\{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe"	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}	{C68BD396-7325-4243-8A30-193760BCDBAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}	{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22821B23-A79B-414b-8B13-3AE6FDBE54B0}\stubpath = "C:\\Windows\\{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe"	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A14883C-EDD2-41fd-8913-1179C15DFB8C}	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}\stubpath = "C:\\Windows\\{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe"	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C68BD396-7325-4243-8A30-193760BCDBAF}	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C68BD396-7325-4243-8A30-193760BCDBAF}\stubpath = "C:\\Windows\\{C68BD396-7325-4243-8A30-193760BCDBAF}.exe"	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22821B23-A79B-414b-8B13-3AE6FDBE54B0}	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A14883C-EDD2-41fd-8913-1179C15DFB8C}\stubpath = "C:\\Windows\\{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe"	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3975957-EA70-480a-AEA7-0A0B493F3A7F}	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}\stubpath = "C:\\Windows\\{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}.exe"	{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36B96264-2C08-4e8c-916A-F51D6722EA09}\stubpath = "C:\\Windows\\{36B96264-2C08-4e8c-916A-F51D6722EA09}.exe"	{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}\stubpath = "C:\\Windows\\{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe"	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3016 cmd.exe

pid	process
3016	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe{C68BD396-7325-4243-8A30-193760BCDBAF}.exe{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}.exe{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}.exe{36B96264-2C08-4e8c-916A-F51D6722EA09}.exe

pid	process
2060	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe
2708	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe
2780	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe
1188	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe
2832	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe
2968	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe
1612	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe
1436	{C68BD396-7325-4243-8A30-193760BCDBAF}.exe
2004	{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}.exe
2380	{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}.exe
1084	{36B96264-2C08-4e8c-916A-F51D6722EA09}.exe

Drops file in Windows directory 11 IoCs

Processes:

2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}.exe{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe{C68BD396-7325-4243-8A30-193760BCDBAF}.exe{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}.exe

description	ioc	process
File created	C:\Windows\{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe
File created	C:\Windows\{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe
File created	C:\Windows\{C68BD396-7325-4243-8A30-193760BCDBAF}.exe	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe
File created	C:\Windows\{36B96264-2C08-4e8c-916A-F51D6722EA09}.exe	{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}.exe
File created	C:\Windows\{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe
File created	C:\Windows\{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe
File created	C:\Windows\{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe
File created	C:\Windows\{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe
File created	C:\Windows\{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe
File created	C:\Windows\{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}.exe	{C68BD396-7325-4243-8A30-193760BCDBAF}.exe
File created	C:\Windows\{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}.exe	{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe{C68BD396-7325-4243-8A30-193760BCDBAF}.exe{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}.exe{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1708	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2060	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe
Token: SeIncBasePriorityPrivilege	2708	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe
Token: SeIncBasePriorityPrivilege	2780	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe
Token: SeIncBasePriorityPrivilege	1188	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe
Token: SeIncBasePriorityPrivilege	2832	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe
Token: SeIncBasePriorityPrivilege	2968	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe
Token: SeIncBasePriorityPrivilege	1612	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe
Token: SeIncBasePriorityPrivilege	1436	{C68BD396-7325-4243-8A30-193760BCDBAF}.exe
Token: SeIncBasePriorityPrivilege	2004	{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}.exe
Token: SeIncBasePriorityPrivilege	2380	{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1708 wrote to memory of 2060	1708	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe
PID 1708 wrote to memory of 2060	1708	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe
PID 1708 wrote to memory of 2060	1708	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe
PID 1708 wrote to memory of 2060	1708	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe
PID 1708 wrote to memory of 3016	1708	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe	cmd.exe
PID 1708 wrote to memory of 3016	1708	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe	cmd.exe
PID 1708 wrote to memory of 3016	1708	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe	cmd.exe
PID 1708 wrote to memory of 3016	1708	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe	cmd.exe
PID 2060 wrote to memory of 2708	2060	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe
PID 2060 wrote to memory of 2708	2060	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe
PID 2060 wrote to memory of 2708	2060	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe
PID 2060 wrote to memory of 2708	2060	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe
PID 2060 wrote to memory of 2644	2060	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe	cmd.exe
PID 2060 wrote to memory of 2644	2060	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe	cmd.exe
PID 2060 wrote to memory of 2644	2060	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe	cmd.exe
PID 2060 wrote to memory of 2644	2060	{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe	cmd.exe
PID 2708 wrote to memory of 2780	2708	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe
PID 2708 wrote to memory of 2780	2708	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe
PID 2708 wrote to memory of 2780	2708	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe
PID 2708 wrote to memory of 2780	2708	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe
PID 2708 wrote to memory of 2868	2708	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe	cmd.exe
PID 2708 wrote to memory of 2868	2708	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe	cmd.exe
PID 2708 wrote to memory of 2868	2708	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe	cmd.exe
PID 2708 wrote to memory of 2868	2708	{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe	cmd.exe
PID 2780 wrote to memory of 1188	2780	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe
PID 2780 wrote to memory of 1188	2780	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe
PID 2780 wrote to memory of 1188	2780	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe
PID 2780 wrote to memory of 1188	2780	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe
PID 2780 wrote to memory of 1056	2780	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe	cmd.exe
PID 2780 wrote to memory of 1056	2780	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe	cmd.exe
PID 2780 wrote to memory of 1056	2780	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe	cmd.exe
PID 2780 wrote to memory of 1056	2780	{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe	cmd.exe
PID 1188 wrote to memory of 2832	1188	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe
PID 1188 wrote to memory of 2832	1188	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe
PID 1188 wrote to memory of 2832	1188	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe
PID 1188 wrote to memory of 2832	1188	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe
PID 1188 wrote to memory of 2856	1188	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe	cmd.exe
PID 1188 wrote to memory of 2856	1188	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe	cmd.exe
PID 1188 wrote to memory of 2856	1188	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe	cmd.exe
PID 1188 wrote to memory of 2856	1188	{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe	cmd.exe
PID 2832 wrote to memory of 2968	2832	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe
PID 2832 wrote to memory of 2968	2832	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe
PID 2832 wrote to memory of 2968	2832	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe
PID 2832 wrote to memory of 2968	2832	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe
PID 2832 wrote to memory of 2228	2832	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe	cmd.exe
PID 2832 wrote to memory of 2228	2832	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe	cmd.exe
PID 2832 wrote to memory of 2228	2832	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe	cmd.exe
PID 2832 wrote to memory of 2228	2832	{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe	cmd.exe
PID 2968 wrote to memory of 1612	2968	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe
PID 2968 wrote to memory of 1612	2968	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe
PID 2968 wrote to memory of 1612	2968	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe
PID 2968 wrote to memory of 1612	2968	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe
PID 2968 wrote to memory of 1796	2968	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe	cmd.exe
PID 2968 wrote to memory of 1796	2968	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe	cmd.exe
PID 2968 wrote to memory of 1796	2968	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe	cmd.exe
PID 2968 wrote to memory of 1796	2968	{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe	cmd.exe
PID 1612 wrote to memory of 1436	1612	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe	{C68BD396-7325-4243-8A30-193760BCDBAF}.exe
PID 1612 wrote to memory of 1436	1612	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe	{C68BD396-7325-4243-8A30-193760BCDBAF}.exe
PID 1612 wrote to memory of 1436	1612	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe	{C68BD396-7325-4243-8A30-193760BCDBAF}.exe
PID 1612 wrote to memory of 1436	1612	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe	{C68BD396-7325-4243-8A30-193760BCDBAF}.exe
PID 1612 wrote to memory of 872	1612	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe	cmd.exe
PID 1612 wrote to memory of 872	1612	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe	cmd.exe
PID 1612 wrote to memory of 872	1612	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe	cmd.exe
PID 1612 wrote to memory of 872	1612	{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe
C:\Windows\{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe
C:\Windows\{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe
C:\Windows\{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe
C:\Windows\{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe
C:\Windows\{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe
C:\Windows\{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe
C:\Windows\{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\{C68BD396-7325-4243-8A30-193760BCDBAF}.exe
C:\Windows\{C68BD396-7325-4243-8A30-193760BCDBAF}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}.exe
C:\Windows\{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}.exe
C:\Windows\{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\{36B96264-2C08-4e8c-916A-F51D6722EA09}.exe
C:\Windows\{36B96264-2C08-4e8c-916A-F51D6722EA09}.exe
12⤵
- Executes dropped EXE
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{955C6~1.EXE > nul
12⤵
PID:924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D2BB9~1.EXE > nul
11⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C68BD~1.EXE > nul
10⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F3975~1.EXE > nul
9⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9CB3B~1.EXE > nul
8⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EEE1C~1.EXE > nul
7⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CA62D~1.EXE > nul
6⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4CDEE~1.EXE > nul
5⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0A148~1.EXE > nul
4⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{22821~1.EXE > nul
3⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A14883C-EDD2-41fd-8913-1179C15DFB8C}.exe

Filesize
408KB

MD5
a129b171e635c9561602ee9adb93bcca

SHA1
830d03a60300c8c1cce4e1623073e373cbaf3f71

SHA256
542867a79b668e8ab9d9cfd5491f7f7427aa5c4b3bc95f41ca8c1d4892739b66

SHA512
3da47ec047778f43a5a0a5807bfb0190643ba48bcbc968e4c522f78e5e1eb9559177b3757767bbefbe3e1b4d11e30335ca94b802948ab584d655841ef7055d79

Download Submit
C:\Windows\{22821B23-A79B-414b-8B13-3AE6FDBE54B0}.exe

Filesize
408KB

MD5
c3d388e1370e740a8f42be52d87e3b63

SHA1
8201f5044d2ce10773f593c1328ea5616116ef36

SHA256
1a5e54c4caa02d7e7e63960aac0d2b75541c7ec2cc7c1c5470a93fbb90eb520b

SHA512
ad7eb134f18466f4212e415d2e92081962d6fb024f5b03e19554ad911e81744f1a98ae4b7fd8545a27bfc4b204d5a1611535a67cbf0292e1ac2f718abf0bc568

Download Submit
C:\Windows\{36B96264-2C08-4e8c-916A-F51D6722EA09}.exe

Filesize
408KB

MD5
1dac11e178c86a7d51fa1c5c11f2cd91

SHA1
80ebecb137afd03078da076d48fbd994b412f42b

SHA256
c320de82b7852fca85054b1aedaa1796cb3af13a03b10e792590b80fcab3e31d

SHA512
3bca861127673750fd020043809c06381650499019616e5ce2b80eb6d3131dbd219d464367d18d6a479ae6564185a5499a4380b7db11cf24fc38438bc6437f3a

Download Submit
C:\Windows\{4CDEE067-9F0F-42da-8FB4-7E5AABEDE54E}.exe

Filesize
408KB

MD5
6ebecfd26ea28f65fcf43a120dd229e8

SHA1
09ed2d6d842f2c8c58fcbb57d559c1500bca5476

SHA256
25960eda6c569cff01b2a801044b0cefd8541cb3ece40763e4a4f8770b27c5d6

SHA512
d37da5661c9eed29987d3b4886b5faa2b9b9148d6e1fbfee3789c3071d88900b9c8abe75dd71532b6a5cb33a8bc44f379c36e3c4190646cdd4c40142d57b823a

Download Submit
C:\Windows\{955C6EC2-26FF-4856-ABFA-C053D52B9FFC}.exe

Filesize
408KB

MD5
bf535a5a2b3e26d1557db6e1fbbf692c

SHA1
379b5e8c0475ecf3dd8f5488c537d8f8c439ea2b

SHA256
e3c716a95bb1ff1c87b4d60f935e5ee87ebe4860d400b451c8d3e74c9e5b5f6a

SHA512
d640b81095f0089c86b0be6dfc294fcfe979fe2a921ad86ccee0421fbc2a143007f953100bd4416025ed4691b522f690943f79793178abb5e123e63121dabac2

Download Submit
C:\Windows\{9CB3B170-4D14-4819-BB1E-77012A8B3E0D}.exe

Filesize
408KB

MD5
decad5ec1e3227df242d41c248171a53

SHA1
2f3b79be16751f395873c27319ddb4bb518df93a

SHA256
5b311bf307118bef0adc04ff9f107100c4ce8b6118e208894e4f830c73810885

SHA512
2bfa7d97ce95810c43e06bdccbc3beb364c009633f2f9a1c1042b1b04efcf2abc17a1f8d627d2c049c321463d0f9ff77d4d7fc50faf6b034ec5e8f1c7e712ada

Download Submit
C:\Windows\{C68BD396-7325-4243-8A30-193760BCDBAF}.exe

Filesize
408KB

MD5
07224c7ddf1f03e190df4f41af48b2c7

SHA1
d8a504b12d1ad34bbba4c56262297af9b9f513ad

SHA256
62fd182879f2aeefe026b058b267adb5f34dfb63af1360304e5cf145508f496f

SHA512
1889d1ec20a8b77e77042065b7d46404b098365a08b53b0475f6928a19eac7afc217f54f5104460a3157aa40164722e07735b2018ae8db11114454ceffd98753

Download Submit
C:\Windows\{CA62DC99-EFD6-44ad-9D50-8ECED1059DA2}.exe

Filesize
408KB

MD5
bdc18d441f3ad1f026181d685849cf78

SHA1
ca439f61c56f0ef8fa87ae7955b3194e465fa816

SHA256
5b854b101610f1ebd652c34dc71f2700da2fe89786dd652664fc785ed0be19f4

SHA512
cf78a7b9309f96238a0be1536037fcd9a10de47749a72c232b13c825840d7ff277d76c101a54a8d39901d8b166c1df9d3fffe7207eb265b5cd556770aeea6e51

Download Submit
C:\Windows\{D2BB9E7A-BBB8-4027-B8CE-BE6E823B3EC6}.exe

Filesize
408KB

MD5
3bd374530c7319b168bf2a2077e2ae5d

SHA1
b0082a7cb4cd85a0f3a1d7527ac88aa8a9d31ec4

SHA256
d81d8322ca209afb695f48368096ef8acf4a9055fe3ebccf89dbf8dd08f4d787

SHA512
323db18805d13b35a0bd81e17d00befa127ee92d26610c211d9eef4548398d5f66a1aae5a5008748eaae6487b03e64dc58aa50202bd5f067f02bed5f9a405c51

Download Submit
C:\Windows\{EEE1CAF3-EB68-44dc-9DC9-BE1E9ACD614A}.exe

Filesize
408KB

MD5
5e40bf201d15f9b682c4a95b7de22c76

SHA1
dada49726642032d5433b08c5e6fb66e9f4666df

SHA256
5c52433d398425bc63a20e16f2d4463558a0037ebe2497ccc9aadd119dd1fe70

SHA512
39797390f0dd83858bb91ef07f30ed9d0d5ec42451df671a732e478df5bd1e65117ab3f905563b2f94da8ddb0f2ae1951f36ac8d308433dc4ad6e3264938a5bc

Download Submit
C:\Windows\{F3975957-EA70-480a-AEA7-0A0B493F3A7F}.exe

Filesize
408KB

MD5
f2195e796cc87c8c65c0f85425bb97ec

SHA1
ded5709ba468de9ab9ab7022aae912b41077a440

SHA256
654ca191f8542415e88e5b9d00901c00b6ab2a4d32c69b969171fd0997eb003d

SHA512
cf58946497ce7986398b4f7f4404f8c6127d0e4d80dbd253d78adf27a01dada18a65296b8a7bc707546eee17efa7cb9bbdc502cad12a475087d1dcf0e3dd4b21

Download Submit