7b25b20b5edb6335fb45fafba44e9943c73ee673fc7b17ba0700ccf75952a482

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe
Size

380KB
MD5

137c0d0b6237fe97d74aec2aeca0d674
SHA1

f453d1f7e3383c04f0689227d42402b069659d46
SHA256

7b25b20b5edb6335fb45fafba44e9943c73ee673fc7b17ba0700ccf75952a482
SHA512

d7784cf955a6086e61d6ba5adf068ac8a8f47b19809d935dc91d3e0a66da66f037bcf67813dc01e5a0c055f48700c31951026ed49166e32cfd15c9b10500a437
SSDEEP

3072:mEGh0oYlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGKl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{06F70F07-5F07-4325-A317-E855F08493BD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{954AF349-6793-4142-A24C-CB86B1641C75}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{65ABAB29-6B5C-4388-A1FD-3E1BDB75DE7C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe{06F70F07-5F07-4325-A317-E855F08493BD}.exe{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}.exe{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}.exe2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe{954AF349-6793-4142-A24C-CB86B1641C75}.exe{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{111D8CEB-F5B0-4645-8C20-094D9F2D9743}\stubpath = "C:\\Windows\\{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe"	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{954AF349-6793-4142-A24C-CB86B1641C75}	{06F70F07-5F07-4325-A317-E855F08493BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}	{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}\stubpath = "C:\\Windows\\{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}.exe"	{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65ABAB29-6B5C-4388-A1FD-3E1BDB75DE7C}\stubpath = "C:\\Windows\\{65ABAB29-6B5C-4388-A1FD-3E1BDB75DE7C}.exe"	{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F04D7CB5-3334-4feb-A6FA-161F46199148}\stubpath = "C:\\Windows\\{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe"	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}\stubpath = "C:\\Windows\\{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe"	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}\stubpath = "C:\\Windows\\{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe"	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06F70F07-5F07-4325-A317-E855F08493BD}	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}	{954AF349-6793-4142-A24C-CB86B1641C75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}\stubpath = "C:\\Windows\\{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe"	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{111D8CEB-F5B0-4645-8C20-094D9F2D9743}	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65ABAB29-6B5C-4388-A1FD-3E1BDB75DE7C}	{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F04D7CB5-3334-4feb-A6FA-161F46199148}	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}\stubpath = "C:\\Windows\\{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe"	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06F70F07-5F07-4325-A317-E855F08493BD}\stubpath = "C:\\Windows\\{06F70F07-5F07-4325-A317-E855F08493BD}.exe"	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{954AF349-6793-4142-A24C-CB86B1641C75}\stubpath = "C:\\Windows\\{954AF349-6793-4142-A24C-CB86B1641C75}.exe"	{06F70F07-5F07-4325-A317-E855F08493BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}\stubpath = "C:\\Windows\\{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}.exe"	{954AF349-6793-4142-A24C-CB86B1641C75}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2516 cmd.exe

pid	process
2516	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe{06F70F07-5F07-4325-A317-E855F08493BD}.exe{954AF349-6793-4142-A24C-CB86B1641C75}.exe{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}.exe{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}.exe{65ABAB29-6B5C-4388-A1FD-3E1BDB75DE7C}.exe

pid	process
2960	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe
2500	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe
2540	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe
1608	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe
2592	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe
1744	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe
1996	{06F70F07-5F07-4325-A317-E855F08493BD}.exe
676	{954AF349-6793-4142-A24C-CB86B1641C75}.exe
2196	{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}.exe
604	{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}.exe
1792	{65ABAB29-6B5C-4388-A1FD-3E1BDB75DE7C}.exe

Drops file in Windows directory 11 IoCs

Processes:

{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe{954AF349-6793-4142-A24C-CB86B1641C75}.exe{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}.exe{06F70F07-5F07-4325-A317-E855F08493BD}.exe{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}.exe2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe

description	ioc	process
File created	C:\Windows\{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe
File created	C:\Windows\{06F70F07-5F07-4325-A317-E855F08493BD}.exe	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe
File created	C:\Windows\{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}.exe	{954AF349-6793-4142-A24C-CB86B1641C75}.exe
File created	C:\Windows\{65ABAB29-6B5C-4388-A1FD-3E1BDB75DE7C}.exe	{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}.exe
File created	C:\Windows\{954AF349-6793-4142-A24C-CB86B1641C75}.exe	{06F70F07-5F07-4325-A317-E855F08493BD}.exe
File created	C:\Windows\{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}.exe	{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}.exe
File created	C:\Windows\{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe
File created	C:\Windows\{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe
File created	C:\Windows\{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe
File created	C:\Windows\{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe
File created	C:\Windows\{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe{06F70F07-5F07-4325-A317-E855F08493BD}.exe{954AF349-6793-4142-A24C-CB86B1641C75}.exe{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}.exe{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2164	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2960	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe
Token: SeIncBasePriorityPrivilege	2500	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe
Token: SeIncBasePriorityPrivilege	2540	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe
Token: SeIncBasePriorityPrivilege	1608	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe
Token: SeIncBasePriorityPrivilege	2592	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe
Token: SeIncBasePriorityPrivilege	1744	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe
Token: SeIncBasePriorityPrivilege	1996	{06F70F07-5F07-4325-A317-E855F08493BD}.exe
Token: SeIncBasePriorityPrivilege	676	{954AF349-6793-4142-A24C-CB86B1641C75}.exe
Token: SeIncBasePriorityPrivilege	2196	{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}.exe
Token: SeIncBasePriorityPrivilege	604	{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2164 wrote to memory of 2960	2164	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe
PID 2164 wrote to memory of 2960	2164	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe
PID 2164 wrote to memory of 2960	2164	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe
PID 2164 wrote to memory of 2960	2164	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe
PID 2164 wrote to memory of 2516	2164	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe	cmd.exe
PID 2164 wrote to memory of 2516	2164	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe	cmd.exe
PID 2164 wrote to memory of 2516	2164	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe	cmd.exe
PID 2164 wrote to memory of 2516	2164	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe	cmd.exe
PID 2960 wrote to memory of 2500	2960	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe
PID 2960 wrote to memory of 2500	2960	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe
PID 2960 wrote to memory of 2500	2960	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe
PID 2960 wrote to memory of 2500	2960	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe
PID 2960 wrote to memory of 2736	2960	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe	cmd.exe
PID 2960 wrote to memory of 2736	2960	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe	cmd.exe
PID 2960 wrote to memory of 2736	2960	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe	cmd.exe
PID 2960 wrote to memory of 2736	2960	{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe	cmd.exe
PID 2500 wrote to memory of 2540	2500	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe
PID 2500 wrote to memory of 2540	2500	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe
PID 2500 wrote to memory of 2540	2500	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe
PID 2500 wrote to memory of 2540	2500	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe
PID 2500 wrote to memory of 2480	2500	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe	cmd.exe
PID 2500 wrote to memory of 2480	2500	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe	cmd.exe
PID 2500 wrote to memory of 2480	2500	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe	cmd.exe
PID 2500 wrote to memory of 2480	2500	{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe	cmd.exe
PID 2540 wrote to memory of 1608	2540	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe
PID 2540 wrote to memory of 1608	2540	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe
PID 2540 wrote to memory of 1608	2540	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe
PID 2540 wrote to memory of 1608	2540	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe
PID 2540 wrote to memory of 1052	2540	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe	cmd.exe
PID 2540 wrote to memory of 1052	2540	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe	cmd.exe
PID 2540 wrote to memory of 1052	2540	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe	cmd.exe
PID 2540 wrote to memory of 1052	2540	{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe	cmd.exe
PID 1608 wrote to memory of 2592	1608	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe
PID 1608 wrote to memory of 2592	1608	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe
PID 1608 wrote to memory of 2592	1608	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe
PID 1608 wrote to memory of 2592	1608	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe
PID 1608 wrote to memory of 1984	1608	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe	cmd.exe
PID 1608 wrote to memory of 1984	1608	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe	cmd.exe
PID 1608 wrote to memory of 1984	1608	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe	cmd.exe
PID 1608 wrote to memory of 1984	1608	{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe	cmd.exe
PID 2592 wrote to memory of 1744	2592	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe
PID 2592 wrote to memory of 1744	2592	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe
PID 2592 wrote to memory of 1744	2592	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe
PID 2592 wrote to memory of 1744	2592	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe
PID 2592 wrote to memory of 768	2592	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe	cmd.exe
PID 2592 wrote to memory of 768	2592	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe	cmd.exe
PID 2592 wrote to memory of 768	2592	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe	cmd.exe
PID 2592 wrote to memory of 768	2592	{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe	cmd.exe
PID 1744 wrote to memory of 1996	1744	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe	{06F70F07-5F07-4325-A317-E855F08493BD}.exe
PID 1744 wrote to memory of 1996	1744	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe	{06F70F07-5F07-4325-A317-E855F08493BD}.exe
PID 1744 wrote to memory of 1996	1744	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe	{06F70F07-5F07-4325-A317-E855F08493BD}.exe
PID 1744 wrote to memory of 1996	1744	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe	{06F70F07-5F07-4325-A317-E855F08493BD}.exe
PID 1744 wrote to memory of 2080	1744	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe	cmd.exe
PID 1744 wrote to memory of 2080	1744	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe	cmd.exe
PID 1744 wrote to memory of 2080	1744	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe	cmd.exe
PID 1744 wrote to memory of 2080	1744	{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe	cmd.exe
PID 1996 wrote to memory of 676	1996	{06F70F07-5F07-4325-A317-E855F08493BD}.exe	{954AF349-6793-4142-A24C-CB86B1641C75}.exe
PID 1996 wrote to memory of 676	1996	{06F70F07-5F07-4325-A317-E855F08493BD}.exe	{954AF349-6793-4142-A24C-CB86B1641C75}.exe
PID 1996 wrote to memory of 676	1996	{06F70F07-5F07-4325-A317-E855F08493BD}.exe	{954AF349-6793-4142-A24C-CB86B1641C75}.exe
PID 1996 wrote to memory of 676	1996	{06F70F07-5F07-4325-A317-E855F08493BD}.exe	{954AF349-6793-4142-A24C-CB86B1641C75}.exe
PID 1996 wrote to memory of 2840	1996	{06F70F07-5F07-4325-A317-E855F08493BD}.exe	cmd.exe
PID 1996 wrote to memory of 2840	1996	{06F70F07-5F07-4325-A317-E855F08493BD}.exe	cmd.exe
PID 1996 wrote to memory of 2840	1996	{06F70F07-5F07-4325-A317-E855F08493BD}.exe	cmd.exe
PID 1996 wrote to memory of 2840	1996	{06F70F07-5F07-4325-A317-E855F08493BD}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe
C:\Windows\{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe
C:\Windows\{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe
C:\Windows\{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe
C:\Windows\{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe
C:\Windows\{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe
C:\Windows\{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\{06F70F07-5F07-4325-A317-E855F08493BD}.exe
C:\Windows\{06F70F07-5F07-4325-A317-E855F08493BD}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\{954AF349-6793-4142-A24C-CB86B1641C75}.exe
C:\Windows\{954AF349-6793-4142-A24C-CB86B1641C75}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}.exe
C:\Windows\{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}.exe
C:\Windows\{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\{65ABAB29-6B5C-4388-A1FD-3E1BDB75DE7C}.exe
C:\Windows\{65ABAB29-6B5C-4388-A1FD-3E1BDB75DE7C}.exe
12⤵
- Executes dropped EXE
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0F856~1.EXE > nul
12⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FF73A~1.EXE > nul
11⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{954AF~1.EXE > nul
10⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{06F70~1.EXE > nul
9⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{111D8~1.EXE > nul
8⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AC76B~1.EXE > nul
7⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0A727~1.EXE > nul
6⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CEA74~1.EXE > nul
5⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{58CAE~1.EXE > nul
4⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F04D7~1.EXE > nul
3⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06F70F07-5F07-4325-A317-E855F08493BD}.exe

Filesize
380KB

MD5
4561ef0b1d9f49faa0275dba76516de9

SHA1
e3faede5e95a227001c0d6c0744e4e1382227afb

SHA256
031f6d54beed1960d91843069259289e598f8d9440ce8fec9e15b63a20581650

SHA512
00fa2c57808d047c313faf622eb26227c9c0ef88af6b29a927b850235b431e03f1d3d1a52a7242a52ea8e29db2b59cf9493f426b3bfed63b3865324b07574d57

Download Submit
C:\Windows\{0A7277C4-BBE1-4d9f-A20C-E480B6A0FFB0}.exe

Filesize
380KB

MD5
6b386e059afc6e30abeca776bf9d940d

SHA1
f445d27aa648ac0ee908ce4f170c96bbd29e175a

SHA256
942fc20020e0fcf44a1c70d41637fa803e3513b8bb80002fb4d0f6598d959700

SHA512
7493d30868fa6624b7bd0ddbb95eefbf368824f6db1dc0fe03a621f232ef1e81d1c7835714ad014cb475f1a7160a052c92ebd25bf61f0432852ec827aa527921

Download Submit
C:\Windows\{0F8564D7-CEDB-4096-B7C7-FB752F2834B3}.exe

Filesize
380KB

MD5
a3e31c768969ead1c423ef3257e3123f

SHA1
d80739c0925a9a18c2124f60e900a047ea5ae0d2

SHA256
66abc61a30e6a1facc57c286e29599655a9fc49dfc0cd904df07753f1cfb268c

SHA512
46876620d59a5b05ebc864a3633b366fc96f690ac610b0236e773fd29bcf8ca7e1e3e08dc4829df6c585a790d911cc477683143ae7d67f25e7628a49c5cad71d

Download Submit
C:\Windows\{111D8CEB-F5B0-4645-8C20-094D9F2D9743}.exe

Filesize
380KB

MD5
44a22f1bcb54e1c97e8f2dca3b73f2fd

SHA1
c4750ca11be6e8a534401f74615e95582ba4ed24

SHA256
2b5e6c4d1a3c6b4395df5cdba2bf8ed969b704eacfb94f3f623984c94aa2458f

SHA512
b42be17b8352d1c6abafeced83dc040133121be85c4fcf22bda703e57801169ea32a2a7978286ece65634f586a7feacbb7ee78938c4f201882397a93e133e49d

Download Submit
C:\Windows\{58CAEED6-43E3-4100-A47D-0C9DAECC9AD6}.exe

Filesize
380KB

MD5
39f38fa119703b51a623936c2fb201e7

SHA1
3976e3c5b192808f88f163d7120e4511a53744e8

SHA256
8116d51d004b77af58d5738c0e45e339304ff84e3d49a0cd912032e1cadc0c99

SHA512
3e6283f52e2089725e107f968aa11869205101f319503dc8fd7411c134bbbd454fd3e730208a7976fc6f04b0847708ca66ac63c729ac78a215c2419e12fe66d3

Download Submit
C:\Windows\{65ABAB29-6B5C-4388-A1FD-3E1BDB75DE7C}.exe

Filesize
380KB

MD5
06838887465b74df847550b398fef4eb

SHA1
e05eda82742e6f8055485740af168fa5139d8910

SHA256
c449fd1acacb750cfea669359301c1d615bf2add19646141ac14481925a0d7a0

SHA512
24bd564a5d31a1ca50c82af234be0ea2ba19601ccc50b214f22d59cd967804b2aab78fb27d2b7c68cb7295c9b2bf773e4b506e97dc1d80a12cc866200ce61467

Download Submit
C:\Windows\{954AF349-6793-4142-A24C-CB86B1641C75}.exe

Filesize
380KB

MD5
eeb560e9c48e1454227d631cd1a34f29

SHA1
f2aeec1d776857f565bee8eaf70a5cf4fd96cf60

SHA256
aed8d4ec776dae3fbeec65c13c358e6bbd67836ed8c8e95a2690c5fea8a486f8

SHA512
fb621b9939d0d372eff97cb6f0366a8b509b0d0256b26c6127a176b9f54188fd43b6d0fb311ee75a85f352d1daaaf079a467ddf56e48b07e76539898e355fc45

Download Submit
C:\Windows\{AC76BC6D-F980-4b7e-875F-5C920A3C2E9E}.exe

Filesize
380KB

MD5
487886380b14984a5c535d9a394276cc

SHA1
6b8ab2da2e1789264c598ddd5708a746e70e4f8a

SHA256
45b2ef6629def349ca19b24cda03c09c55de768f78f0b3da91525594837936c5

SHA512
3de91dd28d55d62682d458dcf30e39478ec4966775e036eea37e5335c09ae084ed15257c1ec14aa96237944bf9c134d2f2ff5fe271c98ad0cb4a78a91b971f75

Download Submit
C:\Windows\{CEA7442B-FD9E-4a86-B3B7-28F587D8BF99}.exe

Filesize
380KB

MD5
cb8b911d6a50bb6aeb26dd9250f77ee3

SHA1
cf972fe53168b9b2ca75291cd88f3f95e6b98f57

SHA256
16207add767c0fea007d1dda9c5608f6a1df83994fc173fcb46e53151aebeccc

SHA512
4467d88e39c096a88e8e42494678dfff6858d6185cc925c91600de85792d7988c78337b0956d3a4ed76ead069180d5cc066b228d5ff5cecb1e0b4764b43b1d67

Download Submit
C:\Windows\{F04D7CB5-3334-4feb-A6FA-161F46199148}.exe

Filesize
380KB

MD5
196aedfc30e5314c9c0a9f1cb707faf4

SHA1
17e1291c008d34ceeaab075918efc99a958ca0ed

SHA256
8224ca0b238bbab8c1552cb3ea21d741a46c27d62c4688b075cb97815d6c7cb8

SHA512
a57c6bc98a852519fbe75119ef59e1e3b7195f7988d67be404c55795f9f7de88d4908ab53ad8999eb416c6174052d407ac88ee3f3542ddf701768d88a2cb1e9d

Download Submit
C:\Windows\{FF73A7E3-AF0E-4ec9-B874-D1E1F79CF007}.exe

Filesize
380KB

MD5
f7ead1a6dc8d7bcc517747bfd9647615

SHA1
ee9ba4ceeb34ca39eba991c9f1b0fdc764811cdc

SHA256
e19c670169d8c51b36586bfc8469fa38dd2615ceda96d79e13289695f8006d39

SHA512
b7fe7483ed78f560293560efed48332a4afcea78c2beaecba48eb3e2a2f12c1a16aae3b8c6b73e576630f995532d1b1ff41e6fea21fa4239e5204e23cfcfd75f

Download Submit