7b25b20b5edb6335fb45fafba44e9943c73ee673fc7b17ba0700ccf75952a482

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe
Size

380KB
MD5

137c0d0b6237fe97d74aec2aeca0d674
SHA1

f453d1f7e3383c04f0689227d42402b069659d46
SHA256

7b25b20b5edb6335fb45fafba44e9943c73ee673fc7b17ba0700ccf75952a482
SHA512

d7784cf955a6086e61d6ba5adf068ac8a8f47b19809d935dc91d3e0a66da66f037bcf67813dc01e5a0c055f48700c31951026ed49166e32cfd15c9b10500a437
SSDEEP

3072:mEGh0oYlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGKl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1367472B-E131-4289-BF01-1D1DBED3637A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{ED92CFE8-B09F-441c-A195-6638468324B9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9EA7886B-A826-49bb-A5D8-C72D4E0B77C3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe{1367472B-E131-4289-BF01-1D1DBED3637A}.exe{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe{ED92CFE8-B09F-441c-A195-6638468324B9}.exe{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}	{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED92CFE8-B09F-441c-A195-6638468324B9}\stubpath = "C:\\Windows\\{ED92CFE8-B09F-441c-A195-6638468324B9}.exe"	{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}	{1367472B-E131-4289-BF01-1D1DBED3637A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}\stubpath = "C:\\Windows\\{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe"	{1367472B-E131-4289-BF01-1D1DBED3637A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{784E7DD2-1DD2-4f32-851E-53947A9F707B}\stubpath = "C:\\Windows\\{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe"	{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}\stubpath = "C:\\Windows\\{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe"	{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}	{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}\stubpath = "C:\\Windows\\{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe"	{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96401AFC-6F84-4f81-A378-C5CB69A3A200}\stubpath = "C:\\Windows\\{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe"	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C46E358A-18D7-43d5-85F5-C126F4D27728}	{ED92CFE8-B09F-441c-A195-6638468324B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C46E358A-18D7-43d5-85F5-C126F4D27728}\stubpath = "C:\\Windows\\{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe"	{ED92CFE8-B09F-441c-A195-6638468324B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96401AFC-6F84-4f81-A378-C5CB69A3A200}	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1367472B-E131-4289-BF01-1D1DBED3637A}\stubpath = "C:\\Windows\\{1367472B-E131-4289-BF01-1D1DBED3637A}.exe"	{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}	{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}\stubpath = "C:\\Windows\\{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe"	{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED92CFE8-B09F-441c-A195-6638468324B9}	{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EA7886B-A826-49bb-A5D8-C72D4E0B77C3}	{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EA7886B-A826-49bb-A5D8-C72D4E0B77C3}\stubpath = "C:\\Windows\\{9EA7886B-A826-49bb-A5D8-C72D4E0B77C3}.exe"	{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}	{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}\stubpath = "C:\\Windows\\{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe"	{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1367472B-E131-4289-BF01-1D1DBED3637A}	{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{784E7DD2-1DD2-4f32-851E-53947A9F707B}	{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C47A69B-0BF4-4f19-A563-CB83CE594A75}	{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C47A69B-0BF4-4f19-A563-CB83CE594A75}\stubpath = "C:\\Windows\\{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe"	{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe

Executes dropped EXE 12 IoCs

Processes:

{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe{1367472B-E131-4289-BF01-1D1DBED3637A}.exe{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe{ED92CFE8-B09F-441c-A195-6638468324B9}.exe{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe{9EA7886B-A826-49bb-A5D8-C72D4E0B77C3}.exe

pid	process
2468	{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe
1508	{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe
2936	{1367472B-E131-4289-BF01-1D1DBED3637A}.exe
2528	{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe
2252	{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe
628	{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe
2732	{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe
3212	{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe
4552	{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe
1920	{ED92CFE8-B09F-441c-A195-6638468324B9}.exe
4152	{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe
3224	{9EA7886B-A826-49bb-A5D8-C72D4E0B77C3}.exe

Drops file in Windows directory 12 IoCs

Processes:

{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe{1367472B-E131-4289-BF01-1D1DBED3637A}.exe{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe{ED92CFE8-B09F-441c-A195-6638468324B9}.exe{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe

description	ioc	process
File created	C:\Windows\{1367472B-E131-4289-BF01-1D1DBED3637A}.exe	{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe
File created	C:\Windows\{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe	{1367472B-E131-4289-BF01-1D1DBED3637A}.exe
File created	C:\Windows\{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe	{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe
File created	C:\Windows\{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe	{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe
File created	C:\Windows\{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe	{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe
File created	C:\Windows\{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe	{ED92CFE8-B09F-441c-A195-6638468324B9}.exe
File created	C:\Windows\{9EA7886B-A826-49bb-A5D8-C72D4E0B77C3}.exe	{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe
File created	C:\Windows\{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe
File created	C:\Windows\{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe	{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe
File created	C:\Windows\{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe	{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe
File created	C:\Windows\{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe	{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe
File created	C:\Windows\{ED92CFE8-B09F-441c-A195-6638468324B9}.exe	{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe{1367472B-E131-4289-BF01-1D1DBED3637A}.exe{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe{ED92CFE8-B09F-441c-A195-6638468324B9}.exe{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1780	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2468	{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe
Token: SeIncBasePriorityPrivilege	1508	{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe
Token: SeIncBasePriorityPrivilege	2936	{1367472B-E131-4289-BF01-1D1DBED3637A}.exe
Token: SeIncBasePriorityPrivilege	2528	{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe
Token: SeIncBasePriorityPrivilege	2252	{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe
Token: SeIncBasePriorityPrivilege	628	{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe
Token: SeIncBasePriorityPrivilege	2732	{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe
Token: SeIncBasePriorityPrivilege	3212	{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe
Token: SeIncBasePriorityPrivilege	4552	{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe
Token: SeIncBasePriorityPrivilege	1920	{ED92CFE8-B09F-441c-A195-6638468324B9}.exe
Token: SeIncBasePriorityPrivilege	4152	{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1780 wrote to memory of 2468	1780	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe	{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe
PID 1780 wrote to memory of 2468	1780	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe	{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe
PID 1780 wrote to memory of 2468	1780	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe	{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe
PID 1780 wrote to memory of 1340	1780	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe	cmd.exe
PID 1780 wrote to memory of 1340	1780	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe	cmd.exe
PID 1780 wrote to memory of 1340	1780	2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe	cmd.exe
PID 2468 wrote to memory of 1508	2468	{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe	{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe
PID 2468 wrote to memory of 1508	2468	{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe	{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe
PID 2468 wrote to memory of 1508	2468	{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe	{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe
PID 2468 wrote to memory of 3792	2468	{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe	cmd.exe
PID 2468 wrote to memory of 3792	2468	{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe	cmd.exe
PID 2468 wrote to memory of 3792	2468	{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe	cmd.exe
PID 1508 wrote to memory of 2936	1508	{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe	{1367472B-E131-4289-BF01-1D1DBED3637A}.exe
PID 1508 wrote to memory of 2936	1508	{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe	{1367472B-E131-4289-BF01-1D1DBED3637A}.exe
PID 1508 wrote to memory of 2936	1508	{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe	{1367472B-E131-4289-BF01-1D1DBED3637A}.exe
PID 1508 wrote to memory of 2328	1508	{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe	cmd.exe
PID 1508 wrote to memory of 2328	1508	{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe	cmd.exe
PID 1508 wrote to memory of 2328	1508	{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe	cmd.exe
PID 2936 wrote to memory of 2528	2936	{1367472B-E131-4289-BF01-1D1DBED3637A}.exe	{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe
PID 2936 wrote to memory of 2528	2936	{1367472B-E131-4289-BF01-1D1DBED3637A}.exe	{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe
PID 2936 wrote to memory of 2528	2936	{1367472B-E131-4289-BF01-1D1DBED3637A}.exe	{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe
PID 2936 wrote to memory of 400	2936	{1367472B-E131-4289-BF01-1D1DBED3637A}.exe	cmd.exe
PID 2936 wrote to memory of 400	2936	{1367472B-E131-4289-BF01-1D1DBED3637A}.exe	cmd.exe
PID 2936 wrote to memory of 400	2936	{1367472B-E131-4289-BF01-1D1DBED3637A}.exe	cmd.exe
PID 2528 wrote to memory of 2252	2528	{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe	{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe
PID 2528 wrote to memory of 2252	2528	{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe	{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe
PID 2528 wrote to memory of 2252	2528	{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe	{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe
PID 2528 wrote to memory of 1688	2528	{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe	cmd.exe
PID 2528 wrote to memory of 1688	2528	{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe	cmd.exe
PID 2528 wrote to memory of 1688	2528	{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe	cmd.exe
PID 2252 wrote to memory of 628	2252	{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe	{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe
PID 2252 wrote to memory of 628	2252	{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe	{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe
PID 2252 wrote to memory of 628	2252	{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe	{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe
PID 2252 wrote to memory of 1760	2252	{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe	cmd.exe
PID 2252 wrote to memory of 1760	2252	{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe	cmd.exe
PID 2252 wrote to memory of 1760	2252	{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe	cmd.exe
PID 628 wrote to memory of 2732	628	{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe	{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe
PID 628 wrote to memory of 2732	628	{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe	{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe
PID 628 wrote to memory of 2732	628	{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe	{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe
PID 628 wrote to memory of 3336	628	{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe	cmd.exe
PID 628 wrote to memory of 3336	628	{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe	cmd.exe
PID 628 wrote to memory of 3336	628	{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe	cmd.exe
PID 2732 wrote to memory of 3212	2732	{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe	{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe
PID 2732 wrote to memory of 3212	2732	{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe	{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe
PID 2732 wrote to memory of 3212	2732	{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe	{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe
PID 2732 wrote to memory of 1924	2732	{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe	cmd.exe
PID 2732 wrote to memory of 1924	2732	{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe	cmd.exe
PID 2732 wrote to memory of 1924	2732	{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe	cmd.exe
PID 3212 wrote to memory of 4552	3212	{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe	{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe
PID 3212 wrote to memory of 4552	3212	{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe	{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe
PID 3212 wrote to memory of 4552	3212	{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe	{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe
PID 3212 wrote to memory of 4376	3212	{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe	cmd.exe
PID 3212 wrote to memory of 4376	3212	{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe	cmd.exe
PID 3212 wrote to memory of 4376	3212	{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe	cmd.exe
PID 4552 wrote to memory of 1920	4552	{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe	{ED92CFE8-B09F-441c-A195-6638468324B9}.exe
PID 4552 wrote to memory of 1920	4552	{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe	{ED92CFE8-B09F-441c-A195-6638468324B9}.exe
PID 4552 wrote to memory of 1920	4552	{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe	{ED92CFE8-B09F-441c-A195-6638468324B9}.exe
PID 4552 wrote to memory of 3788	4552	{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe	cmd.exe
PID 4552 wrote to memory of 3788	4552	{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe	cmd.exe
PID 4552 wrote to memory of 3788	4552	{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe	cmd.exe
PID 1920 wrote to memory of 4152	1920	{ED92CFE8-B09F-441c-A195-6638468324B9}.exe	{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe
PID 1920 wrote to memory of 4152	1920	{ED92CFE8-B09F-441c-A195-6638468324B9}.exe	{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe
PID 1920 wrote to memory of 4152	1920	{ED92CFE8-B09F-441c-A195-6638468324B9}.exe	{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe
PID 1920 wrote to memory of 3288	1920	{ED92CFE8-B09F-441c-A195-6638468324B9}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_137c0d0b6237fe97d74aec2aeca0d674_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe
C:\Windows\{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe
C:\Windows\{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\{1367472B-E131-4289-BF01-1D1DBED3637A}.exe
C:\Windows\{1367472B-E131-4289-BF01-1D1DBED3637A}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe
C:\Windows\{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe
C:\Windows\{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe
C:\Windows\{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe
C:\Windows\{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe
C:\Windows\{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe
C:\Windows\{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\{ED92CFE8-B09F-441c-A195-6638468324B9}.exe
C:\Windows\{ED92CFE8-B09F-441c-A195-6638468324B9}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe
C:\Windows\{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\{9EA7886B-A826-49bb-A5D8-C72D4E0B77C3}.exe
C:\Windows\{9EA7886B-A826-49bb-A5D8-C72D4E0B77C3}.exe
13⤵
- Executes dropped EXE
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C46E3~1.EXE > nul
13⤵
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{ED92C~1.EXE > nul
12⤵
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{707D0~1.EXE > nul
11⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3C47A~1.EXE > nul
10⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{43F9B~1.EXE > nul
9⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B4ADB~1.EXE > nul
8⤵
PID:3336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{784E7~1.EXE > nul
7⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C2806~1.EXE > nul
6⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{13674~1.EXE > nul
5⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B4524~1.EXE > nul
4⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{96401~1.EXE > nul
3⤵
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1367472B-E131-4289-BF01-1D1DBED3637A}.exe

Filesize
380KB

MD5
d59278a161d0ae618afa8b1c9149e50a

SHA1
c6714b3721f16cab25cffaffc79326f3d2ef7b39

SHA256
3cf2b36c1293deca7aa1449966de045bdd4ce6984c022348a8f415ae42c2f625

SHA512
900daf9595a4ca97b72f858408936f5abfc85d3fb8f8f413c2321375b0c96cc815c252d283fccac0fc9613ac74aa0ef68cdbbe81dd9a0d83ddbfa69632f614e0

Download Submit
C:\Windows\{3C47A69B-0BF4-4f19-A563-CB83CE594A75}.exe

Filesize
380KB

MD5
1c61c7fbb5aaacb9358612661fe76af4

SHA1
4be61695e2478484de238e066f803a0b9247a302

SHA256
bae5592bb1ab100d28fb655ca8fc0304487d772b1ceb7fb3c2cdaf7ba11361e4

SHA512
e1d12d168c583cc1188d4ac115cb0561fe51ab4d745a7f38c316b3383f2188821291dba49cf5e8063b8efc7cb5be92901c53ce519928aac9909d41de1bc91dd2

Download Submit
C:\Windows\{43F9BD3A-B6D4-4f18-B9F2-FA0FC1951D1C}.exe

Filesize
380KB

MD5
d7f68b36c3cacc7f1a6364ddbc6498ad

SHA1
3417785c633517ce505be83009c183b2227743b9

SHA256
a1a1cb0f09e2c563f4ed138d83a642ae18763051c265cb0867ad115425bfa594

SHA512
b15859fe06a787ff4ef4efc114d8bfd2e21d8ca76487bf106a0f5a7eae8cae84fd3f4bf5a6501a69ac598ecd449a027d47c7024db9b30189d15bb27bc88ecdfd

Download Submit
C:\Windows\{707D0B8A-29BE-42fe-BC6F-BD3ACA086AB7}.exe

Filesize
380KB

MD5
7c602488b2064e96cda96c8cda2b0e6f

SHA1
8df422b1d370e41fa54fc4a2c9a49afc3ce7c24d

SHA256
6a0edcdd6545d5258661ec8021b3698ed1f2549682af7e24a29f83107b2d1255

SHA512
e696cc039acbe951a4ac300c18e1446de36d73a1210d259fce0f14520fb7430288d0b2bd600abb49f9e5ac37198b35e7dea2255b484c94dbb9d5d653bff3cdba

Download Submit
C:\Windows\{784E7DD2-1DD2-4f32-851E-53947A9F707B}.exe

Filesize
380KB

MD5
a350e091462c7517f104b30051d98df6

SHA1
d5afa8c0a6551ca0473f7698588a78290c70add0

SHA256
791eade64b10a388ef6d2285513789171e556f7d3314bfa4525b2329a3cabb25

SHA512
dffac318dc28f2c0b5f88ee72e91256237ff2d9f847309b21b2f09b744637a1945f4ec2771f42ec349971a25af85f433a9acda28e3cc791f8fa5cd9d024fbf14

Download Submit
C:\Windows\{96401AFC-6F84-4f81-A378-C5CB69A3A200}.exe

Filesize
380KB

MD5
10eec04fda940477358bed7b75cffb95

SHA1
7d1b37ab5ab8c812080660c5eb20878954f7a1b6

SHA256
5c7f5bf92e467c9073b77143659fc8b833f8a8bc60d34b054d56469900c47cff

SHA512
b40af61c641b948791203043f1c7e6e3d547c8c6772f9de9e59a85396a818d7fd5a51d87ceb8dafebc5d3246a45c313424c01ae34a35af7c591c129abf893f55

Download Submit
C:\Windows\{9EA7886B-A826-49bb-A5D8-C72D4E0B77C3}.exe

Filesize
380KB

MD5
aeb0da01d886959768b6f598cf8685ea

SHA1
a111093f7fa58401ab6562a0745982d462897ecb

SHA256
d755a8f950665126ddb6a6ffd07b45e2be4fc816ea9463c92f191d6713db8ee0

SHA512
6519cc587ed498575932184267bdbd3423aca1f5aefc684ddcb17953060235d9b4194537cc39a286f495a0c4cf5562a7ba82fc729ee2cd11fcaac50904c3868f

Download Submit
C:\Windows\{B452496C-4FE2-4bd7-BB79-E08CFFBFF46D}.exe

Filesize
380KB

MD5
9b7c688299a522c27b110398ee027541

SHA1
96fa5a62f4212bd6e719701af2a18ce509e21c95

SHA256
a5038a8944999b7851c6212b45ad6e7dc534a783f1dd494a69939d2e5c61cde9

SHA512
62c268797894f2d143c852a74474d3817ef33ebd43cb4193d6656294e8606827c5e7334b5263e13ebba6d6dbcb5b0edcab16c61e3f85fdd332bedb2c42cad9d3

Download Submit
C:\Windows\{B4ADB918-FC4C-492d-AA6B-E2AA974C1168}.exe

Filesize
380KB

MD5
4fb9ff4ca195fe3ba50cf663d0370312

SHA1
241365b4c3a594cbad01030292f9e9756466499c

SHA256
3faf355f59db7d960fbdf3fdf973b6841dc99ac6f9657486a6f9e6dae002c440

SHA512
069b441d583a1f782e0fbce6e3995b9ad5ec9be5f69d4db06b03d4d1590d6b995647e578eeb154a42bb432223a28097a9c0f60748a30400f9c7d2c4f5a95ed84

Download Submit
C:\Windows\{C2806A2D-1ADA-4a1b-8487-DF96C40F3434}.exe

Filesize
380KB

MD5
33f4ec05f5480766295d5374707981a2

SHA1
4c0c12fccbe584426c5b451a8af7560d7379f23c

SHA256
9cc7ade0e393f161e61718ea96330762420581e7b812ba6bc8e9e564dbca5c7e

SHA512
c32b2a634c733e768848ab6b7db4d81c9a9984964f83ddcf2ef5ef2271360ca86ffb52ddfd37a143a1c65cbb68a00f97a32b8af2ab69eb80399d547a107460dd

Download Submit
C:\Windows\{C46E358A-18D7-43d5-85F5-C126F4D27728}.exe

Filesize
380KB

MD5
805fa9df5e974064c1263b9c857ea93d

SHA1
1525dccf6a124ca0a4822e66a525b1e9ef23aa46

SHA256
92a79bca6da10650e37597ecdcbd2d3968db7fb6425b936b9b353d4cf7294e87

SHA512
48c6e23991755c55fb2c3366aba91536812fd5ce60419f13a63a476cb204750097dd2a835c5ecae2e742780a861c2ef2fd5fce7de7b31a79f8fbb202d810ec4c

Download Submit
C:\Windows\{ED92CFE8-B09F-441c-A195-6638468324B9}.exe

Filesize
380KB

MD5
d01d38f90bc54d279694503858279845

SHA1
db733754c3b0708118573a7408305a036b1e4fd0

SHA256
09712305c114353fc5a084d85d4c2ab4d5e74147e405ff23d0263ab6f0b4de9e

SHA512
0bf77877a266b00b2d7fc05fc97afbc719011fd3077fc22623858169d3e5c49d75d2a44ee5844cd320c1c99d56c83da16879f4d6bfef839939be52cd6cc49629

Download Submit