5a861468f261c6de09ec5e0836a607df7fecaa4252503b6ba15c90e91e4d7105

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe
Size

380KB
MD5

18b5b21bd8f7dd6fab9e31343ca249b9
SHA1

d12421a811622b8015efa619419f5fd3ce4eb2bc
SHA256

5a861468f261c6de09ec5e0836a607df7fecaa4252503b6ba15c90e91e4d7105
SHA512

f9aa43c8f8e64627d4c2a215a6b2b43ee5b003be35b693f04e04b6f199c03ca8a5bb7e978fbbb0444e80e5e9435abc7032c61e98501738965d2424da08a783bd
SSDEEP

3072:mEGh0oRlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG7l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{59666088-CA27-4f81-86D8-03611604EBCF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7215C213-6196-447e-8F8D-95298ACAA215}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D49B27B6-992D-4964-9967-92C95F434995}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C4F0D5AF-6654-44a5-91B2-544B1E9A41BE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{7215C213-6196-447e-8F8D-95298ACAA215}.exe{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe{D49B27B6-992D-4964-9967-92C95F434995}.exe{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe{59666088-CA27-4f81-86D8-03611604EBCF}.exe2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{671DDC63-1387-44c7-AE56-6CBAE13D5951}\stubpath = "C:\\Windows\\{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe"	{7215C213-6196-447e-8F8D-95298ACAA215}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D49B27B6-992D-4964-9967-92C95F434995}	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D49B27B6-992D-4964-9967-92C95F434995}\stubpath = "C:\\Windows\\{D49B27B6-992D-4964-9967-92C95F434995}.exe"	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}	{D49B27B6-992D-4964-9967-92C95F434995}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}\stubpath = "C:\\Windows\\{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe"	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBC1CCEB-3199-461a-98BA-696770C2EA0B}\stubpath = "C:\\Windows\\{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe"	{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59666088-CA27-4f81-86D8-03611604EBCF}	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{671DDC63-1387-44c7-AE56-6CBAE13D5951}	{7215C213-6196-447e-8F8D-95298ACAA215}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBC1CCEB-3199-461a-98BA-696770C2EA0B}	{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4F0D5AF-6654-44a5-91B2-544B1E9A41BE}	{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7215C213-6196-447e-8F8D-95298ACAA215}\stubpath = "C:\\Windows\\{7215C213-6196-447e-8F8D-95298ACAA215}.exe"	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59666088-CA27-4f81-86D8-03611604EBCF}\stubpath = "C:\\Windows\\{59666088-CA27-4f81-86D8-03611604EBCF}.exe"	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}	{59666088-CA27-4f81-86D8-03611604EBCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}\stubpath = "C:\\Windows\\{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe"	{59666088-CA27-4f81-86D8-03611604EBCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}\stubpath = "C:\\Windows\\{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe"	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A98E1A48-1942-42ef-BD7B-FCA6987764E7}	{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A98E1A48-1942-42ef-BD7B-FCA6987764E7}\stubpath = "C:\\Windows\\{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe"	{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4F0D5AF-6654-44a5-91B2-544B1E9A41BE}\stubpath = "C:\\Windows\\{C4F0D5AF-6654-44a5-91B2-544B1E9A41BE}.exe"	{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7215C213-6196-447e-8F8D-95298ACAA215}	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}\stubpath = "C:\\Windows\\{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe"	{D49B27B6-992D-4964-9967-92C95F434995}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2496 cmd.exe

pid	process
2496	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe{59666088-CA27-4f81-86D8-03611604EBCF}.exe{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe{7215C213-6196-447e-8F8D-95298ACAA215}.exe{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe{D49B27B6-992D-4964-9967-92C95F434995}.exe{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe{C4F0D5AF-6654-44a5-91B2-544B1E9A41BE}.exe

pid	process
1936	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe
2488	{59666088-CA27-4f81-86D8-03611604EBCF}.exe
2492	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe
1052	{7215C213-6196-447e-8F8D-95298ACAA215}.exe
2540	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe
1548	{D49B27B6-992D-4964-9967-92C95F434995}.exe
1932	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe
1252	{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe
3068	{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe
1992	{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe
1580	{C4F0D5AF-6654-44a5-91B2-544B1E9A41BE}.exe

Drops file in Windows directory 11 IoCs

Processes:

{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe{59666088-CA27-4f81-86D8-03611604EBCF}.exe{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe{7215C213-6196-447e-8F8D-95298ACAA215}.exe{D49B27B6-992D-4964-9967-92C95F434995}.exe{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe

description	ioc	process
File created	C:\Windows\{D49B27B6-992D-4964-9967-92C95F434995}.exe	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe
File created	C:\Windows\{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe
File created	C:\Windows\{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe
File created	C:\Windows\{59666088-CA27-4f81-86D8-03611604EBCF}.exe	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe
File created	C:\Windows\{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe	{59666088-CA27-4f81-86D8-03611604EBCF}.exe
File created	C:\Windows\{7215C213-6196-447e-8F8D-95298ACAA215}.exe	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe
File created	C:\Windows\{C4F0D5AF-6654-44a5-91B2-544B1E9A41BE}.exe	{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe
File created	C:\Windows\{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe	{7215C213-6196-447e-8F8D-95298ACAA215}.exe
File created	C:\Windows\{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe	{D49B27B6-992D-4964-9967-92C95F434995}.exe
File created	C:\Windows\{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe	{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe
File created	C:\Windows\{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe	{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe{59666088-CA27-4f81-86D8-03611604EBCF}.exe{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe{7215C213-6196-447e-8F8D-95298ACAA215}.exe{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe{D49B27B6-992D-4964-9967-92C95F434995}.exe{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1624	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1936	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe
Token: SeIncBasePriorityPrivilege	2488	{59666088-CA27-4f81-86D8-03611604EBCF}.exe
Token: SeIncBasePriorityPrivilege	2492	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe
Token: SeIncBasePriorityPrivilege	1052	{7215C213-6196-447e-8F8D-95298ACAA215}.exe
Token: SeIncBasePriorityPrivilege	2540	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe
Token: SeIncBasePriorityPrivilege	1548	{D49B27B6-992D-4964-9967-92C95F434995}.exe
Token: SeIncBasePriorityPrivilege	1932	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe
Token: SeIncBasePriorityPrivilege	1252	{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe
Token: SeIncBasePriorityPrivilege	3068	{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe
Token: SeIncBasePriorityPrivilege	1992	{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1624 wrote to memory of 1936	1624	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe
PID 1624 wrote to memory of 1936	1624	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe
PID 1624 wrote to memory of 1936	1624	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe
PID 1624 wrote to memory of 1936	1624	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe
PID 1624 wrote to memory of 2496	1624	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe	cmd.exe
PID 1624 wrote to memory of 2496	1624	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe	cmd.exe
PID 1624 wrote to memory of 2496	1624	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe	cmd.exe
PID 1624 wrote to memory of 2496	1624	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe	cmd.exe
PID 1936 wrote to memory of 2488	1936	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe	{59666088-CA27-4f81-86D8-03611604EBCF}.exe
PID 1936 wrote to memory of 2488	1936	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe	{59666088-CA27-4f81-86D8-03611604EBCF}.exe
PID 1936 wrote to memory of 2488	1936	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe	{59666088-CA27-4f81-86D8-03611604EBCF}.exe
PID 1936 wrote to memory of 2488	1936	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe	{59666088-CA27-4f81-86D8-03611604EBCF}.exe
PID 1936 wrote to memory of 2516	1936	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe	cmd.exe
PID 1936 wrote to memory of 2516	1936	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe	cmd.exe
PID 1936 wrote to memory of 2516	1936	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe	cmd.exe
PID 1936 wrote to memory of 2516	1936	{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe	cmd.exe
PID 2488 wrote to memory of 2492	2488	{59666088-CA27-4f81-86D8-03611604EBCF}.exe	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe
PID 2488 wrote to memory of 2492	2488	{59666088-CA27-4f81-86D8-03611604EBCF}.exe	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe
PID 2488 wrote to memory of 2492	2488	{59666088-CA27-4f81-86D8-03611604EBCF}.exe	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe
PID 2488 wrote to memory of 2492	2488	{59666088-CA27-4f81-86D8-03611604EBCF}.exe	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe
PID 2488 wrote to memory of 2652	2488	{59666088-CA27-4f81-86D8-03611604EBCF}.exe	cmd.exe
PID 2488 wrote to memory of 2652	2488	{59666088-CA27-4f81-86D8-03611604EBCF}.exe	cmd.exe
PID 2488 wrote to memory of 2652	2488	{59666088-CA27-4f81-86D8-03611604EBCF}.exe	cmd.exe
PID 2488 wrote to memory of 2652	2488	{59666088-CA27-4f81-86D8-03611604EBCF}.exe	cmd.exe
PID 2492 wrote to memory of 1052	2492	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe	{7215C213-6196-447e-8F8D-95298ACAA215}.exe
PID 2492 wrote to memory of 1052	2492	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe	{7215C213-6196-447e-8F8D-95298ACAA215}.exe
PID 2492 wrote to memory of 1052	2492	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe	{7215C213-6196-447e-8F8D-95298ACAA215}.exe
PID 2492 wrote to memory of 1052	2492	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe	{7215C213-6196-447e-8F8D-95298ACAA215}.exe
PID 2492 wrote to memory of 312	2492	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe	cmd.exe
PID 2492 wrote to memory of 312	2492	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe	cmd.exe
PID 2492 wrote to memory of 312	2492	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe	cmd.exe
PID 2492 wrote to memory of 312	2492	{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe	cmd.exe
PID 1052 wrote to memory of 2540	1052	{7215C213-6196-447e-8F8D-95298ACAA215}.exe	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe
PID 1052 wrote to memory of 2540	1052	{7215C213-6196-447e-8F8D-95298ACAA215}.exe	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe
PID 1052 wrote to memory of 2540	1052	{7215C213-6196-447e-8F8D-95298ACAA215}.exe	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe
PID 1052 wrote to memory of 2540	1052	{7215C213-6196-447e-8F8D-95298ACAA215}.exe	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe
PID 1052 wrote to memory of 1588	1052	{7215C213-6196-447e-8F8D-95298ACAA215}.exe	cmd.exe
PID 1052 wrote to memory of 1588	1052	{7215C213-6196-447e-8F8D-95298ACAA215}.exe	cmd.exe
PID 1052 wrote to memory of 1588	1052	{7215C213-6196-447e-8F8D-95298ACAA215}.exe	cmd.exe
PID 1052 wrote to memory of 1588	1052	{7215C213-6196-447e-8F8D-95298ACAA215}.exe	cmd.exe
PID 2540 wrote to memory of 1548	2540	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe	{D49B27B6-992D-4964-9967-92C95F434995}.exe
PID 2540 wrote to memory of 1548	2540	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe	{D49B27B6-992D-4964-9967-92C95F434995}.exe
PID 2540 wrote to memory of 1548	2540	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe	{D49B27B6-992D-4964-9967-92C95F434995}.exe
PID 2540 wrote to memory of 1548	2540	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe	{D49B27B6-992D-4964-9967-92C95F434995}.exe
PID 2540 wrote to memory of 1844	2540	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe	cmd.exe
PID 2540 wrote to memory of 1844	2540	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe	cmd.exe
PID 2540 wrote to memory of 1844	2540	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe	cmd.exe
PID 2540 wrote to memory of 1844	2540	{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe	cmd.exe
PID 1548 wrote to memory of 1932	1548	{D49B27B6-992D-4964-9967-92C95F434995}.exe	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe
PID 1548 wrote to memory of 1932	1548	{D49B27B6-992D-4964-9967-92C95F434995}.exe	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe
PID 1548 wrote to memory of 1932	1548	{D49B27B6-992D-4964-9967-92C95F434995}.exe	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe
PID 1548 wrote to memory of 1932	1548	{D49B27B6-992D-4964-9967-92C95F434995}.exe	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe
PID 1548 wrote to memory of 1496	1548	{D49B27B6-992D-4964-9967-92C95F434995}.exe	cmd.exe
PID 1548 wrote to memory of 1496	1548	{D49B27B6-992D-4964-9967-92C95F434995}.exe	cmd.exe
PID 1548 wrote to memory of 1496	1548	{D49B27B6-992D-4964-9967-92C95F434995}.exe	cmd.exe
PID 1548 wrote to memory of 1496	1548	{D49B27B6-992D-4964-9967-92C95F434995}.exe	cmd.exe
PID 1932 wrote to memory of 1252	1932	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe	{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe
PID 1932 wrote to memory of 1252	1932	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe	{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe
PID 1932 wrote to memory of 1252	1932	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe	{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe
PID 1932 wrote to memory of 1252	1932	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe	{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe
PID 1932 wrote to memory of 1336	1932	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe	cmd.exe
PID 1932 wrote to memory of 1336	1932	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe	cmd.exe
PID 1932 wrote to memory of 1336	1932	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe	cmd.exe
PID 1932 wrote to memory of 1336	1932	{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe
C:\Windows\{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\{59666088-CA27-4f81-86D8-03611604EBCF}.exe
C:\Windows\{59666088-CA27-4f81-86D8-03611604EBCF}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe
C:\Windows\{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\{7215C213-6196-447e-8F8D-95298ACAA215}.exe
C:\Windows\{7215C213-6196-447e-8F8D-95298ACAA215}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe
C:\Windows\{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\{D49B27B6-992D-4964-9967-92C95F434995}.exe
C:\Windows\{D49B27B6-992D-4964-9967-92C95F434995}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe
C:\Windows\{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe
C:\Windows\{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe
C:\Windows\{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe
C:\Windows\{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\{C4F0D5AF-6654-44a5-91B2-544B1E9A41BE}.exe
C:\Windows\{C4F0D5AF-6654-44a5-91B2-544B1E9A41BE}.exe
12⤵
- Executes dropped EXE
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FBC1C~1.EXE > nul
12⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A98E1~1.EXE > nul
11⤵
PID:324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1CC12~1.EXE > nul
10⤵
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{39B16~1.EXE > nul
9⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D49B2~1.EXE > nul
8⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{671DD~1.EXE > nul
7⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7215C~1.EXE > nul
6⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B8BBD~1.EXE > nul
5⤵
PID:312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{59666~1.EXE > nul
4⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B9B83~1.EXE > nul
3⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1CC123D1-3AEB-431b-AFBD-95C26BF5F8BD}.exe

Filesize
380KB

MD5
8dcef15af3261289450fbf55fce600bc

SHA1
34bccca62bdf45623bec1ed313da537e65f99c74

SHA256
e107b35324792e1c7e38d8d6dc39752450e8a30bbd506efc86f7b83a5cdc2a87

SHA512
e756e633ffc1aae50ab01974dcfaf2b6c1310b46f31af9204cf524e183cd59d0516184fe4dd318ed47fb068a3149b2845008ad1a9603227acb171b8fe2684db9

Download Submit
C:\Windows\{39B160D7-397F-44a9-9F0B-DCE28A7D9E90}.exe

Filesize
380KB

MD5
826cd465bfc92f5344e08a3faa74f89f

SHA1
9412aa562ac210070b2db99d18eab66547bfb3c4

SHA256
0b27f08907ac63379be1a0ebc59707ab42063e95d2fe057f4bb73667d92ac4b7

SHA512
c9196cc562c41db243572880ce1084d95127517dc343f780fcaad2c3fde8c06266d85fa181f8eb42bb8c472c985eeeca4bb494af1bf90ddd0ec374eb56ed9907

Download Submit
C:\Windows\{59666088-CA27-4f81-86D8-03611604EBCF}.exe

Filesize
380KB

MD5
6c4daa8fa953367ef6fcda8668ff98f8

SHA1
de36d55abda31415440aecfdf709f1079468c6a6

SHA256
d6da230c0ab1c66c27569c82cb2be6f9512c84c4ba52d9c68d41fde06bcffa76

SHA512
5ea90f8df9d62a6988838a02500e8f7d6d47dba3ceff17e97018036b742ad9344d6262884a785216b1760009f3366330128bc125604ad2ebda1faf2751f0804d

Download Submit
C:\Windows\{671DDC63-1387-44c7-AE56-6CBAE13D5951}.exe

Filesize
380KB

MD5
10ffc3432e1ef67e52921694288a5b36

SHA1
a23264f84cd8bad87f9e5155d7dd1a114f933ed3

SHA256
d281aa3e3973e0104fa38af7582a6dc634164e7f5e51505ea029d4bd07293850

SHA512
2855029400321ab339131dd92c7b366d11f3acbc0d3416dec670003f1892eef0bf7d0bf8d3a617b67224075331ea88de30085fd08305c05710724de7589de10b

Download Submit
C:\Windows\{7215C213-6196-447e-8F8D-95298ACAA215}.exe

Filesize
380KB

MD5
d4da10f3e9299e922e7402342f4dcdbc

SHA1
99114fbc812b62b9124f6abf51a418c7ee123ba8

SHA256
920d91c78bbc38b1db03e0d5a5d557e326c10c473e2c88d7513759e83f669f55

SHA512
d1d1d7ca5676a09644c165b5753c580f498f94dfbd8011c4e70f6e4a722aa72df856a97af1fab22bf30ae67c3619ea4e3e4ea44f5bff8e9e6fc3fec885c98364

Download Submit
C:\Windows\{A98E1A48-1942-42ef-BD7B-FCA6987764E7}.exe

Filesize
380KB

MD5
16319788ed3d244e1c7b9b4fcf7689a3

SHA1
6e533a7468c24dba67ca87069aa39d86fd5d6a4f

SHA256
e49780bfca9e730479eccd34523867876bcb5c8eeb4278066fc9725fa54a850d

SHA512
bca05634cf11ae246180aeccff5cfcdb8b955fbe30b2341042d9716e4f7b5d894c5f00a86f566dd7beb531415ff0231715d4239dbb049717ac7a0f08b5c71b00

Download Submit
C:\Windows\{B8BBD319-D475-44d0-B1B0-6E2D3E3422DE}.exe

Filesize
380KB

MD5
97c1ec9a41027160f1cd3cdbc63d2696

SHA1
6740d108fe12da0cbc9e5d48f0a7df1e505bd1f9

SHA256
385d5339ada6da5a5b74d22f3da4fad79256a0b0b048b4ee8eb108a7ee7f4e59

SHA512
064e54ebec160b68ff51aea8ec0e37be06fa5ea143b58c8577bfed68d98a5712d5a23ae68f1ebcc9e9d8920fb5020b64a19cc2377a5c1dc057fd8e868a11f799

Download Submit
C:\Windows\{B9B8379C-62FE-4beb-ACA2-0A4B52A59DC1}.exe

Filesize
380KB

MD5
c73ea0683a6a8a678138af37c62b8ff0

SHA1
b6db68059eb4b01d01d1fc7e7732c807620bf8db

SHA256
4d6854de9d31ff101bf47a317d3abfbc4f240141d9f08570a416c67763aba8c4

SHA512
371d4ccdba55924d0d6f17b2e4751d3a4926d84fab32c11ed2b70f4406135384e629e6cd4a645cfc5e2a87b8da07fe0d431a10ec0adfcc1d3d560d0df90da6e0

Download Submit
C:\Windows\{C4F0D5AF-6654-44a5-91B2-544B1E9A41BE}.exe

Filesize
380KB

MD5
7241918bd64601af1489080dda6955ff

SHA1
6a1558478b599bf4ef70b4798737f737412a583a

SHA256
8747d88fd2dc0f42564fdb3cef53d781a86f9021a6918a0f4e8b58d5a9f43b0a

SHA512
1b5e302f3697efa9a44bae2c77c9a4c76d15d0aa7f76cfa90c0c60baee0c4b9c24c10c0bd804ec2a02e814e872c64c089c01716e3af41e3ec7c164ef112c1b67

Download Submit
C:\Windows\{D49B27B6-992D-4964-9967-92C95F434995}.exe

Filesize
380KB

MD5
c12c117afebb23b2613a61b189700693

SHA1
f010118963edd52308df203d9adda0c1346b797c

SHA256
a5f03cf605565a71bfc9664330c7c76250186fe1cbd135b89e8f0595c8a74190

SHA512
e323ba5812a4874ea98cf4501a30204e80c9955f2114a2d640061c46b1cef10c6f78fddd8c4b0768647aba1fdbc60016ddd1f2e4fb45bd0124deb64d580b3bb6

Download Submit
C:\Windows\{FBC1CCEB-3199-461a-98BA-696770C2EA0B}.exe

Filesize
380KB

MD5
3b8bcff68cadc79c7f5c01adc1157243

SHA1
56fcbf32a8b45f8735e5cb5ba73bf125f0d0234d

SHA256
bd0b2ceb65ac7d3b86712725275903f39975d2095c4dced5bb8b4de7e982f7c0

SHA512
d09913820cea323221c6a14eb5d3d1bd14cf5a28a730e5fe1ba19a18ed9090af8a152317aca2efe45b59d681d02a3adaa464f22596e208eca7f4b50bd40a7669

Download Submit